fix: Add resource: protocol to allowed URL schemes by default

ppkarwasz · ppkarwasz · commit 084a636bdc6f · 2025-07-01T13:34:13.000+02:00
This update includes `resource:` in the list of allowed URL schemes for retrieving configuration files. See [`log4j2.configurationAllowedProtocols`](https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.configurationAllowedProtocols) Currently, the `resource:` protocol is used exclusively by a `URLStreamHandler` that retrieves files from the embedded resources in a GraalVM native image. This makes it a secure and appropriate source for trusted configuration files. This change cannot be easily and reliably tested through a unit test. An integration test will be provided in apache/logging-log4j-samples#345 Closes #3790
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java
@@ -51,7 +51,23 @@ public class UrlConnectionFactory {
     private static final String HTTP = "http";
     private static final String HTTPS = "https";
     private static final String JAR = "jar";
-    private static final String DEFAULT_ALLOWED_PROTOCOLS = "https, file, jar";
+    /**
+     * Default list of protocols that are allowed to be used for configuration files and other trusted resources.
+     * <p>
+     *     By default, we trust the following protocols:
+     * <dl>
+     *     <dt>file</dt>
+     *     <dd>Local files</dd>
+     *     <dt>https</dt>
+     *     <dd>Resources retrieved through TLS to guarantee their integrity</dd>
+     *     <dt>jar</dt>
+     *     <dd>Resources retrieved from JAR files</dd>
+     *     <dt>resource</dt>
+     *     <dd>Resources embedded in a GraalVM native image</dd>
+     * </dl>
+     */
+    private static final String DEFAULT_ALLOWED_PROTOCOLS = "file, https, jar, resource";
+
     private static final String NO_PROTOCOLS = "_none";
     public static final String ALLOWED_PROTOCOLS = "log4j2.Configuration.allowedProtocols";
 
diff --git a/src/changelog/.2.x.x/3790_allow-resource-protocol.xml b/src/changelog/.2.x.x/3790_allow-resource-protocol.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<entry xmlns="https://logging.apache.org/xml/ns"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="
+           https://logging.apache.org/xml/ns
+           https://logging.apache.org/xml/ns/log4j-changelog-0.xsd"
+       type="fixed">
+  <issue id="3790" link="https://github.com/apache/logging-log4j2/issues/3790"/>
+  <description format="asciidoc">
+    Allow `resource:` protocol for configuration files by default.
+  </description>
+</entry>
