packages/log4j12
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
log4j12/CVE-2021-4104.patch
wk333 fdf748765f Fix cves 
(cherry picked from commit 571db5722d6f4f5349a54ffb8575f9dcd2049c09)
2022-02-09 14:19:33 +08:00

167 lines
5.7 KiB
Diff
Raw Blame History

From: Markus Koschany <apo@debian.org>
Date: Mon, 31 Jan 2022 11:18:33 +0100
Subject: CVE-2021-4104
Origin: https://github.com/qos-ch/reload4j/commit/fb7b1ff1c8beb8544933248d00a46e9e30547e87
Origin: https://github.com/qos-ch/reload4j/commit/e65c98bbba48cb877e057992847114f1f0923da6
---
.../java/org/apache/log4j/net/JMSAppender.java | 11 ++---
src/main/java/org/apache/log4j/net/JNDIUtil.java | 54 +++++++++++++++++++++
.../java/org/apache/log4j/net/JNDIUtilTest.java | 55 ++++++++++++++++++++++
3 files changed, 114 insertions(+), 6 deletions(-)
create mode 100755 src/main/java/org/apache/log4j/net/JNDIUtil.java
create mode 100755 src/test/java/org/apache/log4j/net/JNDIUtilTest.java
diff --git a/src/main/java/org/apache/log4j/net/JMSAppender.java b/src/main/java/org/apache/log4j/net/JMSAppender.java
index 3482702..c390aef 100644
--- a/src/main/java/org/apache/log4j/net/JMSAppender.java
+++ b/src/main/java/org/apache/log4j/net/JMSAppender.java
@@ -32,7 +32,6 @@ import javax.jms.TopicPublisher;
import javax.jms.TopicSession;
import javax.naming.Context;
import javax.naming.InitialContext;
-import javax.naming.NameNotFoundException;
import javax.naming.NamingException;
import java.util.Properties;
@@ -241,12 +240,12 @@ public class JMSAppender extends AppenderSkeleton {
}
protected Object lookup(Context ctx, String name) throws NamingException {
- try {
- return ctx.lookup(name);
- } catch(NameNotFoundException e) {
- LogLog.error("Could not find name ["+name+"].");
- throw e;
+ Object result = JNDIUtil.lookupObject(ctx, name);
+ if (result == null) {
+ String msg = "Could not find name [" + name + "].";
+ throw new NamingException(msg);
}
+ return result;
}
protected boolean checkEntryConditions() {
diff --git a/src/main/java/org/apache/log4j/net/JNDIUtil.java b/src/main/java/org/apache/log4j/net/JNDIUtil.java
new file mode 100755
index 0000000..3a66a05
--- /dev/null
+++ b/src/main/java/org/apache/log4j/net/JNDIUtil.java
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.log4j.net;
+
+import javax.naming.Context;
+import javax.naming.NamingException;
+
+public class JNDIUtil {
+
+ // See https://jakarta.ee/specifications/platform/8/platform-spec-8.html#a616
+ // there are the java:comp, java:module, java:app, java:global namespaces
+ public static final String JNDI_JAVA_NAMESPACE = "java:";
+
+ static final String RESTRICTION_MSG = "JNDI name must start with " + JNDI_JAVA_NAMESPACE + " but was ";
+
+ public static Object lookupObject(Context ctx, String name) throws NamingException {
+ if (ctx == null) {
+ return null;
+ }
+
+ if (isNullOrEmpty(name)) {
+ return null;
+ }
+
+ jndiNameSecurityCheck(name);
+
+ Object lookup = ctx.lookup(name);
+ return lookup;
+ }
+
+ private static boolean isNullOrEmpty(String str) {
+ return ((str == null) || str.trim().length() == 0);
+ }
+
+ public static void jndiNameSecurityCheck(String name) throws NamingException {
+ if (!name.startsWith(JNDI_JAVA_NAMESPACE)) {
+ throw new NamingException(RESTRICTION_MSG + name);
+ }
+ }
+}
diff --git a/src/test/java/org/apache/log4j/net/JNDIUtilTest.java b/src/test/java/org/apache/log4j/net/JNDIUtilTest.java
new file mode 100755
index 0000000..2439bc7
--- /dev/null
+++ b/src/test/java/org/apache/log4j/net/JNDIUtilTest.java
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.log4j.net;
+
+import static org.junit.Assert.fail;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+
+import org.junit.Test;
+
+
+/**
+ * Test copied form the logback project with permission.
+ *
+ * @author Ceki Gulcu
+ *
+ */
+public class JNDIUtilTest {
+
+ @Test
+ public void ensureJavaNameSpace() throws NamingException {
+
+ try {
+ Context ctxt = new InitialContext();
+ JNDIUtil.lookupObject(ctxt, "ldap:...");
+ } catch (NamingException e) {
+ String excaptionMsg = e.getMessage();
+ if (excaptionMsg.startsWith(JNDIUtil.RESTRICTION_MSG))
+ return;
+ else {
+ fail("unexpected exception " + e);
+ }
+ }
+
+ fail("Should aNot yet implemented");
+ }
+
+
+}
\ No newline at end of file
Reference in New Issue View Git Blame Copy Permalink