carterkozak commented on a change in pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#discussion_r760363447
##########
File path:
log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
##########
@@ -168,21 +206,89 @@ protected boolean releaseSub(final long timeout, final
TimeUnit timeUnit) {
* @throws NamingException if a naming exception is encountered
*/
@SuppressWarnings("unchecked")
- public <T> T lookup(final String name) throws NamingException {
+ public synchronized <T> T lookup(final String name) throws NamingException
{
+ try {
+ URI uri = new URI(name);
+ if
(!allowedProtocols.contains(uri.getScheme().toLowerCase(Locale.ROOT))) {
+ LOGGER.warn("Log4j JNDI does not allow protocol {}",
uri.getScheme());
+ return null;
+ }
+ if (LDAP.equalsIgnoreCase(uri.getScheme()) ||
LDAPS.equalsIgnoreCase(uri.getScheme())) {
+ if (!allowedHosts.contains(uri.getHost())) {
+ LOGGER.warn("Attempt to access ldap server not in allowed
list");
+ return null;
+ }
+ Attributes attributes = this.context.getAttributes(name);
Review comment:
I want to make sure that `context.getAttributes(name)` verifies against
the same data (cached without any sort of refresh or network call) as the
subsequent call to `context.lookup(name)`, otherwise the verification isn't
very helpful.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
