Posted to commits@karaf.apache.org by jb...@apache.org on 2022/10/07 08:39:39 UTC
[karaf] branch karaf-4.3.x updated: [KARAF-7568] Add JDBC scheme verification in JDBCUtils
This is an automated email from the ASF dual-hosted git repository.
jbonofre pushed a commit to branch karaf-4.3.x
in repository https://gitbox.apache.org/repos/asf/karaf.git
The following commit(s) were added to refs/heads/karaf-4.3.x by this push:
new 2a933445d1 [KARAF-7568] Add JDBC scheme verification in JDBCUtils
2a933445d1 is described below
commit 2a933445d1ae3dd22acf17a4f720f01ea98159a3
Author: Jean-Baptiste Onofré <jb...@apache.org>
AuthorDate: Thu Oct 6 07:46:14 2022 +0200
[KARAF-7568] Add JDBC scheme verification in JDBCUtils
(cherry picked from commit 3819f4834192f0f38f5ffef1ca8ea165a80eb8f0)
---
.../main/java/org/apache/karaf/jaas/modules/jdbc/JDBCUtils.java | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/jdbc/JDBCUtils.java b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/jdbc/JDBCUtils.java
index 5be25b0604..c5f76dad19 100644
--- a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/jdbc/JDBCUtils.java
+++ b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/jdbc/JDBCUtils.java
@@ -15,6 +15,8 @@
*/
package org.apache.karaf.jaas.modules.jdbc;
+import java.net.URI;
+import java.net.URISyntaxException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
@@ -58,6 +60,12 @@ public final class JDBCUtils {
throw new Exception("Illegal datasource url format. Datasource URL cannot be null or empty.");
} else if (url.startsWith(JNDI)) {
String jndiName = url.substring(JNDI.length());
+ // secure JNDI scheme
+ URI uri = new URI(jndiName);
+ String scheme = uri.getScheme();
+ if (scheme == null || scheme.equals("java")) {
+ throw new Exception("Unsupported JNDI URI: " + jndiName);
+ }
InitialContext ic = new InitialContext();
try {
return ic.lookup(jndiName);
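Review bot: The new check at `if (scheme == null || scheme.equals("java"))` reads as inverted relative to the `// secure JNDI scheme` comment above it: it rejects a bare name and the in-JVM `java:` namespace, yet any other scheme passes straight through to `ic.lookup(jndiName)`, so the guard does not actually restrict the lookup to local names. An allowlist of the schemes this module is meant to resolve is the safer shape, e.g. `if (scheme == null || !(scheme.equalsIgnoreCase("osgi") || scheme.equalsIgnoreCase("java"))) { throw new Exception("Unsupported JNDI URI: " + jndiName); }` — which schemes belong on that list depends on how datasources are registered for this module, so confirm against its callers and documentation. `scheme.equals(...)` is also case-sensitive while URI schemes are case-insensitive, so whichever list is kept should compare with `equalsIgnoreCase` or lower-case the scheme with `Locale.ROOT` first. The enclosing method starts before this hunk and continues past it; the `new URI(jndiName)` call presumably relies on `URISyntaxException` being covered by the method's existing `throws` clause, which is not visible here.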