packages/log4j
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
log4j/CVE-2021-44228-3.patch
starlet-dx dbce122982 fix CVE-2021-44228 
(cherry picked from commit 3ec2ef9b5f83e82fdcbd0390038e8a92aa1cdabc)
2021-12-11 15:10:28 +08:00

113 lines
6.4 KiB
Diff
Raw Blame History

From 5f81dd218aab36bf1c6a7410c88c29594bb1a0e7 Mon Sep 17 00:00:00 2001
From: Ralph Goers <rgoers@apache.org>
Date: Tue, 30 Nov 2021 22:38:22 -0700
Subject: [PATCH] Rename test. Various minor fixes
---
.../logging/log4j/core/net/JndiManager.java | 31 +++++++++++++------
...est.java => JndiRestrictedLookupTest.java} | 4 +--
...-import.ldif => JndiRestrictedLookup.ldif} | 0
3 files changed, 24 insertions(+), 11 deletions(-)
rename log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/{JndiLdapLookupTest.java => JndiRestrictedLookupTest.java} (98%)
rename log4j-core/src/test/resources/{java-import.ldif => JndiRestrictedLookup.ldif} (100%)
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
index 613a0551da..b392b938b4 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
@@ -21,12 +21,15 @@
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.HashMap;
import java.util.List;
import java.util.Locale;
+import java.util.Map;
import java.util.Properties;
import java.util.concurrent.TimeUnit;
import javax.naming.Context;
+import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
@@ -58,13 +61,12 @@
private static final List<String> permanentAllowedHosts = NetUtils.getLocalIps();
private static final List<String> permanentAllowedClasses = Arrays.asList(Boolean.class.getName(),
Byte.class.getName(), Character.class.getName(), Double.class.getName(), Float.class.getName(),
- Integer.class.getName(), Long.class.getName(), Number.class.getName(), Short.class.getName(),
- String.class.getName());
+ Integer.class.getName(), Long.class.getName(), Short.class.getName(), String.class.getName());
private static final List<String> permanentAllowedProtocols = Arrays.asList(JAVA, LDAP, LDAPS);
- private static final String SERIALIZED_DATA = "javaserializeddata";
- private static final String CLASS_NAME = "javaclassname";
- private static final String REFERENCE_ADDRESS = "javareferenceaddress";
- private static final String OBJECT_FACTORY = "javafactory";
+ private static final String SERIALIZED_DATA = "javaSerializedData";
+ private static final String CLASS_NAME = "javaClassName";
+ private static final String REFERENCE_ADDRESS = "javaReferenceAddress";
+ private static final String OBJECT_FACTORY = "javaFactory";
private final List<String> allowedHosts;
private final List<String> allowedClasses;
private final List<String> allowedProtocols;
@@ -218,8 +220,18 @@ protected boolean releaseSub(final long timeout, final TimeUnit timeUnit) {
}
Attributes attributes = this.context.getAttributes(name);
if (attributes != null) {
- Attribute classNameAttr = attributes.get(CLASS_NAME);
- if (attributes.get(SERIALIZED_DATA) != null) {
+ // In testing the "key" for attributes seems to be lowercase while the attribute id is
+ // camelcase, but that may just be true for the test LDAP used here. This copies the Attributes
+ // to a Map ignoring the "key" and using the Attribute's id as the key in the Map so it matches
+ // the Java schema.
+ Map<String, Attribute> attributeMap = new HashMap<>();
+ NamingEnumeration<? extends Attribute> enumeration = attributes.getAll();
+ while (enumeration.hasMore()) {
+ Attribute attribute = enumeration.next();
+ attributeMap.put(attribute.getID(), attribute);
+ }
+ Attribute classNameAttr = attributeMap.get(CLASS_NAME);
+ if (attributeMap.get(SERIALIZED_DATA) != null) {
if (classNameAttr != null) {
String className = classNameAttr.get().toString();
if (!allowedClasses.contains(className)) {
@@ -230,7 +242,8 @@ protected boolean releaseSub(final long timeout, final TimeUnit timeUnit) {
LOGGER.warn("No class name provided for {}", name);
return null;
}
- } else if (attributes.get(REFERENCE_ADDRESS) != null || attributes.get(OBJECT_FACTORY) != null){
+ } else if (attributeMap.get(REFERENCE_ADDRESS) != null
+ || attributeMap.get(OBJECT_FACTORY) != null) {
LOGGER.warn("Referenceable class is not allowed for {}", name);
return null;
}
diff --git a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLdapLookupTest.java b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java
similarity index 98%
rename from log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLdapLookupTest.java
rename to log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java
index a26d927da4..032c9c4d85 100644
--- a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLdapLookupTest.java
+++ b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java
@@ -36,7 +36,7 @@
/**
* JndiLookupTest
*/
-public class JndiLdapLookupTest {
+public class JndiRestrictedLookupTest {
private static final String LDAP_URL = "ldap://127.0.0.1:";
private static final String RESOURCE = "JndiExploit";
@@ -48,7 +48,7 @@
@Rule
public EmbeddedLdapRule embeddedLdapRule = EmbeddedLdapRuleBuilder.newInstance().usingDomainDsn(DOMAIN_DSN)
- .importingLdifs("java-import.ldif").build();
+ .importingLdifs("JndiRestrictedLookup.ldif").build();
@BeforeClass
public static void beforeClass() {
diff --git a/log4j-core/src/test/resources/java-import.ldif b/log4j-core/src/test/resources/JndiRestrictedLookup.ldif
similarity index 100%
rename from log4j-core/src/test/resources/java-import.ldif
rename to log4j-core/src/test/resources/JndiRestrictedLookup.ldif
Reference in New Issue View Git Blame Copy Permalink