This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 3.6.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/3.6.x-fixes by this push:
new fea6e10577 Switch to an allow list of protocols for JNDI (#2422)
fea6e10577 is described below
commit fea6e10577e0243791bd664bcc68b706bf1256a0
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Fri May 23 14:05:09 2025 +0100
Switch to an allow list of protocols for JNDI (#2422)
(cherry picked from commit e60a4cd00b978eeec5312f0cdca9e6d40a4f8248)
(cherry picked from commit 91d7869d93f38b7d72255bb44c68df05d194476a)
---
.../main/java/org/apache/cxf/transport/jms/util/JndiHelper.java | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git
a/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
b/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
index 1f07ac0ffc..37904909a4 100644
---
a/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
+++
b/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
@@ -18,6 +18,8 @@
*/
package org.apache.cxf.transport.jms.util;
+import java.util.Arrays;
+import java.util.List;
import java.util.Properties;
import javax.naming.Context;
@@ -27,6 +29,8 @@ import javax.naming.NamingException;
public class JndiHelper {
+ private static final List<String> ALLOWED_PROTOCOLS = Arrays.asList(
+ "vm://", "tcp://", "nio://", "ssl://", "http://", "https://", "ws://",
"wss://");
private Properties environment;
/**
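Review bot: `ALLOWED_PROTOCOLS` is added without a comment, so a reader cannot tell where the eight schemes come from or how entries are compared. A short comment above the field would help, for example `// URL prefixes accepted for Context.PROVIDER_URL; compared with String.startsWith, so matching is case-sensitive and anything not listed is rejected.` `Arrays.asList` returns a list whose elements can still be replaced through `set`, so wrapping it in `Collections.unmodifiableList(...)` (with the matching import) would keep the allow list fixed for the lifetime of the class. The class body continues outside the hunk.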
@@ -37,8 +41,7 @@ public class JndiHelper {
// Avoid unsafe protocols if they are somehow misconfigured
String providerUrl = environment.getProperty(Context.PROVIDER_URL);
- if (providerUrl != null && (providerUrl.startsWith("ldap://")
- || providerUrl.startsWith("rmi://"))) {
+ if (providerUrl != null &&
!ALLOWED_PROTOCOLS.stream().anyMatch(providerUrl::startsWith)) {
throw new IllegalArgumentException("Unsafe protocol in JNDI URL: "
+ providerUrl);
}
}
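Review bot: The new guard still lets a null `providerUrl` through, so the allow list only applies when `Context.PROVIDER_URL` is set in `environment`. JNDI can also take `java.naming.provider.url` from system properties or a `jndi.properties` resource when the context is created, which presumably happens elsewhere in this class outside the hunk, so a URL supplied that way would not be checked here. The match is also a case-sensitive prefix test, so an upper-case scheme or a composite URI of the form `failover:(tcp://...)` is now rejected where the old deny list accepted it; that fails closed, but it is a behaviour change worth stating in the release notes. For readability the condition can be written as `ALLOWED_PROTOCOLS.stream().noneMatch(providerUrl::startsWith)`. The enclosing method starts outside the hunk.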