Posted to cvs@cocoon.apache.org by ja...@apache.org on 2022/12/18 21:54:58 UTC
svn commit: r1906077 - /cocoon/branches/cocoon-2.2.1/core/cocoon-sitemap/cocoon-sitemap-components/src/main/java/org/apache/cocoon/components/modules/input/NamingInputModule.java
Author: javier
Date: Sun Dec 18 21:54:58 2022
New Revision: 1906077
URL: http://svn.apache.org/viewvc?rev=1906077&view=rev
Log:
COCOON-2372: Add security note about JNDI injection in NamingInputModule.
Modified:
cocoon/branches/cocoon-2.2.1/core/cocoon-sitemap/cocoon-sitemap-components/src/main/java/org/apache/cocoon/components/modules/input/NamingInputModule.java
Modified: cocoon/branches/cocoon-2.2.1/core/cocoon-sitemap/cocoon-sitemap-components/src/main/java/org/apache/cocoon/components/modules/input/NamingInputModule.java
URL: http://svn.apache.org/viewvc/cocoon/branches/cocoon-2.2.1/core/cocoon-sitemap/cocoon-sitemap-components/src/main/java/org/apache/cocoon/components/modules/input/NamingInputModule.java?rev=1906077&r1=1906076&r2=1906077&view=diff
==============================================================================
--- cocoon/branches/cocoon-2.2.1/core/cocoon-sitemap/cocoon-sitemap-components/src/main/java/org/apache/cocoon/components/modules/input/NamingInputModule.java (original)
+++ cocoon/branches/cocoon-2.2.1/core/cocoon-sitemap/cocoon-sitemap-components/src/main/java/org/apache/cocoon/components/modules/input/NamingInputModule.java Sun Dec 18 21:54:58 2022
@@ -34,7 +34,11 @@ import java.util.Properties;
* <p>This module accept any configuration parameters and passes them as
* properties to the InitialContext. When connecting to the Naming context
* of the server Cocoon is running in, no parameters are required.</p>
- *
+ * <br/>
+ * <p><b>Security note:</b> Use secure parameters only with this module as
+ * it performs a JNDI lookup that can be exploited for remote code execution
+ * (RCE).</p>
+ * <br/>
* <p>Example module configuration when connecting to external WebLogic server:
* <pre>
* <java.naming.factory.initial>weblogic.jndi.WLInitialContextFactory</java.naming.factory.initial>
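Review bot: the new security note is too vague to act on: "Use secure parameters only" does not say which parameters are sensitive or what makes a parameter secure. Since the paragraph just above states that the module accepts any configuration parameters and passes them as properties to the InitialContext, the note should say that these properties (in particular the factory and provider settings, such as the java.naming.factory.initial value in the WebLogic example below) must come from trusted, static sitemap configuration and never be derived from request or other user-controlled input, because the resulting JNDI lookup is what the note warns can lead to RCE. Separately, the two added `<br/>` lines around the new `<p>` are redundant in Javadoc, where `<p>` already separates paragraphs; suggest dropping them and keeping the original ` *` spacer line that the hunk removes.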