This is an automated email from the ASF dual-hosted git repository.

asoldano pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/main by this push:
     new 7393edb431 [CXF-9160] Make JMS allowed JNDI protocols whitelist 
configurable
7393edb431 is described below

commit 7393edb431b1368f2060d287dfbf0d6d05f47b6a
Author: Richard Opálka <[email protected]>
AuthorDate: Fri Aug 22 15:22:09 2025 +0200

    [CXF-9160] Make JMS allowed JNDI protocols whitelist configurable
---
 .../apache/cxf/transport/jms/util/JndiHelper.java  | 36 ++++++++++++++++++++--
 1 file changed, 33 insertions(+), 3 deletions(-)

diff --git 
a/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
 
b/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
index 81ff0f6a57..ef98b6b3e5 100644
--- 
a/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
+++ 
b/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
@@ -18,21 +18,50 @@
  */
 package org.apache.cxf.transport.jms.util;
 
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
 import java.util.Properties;
+import java.util.function.Predicate;
 
 import javax.naming.Context;
 import javax.naming.InitialContext;
 import javax.naming.NameNotFoundException;
 import javax.naming.NamingException;
 
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.common.util.SystemPropertyAction;
+
 public class JndiHelper {
 
-    private static final List<String> ALLOWED_PROTOCOLS = Arrays.asList(
-        "vm://", "tcp://", "nio://", "ssl://", "http://";, "https://";, "ws://", 
"wss://");
+    /**
+     * JVM/System property name holding allowed jms protocols.
+     */
+    private static final String CONFIGURED_JMS_PROTOCOLS = "jms.protocols";
+    /**
+     * Constant holding default allowed jms protocols.
+     */
+    private static final String DEFAULT_JMS_PROTOCOLS = 
"vm,tcp,nio,ssl,http,https,ws,wss";
+    private static final List<String> ALLOWED_PROTOCOLS;
     private Properties environment;
 
+    static {
+        final String jmsProtocols = 
SystemPropertyAction.getProperty(CONFIGURED_JMS_PROTOCOLS, 
DEFAULT_JMS_PROTOCOLS);
+        if (StringUtils.isEmpty(jmsProtocols)) {
+            ALLOWED_PROTOCOLS = Collections.emptyList();
+        } else {
+            final List<String> allowedProtocols = new ArrayList<>();
+            Arrays
+                .stream(jmsProtocols.split(","))
+                .map(String::trim)
+                .filter(Predicate.not(String::isEmpty))
+                .map(s -> s + "://")
+                .forEach(allowedProtocols::add);
+            ALLOWED_PROTOCOLS = Collections.unmodifiableList(allowedProtocols);
+        }
+    }
+
     /**
      * Create a new JndiTemplate instance, using the given environment.
      */
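Review bot: The Javadoc on `CONFIGURED_JMS_PROTOCOLS` does not say that this property sets the allow-list guarding `Context.PROVIDER_URL`, so an operator cannot tell from the code that every scheme listed there is accepted by the check. I would document it as `Comma-separated scheme names, without "://", accepted in Context.PROVIDER_URL; overrides the defaults, is read once at class initialisation, and an empty value rejects every non-empty provider URL.` The static block also takes each token unvalidated and leaves no trace of an override, so logging the effective list when it differs from `DEFAULT_JMS_PROTOCOLS` would make a widened list visible during review and incident response. The `StringUtils.isEmpty` branch looks redundant, since splitting and filtering an empty string already yields an empty list.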
@@ -41,7 +70,8 @@ public class JndiHelper {
 
         // Avoid unsafe protocols if they are somehow misconfigured
         String providerUrl = environment.getProperty(Context.PROVIDER_URL);
-        if (providerUrl != null && 
!ALLOWED_PROTOCOLS.stream().anyMatch(providerUrl::startsWith)) {
+        if (providerUrl != null && !providerUrl.isEmpty()
+            && !ALLOWED_PROTOCOLS.stream().anyMatch(providerUrl::startsWith)) {
             throw new IllegalArgumentException("Unsafe protocol in JNDI URL: " 
+ providerUrl);
         }
     }
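Review bot: The added `!providerUrl.isEmpty()` condition exempts an empty `Context.PROVIDER_URL` from the protocol check, where the old condition rejected it, and nothing in the hunk says why. If the exemption is intended, a comment such as `// empty provider URL: no explicit provider configured, nothing to validate` would record that; what the JNDI context then resolves is not visible here, so the claim should be confirmed. A whitespace-only value still reaches the check and is rejected. The negated `anyMatch` also reads more directly as `ALLOWED_PROTOCOLS.stream().noneMatch(providerUrl::startsWith)`. The enclosing constructor starts outside the hunk.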
