Posted to cvs@cocoon.apache.org by ja...@apache.org on 2022/12/18 21:54:58 UTC

svn commit: r1906077 - /cocoon/branches/cocoon-2.2.1/core/cocoon-sitemap/cocoon-sitemap-components/src/main/java/org/apache/cocoon/components/modules/input/NamingInputModule.java

Author: javier
Date: Sun Dec 18 21:54:58 2022
New Revision: 1906077

URL: http://svn.apache.org/viewvc?rev=1906077&view=rev
Log:
COCOON-2372: Add security note about JNDI injection in NamingInputModule.

Modified:
    cocoon/branches/cocoon-2.2.1/core/cocoon-sitemap/cocoon-sitemap-components/src/main/java/org/apache/cocoon/components/modules/input/NamingInputModule.java

Modified: cocoon/branches/cocoon-2.2.1/core/cocoon-sitemap/cocoon-sitemap-components/src/main/java/org/apache/cocoon/components/modules/input/NamingInputModule.java
URL: http://svn.apache.org/viewvc/cocoon/branches/cocoon-2.2.1/core/cocoon-sitemap/cocoon-sitemap-components/src/main/java/org/apache/cocoon/components/modules/input/NamingInputModule.java?rev=1906077&r1=1906076&r2=1906077&view=diff
==============================================================================
--- cocoon/branches/cocoon-2.2.1/core/cocoon-sitemap/cocoon-sitemap-components/src/main/java/org/apache/cocoon/components/modules/input/NamingInputModule.java (original)
+++ cocoon/branches/cocoon-2.2.1/core/cocoon-sitemap/cocoon-sitemap-components/src/main/java/org/apache/cocoon/components/modules/input/NamingInputModule.java Sun Dec 18 21:54:58 2022
@@ -34,7 +34,11 @@ import java.util.Properties;
  * <p>This module accept any configuration parameters and passes them as
  * properties to the InitialContext. When connecting to the Naming context
  * of the server Cocoon is running in, no parameters are required.</p>
- *
+ * <br/>
+ * <p><b>Security note:</b> Use secure parameters only with this module as
+ * it performs a JNDI lookup that can be exploited for remote code execution
+ * (RCE).</p>
+ * <br/>
  * <p>Example module configuration when connecting to external WebLogic server:
  * <pre>
  *   &lt;java.naming.factory.initial&gt;weblogic.jndi.WLInitialContextFactory&lt;/java.naming.factory.initial&gt;
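Review bot: "Use secure parameters only" in the new note leaves unstated which parameters matter and where they must come from; since the paragraph just above says the module passes every configuration parameter straight through to the InitialContext, the note should name the properties it forwards (such as the `java.naming.factory.initial` shown in the example that follows) and state that they, together with the name being looked up, must be fixed in trusted sitemap configuration and never derived from request-controlled input. Suggested wording: `Security note: the configuration parameters below are passed unchanged to the InitialContext and the module performs a JNDI lookup with them; take them only from trusted sitemap configuration, never from request data, as an attacker-controlled factory or lookup name can lead to remote code execution (RCE).` The two added `<br/>` lines are redundant between `<p>` blocks in Javadoc and can be dropped. Since this change is documentation only, citing COCOON-2372 in the note would let readers find whether a code-level restriction is planned.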