File log4j-CVE-2021-44832.patch of Package log4j.openSUSE_Leap_15.2_Update

Overview Repositories Revisions Requests Users Attributes Meta

File log4j-CVE-2021-44832.patch of Package log4j.openSUSE_Leap_15.2_Update

From 05db5f9527254632b59aed2a1d78a32c5ab74f16 Mon Sep 17 00:00:00 2001
From: Gary Gregory <garydgregory@gmail.com>
Date: Mon, 27 Dec 2021 12:42:26 -0500
Subject: [PATCH] Refactor to reuse existing code.

---
 .../db/jdbc/DataSourceConnectionSource.java   | 20 +++++-----
 .../logging/log4j/core/net/JndiManager.java   |  9 ++++-
 .../AbstractJdbcAppenderDataSourceTest.java   | 13 ++++---
 .../db/jdbc/AbstractJdbcDataSourceTest.java   | 39 +++++++++++++++++++
 .../jdbc/DataSourceConnectionSourceTest.java  |  2 +-
 .../JdbcAppenderMapMessageDataSourceTest.java |  2 +-
 .../core/appender/mom/JmsAppenderTest.java    |  3 +-
 .../log4j/core/net/JndiManagerTest.java       |  9 ++++-
 src/site/xdoc/manual/appenders.xml            | 10 +++--
 src/site/xdoc/manual/configuration.xml.vm     | 12 +++++-
 10 files changed, 93 insertions(+), 26 deletions(-)
 create mode 100644 log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/AbstractJdbcDataSourceTest.java

Index: apache-log4j-2.17.0-src/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/db/jdbc/DataSourceConnectionSource.java
===================================================================
--- apache-log4j-2.17.0-src.orig/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/db/jdbc/DataSourceConnectionSource.java
+++ apache-log4j-2.17.0-src/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/db/jdbc/DataSourceConnectionSource.java
@@ -18,8 +18,8 @@ package org.apache.logging.log4j.core.ap
 
 import java.sql.Connection;
 import java.sql.SQLException;
+import java.util.Objects;
 
-import javax.naming.InitialContext;
 import javax.naming.NamingException;
 import javax.sql.DataSource;
 
@@ -28,6 +28,7 @@ import org.apache.logging.log4j.core.Cor
 import org.apache.logging.log4j.core.config.plugins.Plugin;
 import org.apache.logging.log4j.core.config.plugins.PluginAttribute;
 import org.apache.logging.log4j.core.config.plugins.PluginFactory;
+import org.apache.logging.log4j.core.net.JndiManager;
 import org.apache.logging.log4j.status.StatusLogger;
 import org.apache.logging.log4j.util.Strings;
 
@@ -42,7 +43,7 @@ public final class DataSourceConnectionS
 private final String description;
 
 private DataSourceConnectionSource(final String dataSourceName, final DataSource dataSource) {
- this.dataSource = dataSource;
+ this.dataSource = Objects.requireNonNull(dataSource, "dataSource");
 this.description = "dataSource{ name=" + dataSourceName + ", value=" + dataSource + " }";
 }
 
