rgoers commented on a change in pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#discussion_r759847957



##########
File path: 
log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
##########
@@ -17,31 +17,76 @@
 
 package org.apache.logging.log4j.core.net;
 
+import java.io.Serializable;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
 import java.util.Properties;
 import java.util.concurrent.TimeUnit;
 
 import javax.naming.Context;
-import javax.naming.InitialContext;
+import javax.naming.NameClassPair;
+import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
+import javax.naming.Referenceable;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
 
 import org.apache.logging.log4j.core.appender.AbstractManager;
 import org.apache.logging.log4j.core.appender.ManagerFactory;
 import org.apache.logging.log4j.core.util.JndiCloser;
+import org.apache.logging.log4j.core.util.NetUtils;
+import org.apache.logging.log4j.util.PropertiesUtil;
 
 /**
- * Manages a JNDI {@link javax.naming.Context}.
+ * Manages a JNDI {@link javax.naming.directory.DirContext}.
  *
  * @since 2.1
  */
 public class JndiManager extends AbstractManager {
 
+    public static final String ALLOWED_HOSTS = "allowedLdapHosts";
+    public static final String ALLOWED_CLASSES = "allowedLdapClasses";
+
     private static final JndiManagerFactory FACTORY = new JndiManagerFactory();
+    private static final String PREFIX = "log4j2.";
+    private static final List<String> permanentAllowedHosts = new 
ArrayList<>();
+    private static final List<String> permanentAllowedClasses = new 
ArrayList<>();
+    private static final String LDAP = "ldap";
+    private static final String SERIALIZED_DATA = "javaserializeddata";
+    private static final String CLASS_NAME = "javaclassname";
+    private static final String REFERENCE_ADDRESS = "javareferenceaddress";
+    private static final String OBJECT_FACTORY = "javafactory";
+    private final List<String> allowedHosts;
+    private final List<String> allowedClasses;
+
+    static {
+        permanentAllowedHosts.addAll(NetUtils.getLocalIps());
+        permanentAllowedClasses.add(Boolean.class.getName());
+        permanentAllowedClasses.add(Byte.class.getName());
+        permanentAllowedClasses.add(Character.class.getName());
+        permanentAllowedClasses.add(Double.class.getName());
+        permanentAllowedClasses.add(Float.class.getName());
+        permanentAllowedClasses.add(Integer.class.getName());
+        permanentAllowedClasses.add(Long.class.getName());
+        permanentAllowedClasses.add(Number.class.getName());

Review comment:
       This comment is on the first commit. The second commit added filtering 
by protocol.  
   I haven't added a complete kill switch and wasn't planning to. Rather than 
doing that I think it would be better to figure out a generic way to "hide" 
plugins.
   More importantly, the Number class is abstract, so it can never appear here. I am not 
inspecting sub-classes, only the actual class being instantiated. I will remove 
Number.



