This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch coheigea/jndi-allow-list in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 8c11a67ae093cdcd1a1ea5973063114c50d93526
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Fri May 23 12:26:48 2025 +0100
Switch to an allow list of protocols for JNDI
---
 .../main/java/org/apache/cxf/transport/jms/util/JndiHelper.java | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java b/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
index 1f07ac0ffc..37904909a4 100644
--- a/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
+++ b/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
@@ -18,6 +18,8 @@
 */
 package org.apache.cxf.transport.jms.util;
+import java.util.Arrays;
+import java.util.List;
 import java.util.Properties;
 import javax.naming.Context;
@@ -27,6 +29,8 @@ import javax.naming.NamingException;
 public class JndiHelper {
+ private static final List<String> ALLOWED_PROTOCOLS = Arrays.asList(
+ "vm://", "tcp://", "nio://", "ssl://", "http://", "https://", "ws://", "wss://");
 private Properties environment;
 /**
@@ -37,8 +41,7 @@ public class JndiHelper {
 // Avoid unsafe protocols if they are somehow misconfigured
 String providerUrl = environment.getProperty(Context.PROVIDER_URL);
- if (providerUrl != null && (providerUrl.startsWith("ldap://")
- || providerUrl.startsWith("rmi://"))) {
+ if (providerUrl != null && !ALLOWED_PROTOCOLS.stream().anyMatch(providerUrl::startsWith)) {
 throw new IllegalArgumentException("Unsafe protocol in JNDI URL: " + providerUrl);
 }
 }
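Review bot: `ALLOWED_PROTOCOLS` is added without a comment saying which JMS providers these eight prefixes are meant to cover or that they are compared with `startsWith`, so a later maintainer has no basis for deciding whether another scheme belongs in the list. I would put a short comment above the field, for example `// URL prefixes accepted for Context.PROVIDER_URL; any other value is rejected in the constructor`. `Arrays.asList` returns a list whose elements can still be replaced through `set`, so wrapping it as `Collections.unmodifiableList(Arrays.asList(...))` (with the matching import) keeps the allow list fixed for the life of the class. The list admits the cleartext `tcp://`, `http://` and `ws://` forms next to their TLS counterparts; if that is deliberate for compatibility, the same comment is the place to say so.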
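Review bot: The new condition in the constructor checks only the leading characters of `providerUrl`, so everything after an allowed prefix (query parameters, nested or list-style URIs) is passed on unchecked, and whether each allowed scheme is safe then depends on how the configured initial context factory interprets the rest of the string. The comparison is also case-sensitive and untrimmed; that fails closed, but values such as `TCP://host` or a wrapper form like `failover:(tcp://host)`, which presumably passed the old deny list, are now rejected and that deserves a release note. `!ALLOWED_PROTOCOLS.stream().anyMatch(providerUrl::startsWith)` reads more directly as `ALLOWED_PROTOCOLS.stream().noneMatch(providerUrl::startsWith)`. The exception message on the following context line echoes the whole URL, which in some provider URL syntaxes can carry credentials; reporting only the scheme would keep those out of logs. The constructor body starts outside the hunk.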