@@ -59,25 +60,26 @@ public final class DataSourceConnectionS
 /**
 * Factory method for creating a connection source within the plugin manager.
 *
- * @param jndiName The full JNDI path where the data source is bound. Should start with java:/comp/env or
- * environment-equivalent.
+ * @param jndiName The full JNDI path where the data source is bound. Must start with java:/comp/env or environment-equivalent.
 * @return the created connection source.
 */
 @PluginFactory
 public static DataSourceConnectionSource createConnectionSource(@PluginAttribute("jndiName") final String jndiName) {
+ if (!JndiManager.isJndiJdbcEnabled()) {
+ LOGGER.error("JNDI must be enabled by setting log4j2.enableJndiJdbc=true");
+ return null;
+ }
 if (Strings.isEmpty(jndiName)) {
 LOGGER.error("No JNDI name provided.");
 return null;
 }
-
 try {
- final InitialContext context = new InitialContext();
- final DataSource dataSource = (DataSource) context.lookup(jndiName);
+ @SuppressWarnings("resource")
+ final DataSource dataSource = JndiManager.getDefaultManager(DataSourceConnectionSource.class.getCanonicalName()).lookup(jndiName);
 if (dataSource == null) {
- LOGGER.error("No data source found with JNDI name [" + jndiName + "].");
+ LOGGER.error("No DataSource found with JNDI name [" + jndiName + "].");
 return null;
 }
-
 return new DataSourceConnectionSource(jndiName, dataSource);
 } catch (final NamingException e) {
 LOGGER.error(e.getMessage(), e);
Index: apache-log4j-2.17.0-src/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
===================================================================
--- apache-log4j-2.17.0-src.orig/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
+++ apache-log4j-2.17.0-src/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
@@ -42,6 +42,11 @@ public class JndiManager extends Abstrac
 private static final String PREFIX = "log4j2.enableJndi";
 private static final String JAVA_SCHEME = "java";
 
+ private static final boolean JNDI_CONTEXT_SELECTOR_ENABLED = isJndiEnabled("ContextSelector");
+ private static final boolean JNDI_JDBC_ENABLED = isJndiEnabled("Jdbc");
+ private static final boolean JNDI_JMS_ENABLED = isJndiEnabled("Jms");
+ private static final boolean JNDI_LOOKUP_ENABLED = isJndiEnabled("Lookup");
+
 private final InitialContext context;
 
 private static boolean isJndiEnabled(final String subKey) {
@@ -49,19 +54,23 @@ public class JndiManager extends Abstrac
 }
 
 public static boolean isJndiEnabled() {
- return isJndiContextSelectorEnabled() || isJndiJmsEnabled() || isJndiLookupEnabled();
+	return isJndiContextSelectorEnabled() || isJndiJdbcEnabled() || isJndiJmsEnabled() || isJndiLookupEnabled();
 }
 
 public static boolean isJndiContextSelectorEnabled() {
- return isJndiEnabled("ContextSelector");
+ return JNDI_CONTEXT_SELECTOR_ENABLED;
+ }
+
+ public static boolean isJndiJdbcEnabled() {
+ return JNDI_JDBC_ENABLED;
 }
 
 public static boolean isJndiJmsEnabled() {
- return isJndiEnabled("Jms");
+ return JNDI_JMS_ENABLED;
 }
 
 public static boolean isJndiLookupEnabled() {
- return isJndiEnabled("Lookup");
+ return JNDI_LOOKUP_ENABLED;
 }
 
 private JndiManager(final String name, final InitialContext context) {
@@ -204,7 +213,7 @@ public class JndiManager extends Abstrac
 }
 LOGGER.warn("Unsupported JNDI URI - {}", name);
 } catch (URISyntaxException ex) {
- LOGGER.warn("Invalid JNDI URI - {}", name);
+ LOGGER.warn("Invalid JNDI URI - {}", name);
 }
 return null;
 }
Index: apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/AbstractJdbcAppenderDataSourceTest.java
===================================================================
--- apache-log4j-2.17.0-src.orig/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/AbstractJdbcAppenderDataSourceTest.java
+++ apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/AbstractJdbcAppenderDataSourceTest.java
@@ -16,12 +16,19 @@
 */
 package org.apache.logging.log4j.core.appender.db.jdbc;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+
 import java.io.ByteArrayOutputStream;
 import java.io.PrintWriter;
 import java.sql.Connection;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
+
 import javax.sql.DataSource;
 
 import org.apache.logging.log4j.LogManager;
@@ -35,14 +42,10 @@ import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.RuleChain;
 
