[jira] [Commented] (JCR-5135) Make JNDI support opt-in

Manfred Baedke (Jira) Tue, 08 Apr 2025 06:06:31 -0700


    [ 
https://issues.apache.org/jira/browse/JCR-5135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17941885#comment-17941885
 ]


Manfred Baedke commented on JCR-5135:
-------------------------------------

jackrabbit trunk: 
[7a319093|https://github.com/apache/jackrabbit/commit/7a319093c9864111bb86c9895148e580e0f8259a]
jackrabbit-site: 
[b14d345c|https://github.com/apache/jackrabbit-site/commit/b14d345c95246c8649c503d147e1d3c27f204215]

> Make JNDI support opt-in
> ------------------------
>
>                 Key: JCR-5135
>                 URL: https://issues.apache.org/jira/browse/JCR-5135
>             Project: Jackrabbit Content Repository
>          Issue Type: Task
>          Components: jackrabbit-jcr-commons
>            Reporter: Julian Reschke
>            Assignee: Manfred Baedke
>            Priority: Major
>              Labels: candidate_jackrabbit_2.22
>             Fix For: 2.24, 2.23.2
>
>
> Support for JNDI is inherently dangerous, because it can load classes from 
> another location. Users of the method might not be aware when using it and 
> just pass parameter values without
> sanitization. It would probably also be good to add a warning to the method 
> and state that parameters should come from configuration and not passed in 
> from an end user.
> (ack [~mreutegg] )



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (JCR-5135) Make JNDI support opt-in

Reply via email to