Posted to notifications@logging.apache.org by "Dawid Weiss (JIRA)" <ji...@apache.org> on 2018/02/12 13:07:00 UTC

[jira] [Commented] (LOG4J2-1959) Disable DTD processing in XML configuration files

    [ https://issues.apache.org/jira/browse/LOG4J2-1959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16360715#comment-16360715 ] 

Dawid Weiss commented on LOG4J2-1959:
-------------------------------------

Perhaps I don't understand log4j2 enough, but this issue hit us recently. We have multiple configurations corresponding to different "levels" of logging verbosity. These (XML) configurations reused large fragments of loggers and appender configs using entity inclusion from shared files. This no longer works and is (quietly) ignored, resulting in a different behavior (parts of previous configuration silently ignored).

Unfortunately XInclude is not a solution because those "shared" XMLs contained only fragments of the final XML (say, configuration for a few loggers, not all of them), and they didn't have a proper root XML tag (so they cannot be included). I had some hopes for XPointer, but no luck (XPointer never really caught on).

> Disable DTD processing in XML configuration files
> -------------------------------------------------
>
>                 Key: LOG4J2-1959
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1959
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Configurators
>    Affects Versions: 2.8.2
>            Reporter: Mikael Ståldal
>            Assignee: Mikael Ståldal
>            Priority: Major
>             Fix For: 2.9.0
>
>
> For security reasons, DTD processing should be disabled when parsing XML configuration files.



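The silent failure described in the comment above can be surfaced by checking a parsed configuration for external entities that were declared but never loaded. This is an added example, not code from Log4j or from the original message; the class name, the sample configuration, the file name `shared-loggers.xml` and the exact parser feature set are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class DroppedEntityCheck {
    // Constructed sample: a config that pulls shared loggers from another file via an external entity.
    static final String CONFIG =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE Configuration [ <!ENTITY loggers SYSTEM \"shared-loggers.xml\"> ]>\n"
      + "<Configuration><Loggers>&loggers;<Root level=\"info\"/></Loggers></Configuration>";

    // Parser with external entity and external DTD loading switched off (assumed feature set).
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // External entities the document declares; each one is content the hardened parser did not fetch.
    static List<String> externalEntities(Document doc) {
        List<String> names = new ArrayList<>();
        DocumentType dt = doc.getDoctype();
        if (dt == null) return names;            // no DTD, nothing can have been dropped
        NamedNodeMap entities = dt.getEntities();
        for (int i = 0; i < entities.getLength(); i++) {
            Entity e = (Entity) entities.item(i);
            if (e.getSystemId() != null) names.add(e.getNodeName() + " -> " + e.getSystemId());
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        Document doc = parseHardened(CONFIG);    // parses without error even though the file is never read
        int loggers = doc.getElementsByTagName("Logger").getLength();
        System.out.println("Logger elements after parse: " + loggers);
        for (String e : externalEntities(doc)) {
            System.err.println("WARNING: external entity not loaded: " + e);
        }
    }
}
```

Running a check like this against each configuration file before deployment turns the quiet loss of shared fragments into a visible warning, without re-enabling external entity resolution.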