-import static org.junit.Assert.*;
-import static org.mockito.BDDMockito.given;
-import static org.mockito.Mockito.mock;
-
 /**
 * Abstract unit test for JdbcAppender using a {@link DataSource} configuration.
 */
-public abstract class AbstractJdbcAppenderDataSourceTest {
+public abstract class AbstractJdbcAppenderDataSourceTest extends AbstractJdbcDataSourceTest {
 
 @Rule
 public final RuleChain rules;
Index: apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/AbstractJdbcDataSourceTest.java
===================================================================
--- /dev/null
+++ apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/AbstractJdbcDataSourceTest.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache license, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the license for the specific language governing permissions and
+ * limitations under the license.
+ */
+package org.apache.logging.log4j.core.appender.db.jdbc;
+
+import javax.sql.DataSource;
+
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+
+/**
+ * Abstract unit test for JDBC using a {@link DataSource} configuration.
+ */
+public abstract class AbstractJdbcDataSourceTest {
+
+ @AfterClass
+ public static void afterClass() throws Exception {
+ System.clearProperty("log4j2.enableJndiJdbc");
+ }
+
+ @BeforeClass
+ public static void beforeClass() throws Exception {
+ System.setProperty("log4j2.enableJndiJdbc", "true");
+ }
+
+}
Index: apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/DataSourceConnectionSourceTest.java
===================================================================
--- apache-log4j-2.17.0-src.orig/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/DataSourceConnectionSourceTest.java
+++ apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/DataSourceConnectionSourceTest.java
@@ -37,7 +37,7 @@ import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;
 
 @RunWith(Parameterized.class)
-public class DataSourceConnectionSourceTest {
+public class DataSourceConnectionSourceTest extends AbstractJdbcDataSourceTest {
 
 @Parameterized.Parameters(name = "{0}")
 public static Object[][] data() {
Index: apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppenderMapMessageDataSourceTest.java
===================================================================
--- apache-log4j-2.17.0-src.orig/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppenderMapMessageDataSourceTest.java
+++ apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppenderMapMessageDataSourceTest.java
@@ -46,7 +46,7 @@ import org.junit.rules.RuleChain;
 /**
 * Unit tests {@link MapMessage}s for JdbcAppender using a {@link DataSource} configuration.
 */
-public class JdbcAppenderMapMessageDataSourceTest {
+public class JdbcAppenderMapMessageDataSourceTest extends AbstractJdbcDataSourceTest {
 
 @Rule
 public final RuleChain rules;
Index: apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/mom/JmsAppenderTest.java
===================================================================
--- apache-log4j-2.17.0-src.orig/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/mom/JmsAppenderTest.java
+++ apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/mom/JmsAppenderTest.java
@@ -48,6 +48,7 @@ import org.apache.logging.log4j.junit.Lo
 import org.apache.logging.log4j.message.Message;
 import org.apache.logging.log4j.message.SimpleMessage;
 import org.apache.logging.log4j.message.StringMapMessage;
+import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Rule;
@@ -84,7 +85,7 @@ public class JmsAppenderTest {
 @Rule
 public RuleChain rules = RuleChain.outerRule(jndiRule).around(ctx);
 
- @BeforeClass
+ @AfterClass
 public static void afterClass() throws Exception {
 System.clearProperty("log4j2.enableJndiJms");
 }
Index: apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/net/JndiManagerTest.java
===================================================================
--- apache-log4j-2.17.0-src.orig/log4j-core/src/test/java/org/apache/logging/log4j/core/net/JndiManagerTest.java
+++ apache-log4j-2.17.0-src/log4j-core/src/test/java/org/apache/logging/log4j/core/net/JndiManagerTest.java
@@ -30,13 +30,18 @@ import org.junit.jupiter.api.Test;
 public class JndiManagerTest {
 
 @Test
+ public void testIsJndiContextSelectorEnabled() {
+ assertFalse(JndiManager.isJndiContextSelectorEnabled());
+ }
+
+ @Test
 public void testIsJndiEnabled() {
 assertFalse(JndiManager.isJndiEnabled());
 }
 
