This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.6.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 8d26f00b092981e1b2dabd0bbf373294b04a25d2
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Tue May 20 15:47:32 2025 +0100

    Forbid LDAP/RMI from JndiHelper (#2414)
    
    (cherry picked from commit 24e50ffeca3132570c2f297c5c7dbd05a1bb1bfa)
    (cherry picked from commit 4f717df024c7a218f1ba56fda1dfe0fb430a3959)
---
 .../apache/cxf/transport/jms/util/JndiHelper.java  |  7 +++++++
 .../cxf/transport/jms/JMSConfigFactoryTest.java    | 23 ++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git 
a/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
 
b/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
index 009443db36..1f07ac0ffc 100644
--- 
a/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
+++ 
b/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
@@ -34,6 +34,13 @@ public class JndiHelper {
      */
     public JndiHelper(Properties environment) {
         this.environment = environment;
+
+        // Avoid unsafe protocols if they are somehow misconfigured
+        String providerUrl = environment.getProperty(Context.PROVIDER_URL);
+        if (providerUrl != null && (providerUrl.startsWith("ldap://";)
+                || providerUrl.startsWith("rmi://"))) {
+            throw new IllegalArgumentException("Unsafe protocol in JNDI URL: " 
+ providerUrl);
+        }
     }
 
     @SuppressWarnings("unchecked")
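Review bot: The scheme check on the new `startsWith` lines is an exact lowercase prefix match, so `ldaps://` and mixed-case spellings such as `LDAP://` are not rejected; whether the underlying providers treat the scheme case-insensitively is not visible here, so normalizing first is the safer form: `String scheme = providerUrl.toLowerCase(Locale.ROOT);` followed by `if (scheme.startsWith("ldap://") || scheme.startsWith("ldaps://") || scheme.startsWith("rmi://"))` (needs `java.util.Locale`, which the hunk does not show as imported). `Properties.getProperty` returns null for an entry stored via `put` as a non-String object, so such a value bypasses the check entirely; reading `environment.get(Context.PROVIDER_URL)` and inspecting `toString()` of a non-null result would cover that case too. The constructor now dereferences `environment` on the `getProperty` line, whereas the previous body only assigned it, so a caller that passed a null environment before gets a NullPointerException instead of a usable instance. The `";` after `"ldap://"` on the first condition line looks like a mail-archive rendering artifact rather than source text.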
diff --git 
a/rt/transports/jms/src/test/java/org/apache/cxf/transport/jms/JMSConfigFactoryTest.java
 
b/rt/transports/jms/src/test/java/org/apache/cxf/transport/jms/JMSConfigFactoryTest.java
index f785a0f571..aeade8c485 100644
--- 
a/rt/transports/jms/src/test/java/org/apache/cxf/transport/jms/JMSConfigFactoryTest.java
+++ 
b/rt/transports/jms/src/test/java/org/apache/cxf/transport/jms/JMSConfigFactoryTest.java
@@ -19,6 +19,9 @@
 
 package org.apache.cxf.transport.jms;
 
+import java.util.Properties;
+
+import javax.naming.Context;
 import javax.naming.NamingException;
 import javax.transaction.TransactionManager;
 import javax.transaction.xa.XAException;
@@ -36,6 +39,26 @@ import org.junit.Test;
 
 public class JMSConfigFactoryTest extends AbstractJMSTester {
 
+    @Test
+    public void testJndiForbiddenProtocol() throws Exception {
+        Properties env = new Properties();
+        env.put(Context.INITIAL_CONTEXT_FACTORY, 
"com.sun.jndi.ldap.LdapCtxFactory");
+        env.put(Context.PROVIDER_URL, "ldap://127.0.0.1:12345";);
+        // Allow following referrals (important for LDAP injection)
+        env.put(Context.REFERRAL, "follow");
+        
+        JMSConfiguration jmsConfig = new JMSConfiguration();
+        jmsConfig.setJndiEnvironment(env);
+        jmsConfig.setConnectionFactoryName("objectName");
+        
+        try {
+            jmsConfig.getConnectionFactory();
+            Assert.fail("JNDI lookup should have failed");
+        } catch (Exception e) {
+            Assert.assertTrue(e.getMessage().contains("Unsafe protocol in JNDI 
URL"));
+        }
+    }
+
     @Test
     public void testUsernameAndPassword() throws Exception {
         EndpointInfo ei = setupServiceInfo("HelloWorldService", 
"HelloWorldPort");
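Review bot: The `catch (Exception e)` block asserts on `e.getMessage().contains(...)`, so any other failure with a null message (a NamingException from an actual connection attempt, for instance) surfaces as a NullPointerException inside the catch rather than a readable assertion failure; catching `IllegalArgumentException` specifically, or asserting `Assert.assertNotNull(e.getMessage());` first, keeps the failure mode clear. Whether `getConnectionFactory()` rethrows the constructor's IllegalArgumentException unwrapped is not visible in this hunk, which is presumably why the broad catch was chosen; if it wraps, the narrow catch should target the wrapping type instead. The test only covers `ldap://`; a second case for `rmi://` and a positive case with an allowed URL that reaches the lookup would pin both sides of the new guard. The `";` after the loopback URL looks like a mail-archive rendering artifact rather than source text, and `testUsernameAndPassword` continues outside the hunk.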
