log4j12/CVE-2021-4104.patch
wk333 fdf748765f Fix cves
(cherry picked from commit 571db5722d6f4f5349a54ffb8575f9dcd2049c09)
2022-02-09 14:19:33 +08:00


From: Markus Koschany <apo@debian.org>
Date: Mon, 31 Jan 2022 11:18:33 +0100
Subject: CVE-2021-4104
Origin: https://github.com/qos-ch/reload4j/commit/fb7b1ff1c8beb8544933248d00a46e9e30547e87
Origin: https://github.com/qos-ch/reload4j/commit/e65c98bbba48cb877e057992847114f1f0923da6
---
.../java/org/apache/log4j/net/JMSAppender.java | 11 ++---
src/main/java/org/apache/log4j/net/JNDIUtil.java | 54 +++++++++++++++++++++
.../java/org/apache/log4j/net/JNDIUtilTest.java | 55 ++++++++++++++++++++++
3 files changed, 114 insertions(+), 6 deletions(-)
create mode 100755 src/main/java/org/apache/log4j/net/JNDIUtil.java
create mode 100755 src/test/java/org/apache/log4j/net/JNDIUtilTest.java
diff --git a/src/main/java/org/apache/log4j/net/JMSAppender.java b/src/main/java/org/apache/log4j/net/JMSAppender.java
index 3482702..c390aef 100644
--- a/src/main/java/org/apache/log4j/net/JMSAppender.java
+++ b/src/main/java/org/apache/log4j/net/JMSAppender.java
@@ -32,7 +32,6 @@ import javax.jms.TopicPublisher;
import javax.jms.TopicSession;
import javax.naming.Context;
import javax.naming.InitialContext;
-import javax.naming.NameNotFoundException;
import javax.naming.NamingException;
import java.util.Properties;
@@ -241,12 +240,12 @@ public class JMSAppender extends AppenderSkeleton {
}
protected Object lookup(Context ctx, String name) throws NamingException {
- try {
- return ctx.lookup(name);
- } catch(NameNotFoundException e) {
- LogLog.error("Could not find name ["+name+"].");
- throw e;
+ Object result = JNDIUtil.lookupObject(ctx, name);
+ if (result == null) {
+ String msg = "Could not find name [" + name + "].";
+ throw new NamingException(msg);
}
+ return result;
}
protected boolean checkEntryConditions() {
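Review bot: The rewritten `lookup` no longer writes to `LogLog`, so a failed lookup is visible only if the caller reports the `NamingException`; adding `LogLog.error(msg);` before `throw new NamingException(msg);` would keep the diagnostic the old code produced. A name rejected by `JNDIUtil.lookupObject` also passes through this method unlogged, and a refused JNDI name is an event an operator would want recorded. The null result covers a null context and a blank name as well as a missing binding, so "Could not find name []" can mask a configuration error. Code that caught `NameNotFoundException` now receives the base `NamingException` in the null case. The callers of `lookup` are outside the hunk, so how they handle the exception cannot be seen here.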
diff --git a/src/main/java/org/apache/log4j/net/JNDIUtil.java b/src/main/java/org/apache/log4j/net/JNDIUtil.java
new file mode 100755
index 0000000..3a66a05
--- /dev/null
+++ b/src/main/java/org/apache/log4j/net/JNDIUtil.java
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.log4j.net;
+
+import javax.naming.Context;
+import javax.naming.NamingException;
+
+public class JNDIUtil {
+
+ // See https://jakarta.ee/specifications/platform/8/platform-spec-8.html#a616
+ // there are the java:comp, java:module, java:app, java:global namespaces
+ public static final String JNDI_JAVA_NAMESPACE = "java:";
+
+ static final String RESTRICTION_MSG = "JNDI name must start with " + JNDI_JAVA_NAMESPACE + " but was ";
+
+ public static Object lookupObject(Context ctx, String name) throws NamingException {
+ if (ctx == null) {
+ return null;
+ }
+
+ if (isNullOrEmpty(name)) {
+ return null;
+ }
+
+ jndiNameSecurityCheck(name);
+
+ Object lookup = ctx.lookup(name);
+ return lookup;
+ }
+
+ private static boolean isNullOrEmpty(String str) {
+ return ((str == null) || str.trim().length() == 0);
+ }
+
+ public static void jndiNameSecurityCheck(String name) throws NamingException {
+ if (!name.startsWith(JNDI_JAVA_NAMESPACE)) {
+ throw new NamingException(RESTRICTION_MSG + name);
+ }
+ }
+}
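Review bot: `jndiNameSecurityCheck` is public but dereferences `name` without a null check, so a direct caller passing null gets a `NullPointerException` instead of the declared `NamingException`; `if (name == null || !name.startsWith(JNDI_JAVA_NAMESPACE)) {` keeps the check fail-closed. The class has no Javadoc saying why lookups are confined to `java:`; a class comment such as `/** Restricts JNDI lookups to the java: namespace so configuration-supplied names cannot reference remote naming services (CVE-2021-4104). */` would warn maintainers against relaxing it. The check constrains only the name: whether the `Context` passed in can itself be configured with a remote provider is decided outside this file and is worth confirming in the caller.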
diff --git a/src/test/java/org/apache/log4j/net/JNDIUtilTest.java b/src/test/java/org/apache/log4j/net/JNDIUtilTest.java
new file mode 100755
index 0000000..2439bc7
--- /dev/null
+++ b/src/test/java/org/apache/log4j/net/JNDIUtilTest.java
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.log4j.net;
+
+import static org.junit.Assert.fail;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+
+import org.junit.Test;
+
+
+/**
+ * Test copied form the logback project with permission.
+ *
+ * @author Ceki Gulcu
+ *
+ */
+public class JNDIUtilTest {
+
+ @Test
+ public void ensureJavaNameSpace() throws NamingException {
+
+ try {
+ Context ctxt = new InitialContext();
+ JNDIUtil.lookupObject(ctxt, "ldap:...");
+ } catch (NamingException e) {
+ String excaptionMsg = e.getMessage();
+ if (excaptionMsg.startsWith(JNDIUtil.RESTRICTION_MSG))
+ return;
+ else {
+ fail("unexpected exception " + e);
+ }
+ }
+
+ fail("Should aNot yet implemented");
+ }
+
+
+}
\ No newline at end of file
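Review bot: The closing `fail("Should aNot yet implemented")` is a garbled leftover, so if the lookup were ever allowed the failure would not say what was expected; `fail("expected NamingException for a non-java: JNDI name");` would. Only one rejected scheme is tested. Cases for a null or blank name (which returns null), for different letter case or leading whitespace before `java:`, and for an accepted `java:` name against a stub `Context` would pin the boundaries of the check. `e.getMessage()` is used without a null check, so an unrelated `NamingException` with no message would raise a `NullPointerException` rather than a clean test failure.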