ppkarwasz commented on PR #540:
URL: https://github.com/apache/commons-configuration/pull/540#issuecomment-2646115589

   > Indeed loading configurations from untrusted locations with 
`JNDIConfiguration` would likely be unsafe, just like loading untrusted 
configuration definitions/declarations. Assuming those are trusted the 
configuration files 'themselves' should not allow triggering arbitrary code 
execution or DoS, though, right?
   
   Yes, but that is not what I understand when reading:
   
   > For Commons Configuration 2.x, loading untrusted configuration files or 
performing operations
   > on them should not allow code execution, and should not cause any denial 
of service situations.
   
   What I understand here is that even if you allow external users to supply 
configuration files and you process them through Commons Configuration, no DoS 
or code execution will be triggered.
   
   This is IMHO impossible to guarantee, and we will have to publish CVEs like 
the recent one in Logback: 
[CVE-2024-12798](https://www.cve.org/CVERecord?id=CVE-2024-12798).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
