Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP3:GA
log4j.22289
log4j-CVE-2021-44832.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File log4j-CVE-2021-44832.patch of Package log4j.22289
From 05db5f9527254632b59aed2a1d78a32c5ab74f16 Mon Sep 17 00:00:00 2001 From: Gary Gregory <garydgregory@gmail.com> Date: Mon, 27 Dec 2021 12:42:26 -0500 Subject: [PATCH] Refactor to reuse existing code. --- .../db/jdbc/DataSourceConnectionSource.java | 20 +++++----- .../logging/log4j/core/net/JndiManager.java | 9 ++++- .../AbstractJdbcAppenderDataSourceTest.java | 13 ++++--- .../db/jdbc/AbstractJdbcDataSourceTest.java | 39 +++++++++++++++++++ .../jdbc/DataSourceConnectionSourceTest.java | 2 +- .../JdbcAppenderMapMessageDataSourceTest.java | 2 +- .../core/appender/mom/JmsAppenderTest.java | 3 +- .../log4j/core/net/JndiManagerTest.java | 9 ++++- src/site/xdoc/manual/appenders.xml | 10 +++-- src/site/xdoc/manual/configuration.xml.vm | 12 +++++- 10 files changed, 93 insertions(+), 26 deletions(-) create mode 100644 log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/AbstractJdbcDataSourceTest.java Index: apache-log4j-2.17.0-src/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/db/jdbc/DataSourceConnectionSource.java =================================================================== --- apache-log4j-2.17.0-src.orig/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/db/jdbc/DataSourceConnectionSource.java +++ apache-log4j-2.17.0-src/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/db/jdbc/DataSourceConnectionSource.java @@ -18,8 +18,8 @@ package org.apache.logging.log4j.core.ap import java.sql.Connection; import java.sql.SQLException; +import java.util.Objects; -import javax.naming.InitialContext; import javax.naming.NamingException; import javax.sql.DataSource; @@ -28,6 +28,7 @@ import org.apache.logging.log4j.core.Cor import org.apache.logging.log4j.core.config.plugins.Plugin; import org.apache.logging.log4j.core.config.plugins.PluginAttribute; import org.apache.logging.log4j.core.config.plugins.PluginFactory; +import org.apache.logging.log4j.core.net.JndiManager; import org.apache.logging.log4j.status.StatusLogger; import org.apache.logging.log4j.util.Strings; @@ -42,7 +43,7 @@ public final class DataSourceConnectionS private final String description; private DataSourceConnectionSource(final String dataSourceName, final DataSource dataSource) { - this.dataSource = dataSource; + this.dataSource = Objects.requireNonNull(dataSource, "dataSource"); this.description = "dataSource{ name=" + dataSourceName + ", value=" + dataSource + " }"; } @@ -59,25 +60,26 @@ public final class DataSourceConnectionS /** * Factory method for creating a connection source within the plugin manager. * - * @param jndiName The full JNDI path where the data source is bound. Should start with java:/comp/env or - * environment-equivalent. + * @param jndiName The full JNDI path where the data source is bound. Must start with java:/comp/env or environment-equivalent. * @return the created connection source. */ @PluginFactory public static DataSourceConnectionSource createConnectionSource(@PluginAttribute("jndiName") final String jndiName) { + if (!JndiManager.isJndiJdbcEnabled()) { + LOGGER.error("JNDI must be enabled by setting log4j2.enableJndiJdbc=true"); + return null; + } if (Strings.isEmpty(jndiName)) { LOGGER.error("No JNDI name provided."); return null; } - try { - final InitialContext context = new InitialContext(); - final DataSource dataSource = (DataSource) context.lookup(jndiName); + @SuppressWarnings("resource") + final DataSource dataSource = JndiManager.getDefaultManager(DataSourceConnectionSource.class.getCanonicalName()).lookup(jndiName); if (dataSource == null) { - LOGGER.error("No data source found with JNDI name [" + jndiName + "]."); + LOGGER.error("No DataSource found with JNDI name [" + jndiName + "]."); return null; } - return new DataSourceConnectionSource(jndiName, dataSource); } catch (final NamingException e) { LOGGER.error(e.getMessage(), e); Index: apache-log4j-2.17.0-src/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java =================================================================== --- apache-log4j-2.17.0-src.orig/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java +++ apache-log4j-2.17.0-src/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java @@ -42,6 +42,11 @@ public class JndiManager extends Abstrac private static final String PREFIX = "log4j2.enableJndi"; private static final String JAVA_SCHEME = "java"; + private static final boolean JNDI_CONTEXT_SELECTOR_ENABLED = isJndiEnabled("ContextSelector"); + private static final boolean JNDI_JDBC_ENABLED = isJndiEnabled("Jdbc"); + private static final boolean JNDI_JMS_ENABLED = isJndiEnabled("Jms"); + private static final boolean JNDI_LOOKUP_ENABLED = isJndiEnabled("Lookup"); + private final InitialContext context; private static boolean isJndiEnabled(final