Posted to commits@karaf.apache.org by jb...@apache.org on 2022/10/07 08:39:39 UTC

[karaf] branch karaf-4.3.x updated: [KARAF-7568] Add JDBC scheme verification in JDBCUtils

This is an automated email from the ASF dual-hosted git repository.

jbonofre pushed a commit to branch karaf-4.3.x
in repository https://gitbox.apache.org/repos/asf/karaf.git


The following commit(s) were added to refs/heads/karaf-4.3.x by this push:
     new 2a933445d1 [KARAF-7568] Add JDBC scheme verification in JDBCUtils
2a933445d1 is described below

commit 2a933445d1ae3dd22acf17a4f720f01ea98159a3
Author: Jean-Baptiste Onofré <jb...@apache.org>
AuthorDate: Thu Oct 6 07:46:14 2022 +0200

    [KARAF-7568] Add JDBC scheme verification in JDBCUtils
    
    (cherry picked from commit 3819f4834192f0f38f5ffef1ca8ea165a80eb8f0)
---
 .../main/java/org/apache/karaf/jaas/modules/jdbc/JDBCUtils.java   | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/jdbc/JDBCUtils.java b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/jdbc/JDBCUtils.java
index 5be25b0604..c5f76dad19 100644
--- a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/jdbc/JDBCUtils.java
+++ b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/jdbc/JDBCUtils.java
@@ -15,6 +15,8 @@
  */
 package org.apache.karaf.jaas.modules.jdbc;
 
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
@@ -58,6 +60,12 @@ public final class JDBCUtils {
             throw new Exception("Illegal datasource url format. Datasource URL cannot be null or empty.");
         } else if (url.startsWith(JNDI)) {
             String jndiName = url.substring(JNDI.length());
+            // secure JNDI scheme
+            URI uri = new URI(jndiName);
+            String scheme = uri.getScheme();
+            if (scheme == null || scheme.equals("java")) {
+                throw new Exception("Unsupported JNDI URI: " + jndiName);
+            }
             InitialContext ic = new InitialContext();
             try {
                 return ic.lookup(jndiName);
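Review bot: The new guard `if (scheme == null || scheme.equals("java"))` looks inverted relative to the `// secure JNDI scheme` comment above it: it rejects a bare JNDI name with no scheme (a name like `jdbc/karaf`, as a constructed example) and the local `java:` namespace, while every other scheme passes straight through to `ic.lookup(jndiName)` on the lines below — which are exactly the lookups a scheme restriction is normally meant to stop. Unless the intent is genuinely to forbid local names, the condition should read `if (scheme != null && !scheme.equalsIgnoreCase("java")) {`, using `equalsIgnoreCase` because URI schemes are case-insensitive and `URI.getScheme()` returns the scheme exactly as written. `new URI(jndiName)` also throws `URISyntaxException` for names that are not syntactically valid URIs, so it would help to note in the comment that such names are rejected as well rather than falling through to the lookup. The enclosing method starts before the hunk and its `try` block continues past it.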