 @Test
- public void testIsJndiContextSelectorEnabled() {
- assertFalse(JndiManager.isJndiContextSelectorEnabled());
+ public void testIsJndiJdbcEnabled() {
+ assertFalse(JndiManager.isJndiJdbcEnabled());
 }
 
 @Test
Index: apache-log4j-2.17.0-src/src/site/xdoc/manual/appenders.xml
===================================================================
--- apache-log4j-2.17.0-src.orig/src/site/xdoc/manual/appenders.xml
+++ apache-log4j-2.17.0-src/src/site/xdoc/manual/appenders.xml
@@ -995,9 +995,13 @@ CREATE TABLE logs (
 </subsection>
 <a name="JDBCAppender"/>
 <subsection name="JDBCAppender">
- The JDBCAppender writes log events to a relational database table using standard JDBC. It can be configured
- to obtain JDBC connections using a JNDI <code>DataSource</code> or a custom factory method. Whichever
- approach you take, it must be backed by a connection pool. Otherwise, logging
+ The JDBC Appender writes log events to a relational database table using standard JDBC. It can be configured
+ to obtain JDBC connections using a JNDI <code>DataSource</code> or a custom factory method.
+ The JDBC Appender configured with a <code>DataSource</code> requires JNDI support so as of release 2.17.1 
+ this appender will not function unless <code>log4j2.enableJndiJdbc=true</code> is configured as a system property 
+ or environment variable. See the <a href="./configuration.html#enableJndiJdbc">enableJndiJdbc</a> system property.
+ 
+ Whichever approach you take, it must be backed by a connection pool. Otherwise, logging
 performance will suffer greatly. If batch statements are supported by the configured JDBC driver and a
 <code>bufferSize</code> is configured to be a positive number, then log events will be batched. Note that as
 of Log4j 2.8, there are two ways to configure log event to column mappings: the original <code>ColumnConfig</code>
Index: apache-log4j-2.17.0-src/src/site/xdoc/manual/configuration.xml.vm
===================================================================
--- apache-log4j-2.17.0-src.orig/src/site/xdoc/manual/configuration.xml.vm
+++ apache-log4j-2.17.0-src/src/site/xdoc/manual/configuration.xml.vm
@@ -2157,11 +2157,19 @@ public class AwesomeTest {
 </td>
 </tr>
 <tr>
+ <td><a name="enableJndiJdbc"/>log4j2.enableJndiJdbc</td>
+ <td>LOG4J_ENABLE_JNDI_JDBC</td>
+ <td>false</td>
+ <td>
+ When true, a Log4j JDBC Appender configured with a <code>DataSource</code> which uses JNDI's java protocol is enabled. When false, the default, they are disabled.
+ </td>
+ </tr>
+ <tr>
 <td><a name="enableJndiJms"/>log4j2.enableJndiJms</td>
 <td>LOG4J_ENABLE_JNDI_JMS</td>
 <td>false</td>
 <td>
- When true, the Log4j JMS Appender that uses JNDI's java protocol is enabled. When false, the default, they are disabled.
+ When true, a Log4j JMS Appender that uses JNDI's java protocol is enabled. When false, the default, they are disabled.
 </td>
 </tr>
 <tr>
@@ -2169,7 +2177,7 @@ public class AwesomeTest {
 <td>LOG4J_ENABLE_JNDI_LOOKUP</td>
 <td>false</td>
 <td>
- When true, the Log4j lookup that uses JNDI's java protocol is enabled. When false, the default, they are disabled.
+ When true, a Log4j lookup that uses JNDI's java protocol is enabled. When false, the default, they are disabled.
 </td>
 </tr>
 <tr>

Places

File log4j-CVE-2021-44832.patch of Package log4j.openSUSE_Leap_15.2_Update

Places