String subKey) { @@ -49,19 +54,23 @@ public class JndiManager extends Abstrac } public static boolean isJndiEnabled() { - return isJndiContextSelectorEnabled() || isJndiJmsEnabled() || isJndiLookupEnabled(); + return isJndiContextSelectorEnabled() || isJndiJdbcEnabled() || isJndiJmsEnabled() || isJndiLookupEnabled(); } public static boolean isJndiContextSelectorEnabled() { - return isJndiEnabled("ContextSelector"); + return JNDI_CONTEXT_SELECTOR_ENABLED; + } + + public static boolean isJndiJdbcEnabled() { + return JNDI_JDBC_ENABLED; } public static boolean isJndiJmsEnabled() { - return isJndiEnabled("Jms"); + return JNDI_JMS_ENABLED; } public static boolean isJndiLookupEnabled() { - return isJndiEnabled("Lookup"); + return JNDI_LOOKUP_ENABLED; } private JndiManager(final String name, final InitialContext context) { @@ -204,7 +213,7 @@ public class JndiManager extends Abstrac } LOGGER.warn("Unsupported JNDI URI - {}", name); } catch (URISyntaxException ex) { - LOGGER.warn("Invalid JNDI URI - {}", name); + LOGGER.warn("Invalid JNDI URI - {}", name); } return null; } Index: apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/AbstractJdbcAppenderDataSourceTest.java =================================================================== --- apache-log4j-2.17.0-src.orig/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/AbstractJdbcAppenderDataSourceTest.java +++ apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/AbstractJdbcAppenderDataSourceTest.java @@ -16,12 +16,19 @@ */ package org.apache.logging.log4j.core.appender.db.jdbc; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; +import static org.mockito.BDDMockito.given; +import static org.mockito.Mockito.mock; + import java.io.ByteArrayOutputStream; import java.io.PrintWriter; import java.sql.Connection; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; + import javax.sql.DataSource; import org.apache.logging.log4j.LogManager; @@ -35,14 +42,10 @@ import org.junit.Rule; import org.junit.Test; import org.junit.rules.RuleChain; -import static org.junit.Assert.*; -import static org.mockito.BDDMockito.given; -import static org.mockito.Mockito.mock; - /** * Abstract unit test for JdbcAppender using a {@link DataSource} configuration. */ -public abstract class AbstractJdbcAppenderDataSourceTest { +public abstract class AbstractJdbcAppenderDataSourceTest extends AbstractJdbcDataSourceTest { @Rule public final RuleChain rules; Index: apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/AbstractJdbcDataSourceTest.java =================================================================== --- /dev/null +++ apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/AbstractJdbcDataSourceTest.java @@ -0,0 +1,39 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache license, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the license for the specific language governing permissions and + * limitations under the license. + */ +package org.apache.logging.log4j.core.appender.db.jdbc; + +import javax.sql.DataSource; + +import org.junit.AfterClass; +import org.junit.BeforeClass; + +/** + * Abstract unit test for JDBC using a {@link DataSource} configuration. + */ +public abstract class AbstractJdbcDataSourceTest { + + @AfterClass + public static void afterClass() throws Exception { + System.clearProperty("log4j2.enableJndiJdbc"); + } + + @BeforeClass + public static void beforeClass() throws Exception { + System.setProperty("log4j2.enableJndiJdbc", "true"); + } + +} Index: apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/DataSourceConnectionSourceTest.java =================================================================== --- apache-log4j-2.17.0-src.orig/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/DataSourceConnectionSourceTest.java +++ apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/DataSourceConnectionSourceTest.java @@ -37,7 +37,7 @@ import org.junit.runner.RunWith; import org.junit.runners.Parameterized; @RunWith(Parameterized.class) -public class DataSourceConnectionSourceTest { +public class DataSourceConnectionSourceTest extends AbstractJdbcDataSourceTest { @Parameterized.Parameters(name = "{0}") public static Object[][] data() { Index: apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppenderMapMessageDataSourceTest.java =================================================================== --- apache-log4j-2.17.0-src.orig/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppenderMapMessageDataSourceTest.java +++ apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppenderMapMessageDataSourceTest.java @@ -46,7 +46,7 @@ import org.junit.rules.RuleChain; /** * Unit tests {@link MapMessage}s for JdbcAppender using a {@link DataSource} configuration. */ -public class JdbcAppenderMapMessageDataSourceTest { +public class JdbcAppenderMapMessageDataSourceTest extends AbstractJdbcDataSourceTest { @Rule public final RuleChain rules; Index: apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/mom/JmsAppenderTest.java =================================================================== --- apache-log4j-2.17.0-src.orig/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/mom/JmsAppenderTest.java +++ apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/mom/JmsAppenderTest.java @@ -48,6 +48,7 @@ import org.apache.logging.log4j.junit.Lo import org.apache.logging.log4j.message.Message; import org.apache.logging.log4j.message.SimpleMessage; import org.apache.logging.log4j.message.StringMapMessage; +import org.junit.AfterClass; import org.junit.Before; import org.junit.BeforeClass; import org.junit.Rule; @@ -84,7 +85,7 @@ public class JmsAppenderTest { @Rule public RuleChain rules = RuleChain.outerRule(jndiRule).around(ctx); - @BeforeClass + @AfterClass public static void afterClass() throws Exception { System.clearProperty("log4j2.enableJndiJms"); } Index: apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/net/JndiManagerTest.java =================================================================== --- apache-log4j-2.17.0-src.orig/log4j-core/src/test/java/org/apache/logging/log4j/core/net/JndiManagerTest.java +++ apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/net/JndiManagerTest.java @@ -30,13 +30,18 @@ import org.junit.jupiter.api.Test; public class JndiManagerTest { @Test + public void testIsJndiContextSelectorEnabled() { + assertFalse(JndiManager.isJndiContextSelectorEnabled()); + } + + @Test public void testIsJndiEnabled() { assertFalse(JndiManager.isJndiEnabled()); } @Test - public void testIsJndiContextSelectorEnabled() { - assertFalse(JndiManager.isJndiContextSelectorEnabled()); + public void testIsJndiJdbcEnabled() { + assertFalse(JndiManager.isJndiJdbcEnabled()); } @Test Index: apache-log4j-2.17.0-src/src/site/xdoc/manual/appenders.xml =================================================================== --- apache-log4j-2.17.0-src.orig/src/site/xdoc/manual/appenders.xml +++ apache-log4j-2.17.0-src/src/site/xdoc/manual/appenders.xml @@ -995,9 +995,13 @@ CREATE TABLE logs ( </subsection> <a name="JDBCAppender"/> <subsection name="JDBCAppender"> - <p>The JDBCAppender writes log events to a relational database table using standard JDBC. It can be configured - to obtain JDBC connections using a JNDI <code>DataSource</code> or a custom factory method. Whichever - approach you take, it <strong><em>must</em></strong> be backed by a connection pool. Otherwise, logging + <p>The JDBC Appender writes log events to a relational database table using standard JDBC. It can be configured + to obtain JDBC connections using a JNDI <code>DataSource</code> or a custom factory method.</p> + <p>The JDBC Appender configured with a <code>DataSource</code> requires JNDI support so as of release 2.17.1 + this appender will not function unless <code>log4j2.enableJndiJdbc=true</code> is configured as a system property + or environment variable. See the <a href="./configuration.html#enableJndiJdbc">enableJndiJdbc</a> system property.</p> + <p> + Whichever approach you take, it <strong><em>must</em></strong> be backed by a connection pool. Otherwise, logging performance will suffer greatly. If batch statements are supported by the configured JDBC driver and a <code>bufferSize</code> is configured to be a positive number, then log events will be batched. Note that as of Log4j 2.8, there are two ways to configure log event to column mappings: the original <code>ColumnConfig</code> Index: apache-log4j-2.17.0-src/src/site/xdoc/manual/configuration.xml.vm =================================================================== --- apache-log4j-2.17.0-src.orig/src/site/xdoc/manual/configuration.xml.vm +++ apache-log4j-2.17.0-src/src/site/xdoc/manual/configuration.xml.vm @@ -2157,11 +2157,19 @@ public class AwesomeTest { </td> </tr> <tr> + <td><a name="enableJndiJdbc"/>log4j2.enableJndiJdbc</td> + <td>LOG4J_ENABLE_JNDI_JDBC</td> + <td>false</td> + <td> + When true, a Log4j JDBC Appender configured with a <code>DataSource</code> which uses JNDI's java protocol is enabled. When false, the default, they are disabled. + </td> + </tr> + <tr> <td><a name="enableJndiJms"/>log4j2.enableJndiJms</td> <td>LOG4J_ENABLE_JNDI_JMS</td> <td>false</td> <td> - When true, the Log4j JMS Appender that uses JNDI's java protocol is enabled. When false, the default, they are disabled. + When true, a Log4j JMS Appender that uses JNDI's java protocol is enabled. When false, the default, they are disabled. </td> </tr> <tr> @@ -2169,7 +2177,7 @@ public class AwesomeTest { <td>LOG4J_ENABLE_JNDI_LOOKUP</td> <td>false</td> <td> - When true, the Log4j lookup that uses JNDI's java protocol is enabled. When false, the default, they are disabled. + When true, a Log4j lookup that uses JNDI's java protocol is enabled. When false, the default, they are disabled. </td> </tr> <tr>
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor