fix Fix CVE-2021-4104 aka issue REL-2)

Signed-off-by: Ceki Gulcu <ceki@qos.ch>

Author: ceki

src/main/java/org/apache/log4j/net/JMSAppender.java

@@ -32,7 +32,6 @@
 import javax.jms.TopicSession;
 import javax.naming.Context;
 import javax.naming.InitialContext;
-import javax.naming.NameNotFoundException;
 import javax.naming.NamingException;
 import java.util.Properties;
 
@@ -233,12 +232,12 @@ public void activateOptions() {
 	}
 
 	protected Object lookup(Context ctx, String name) throws NamingException {
-		try {
-			return ctx.lookup(name);
-		} catch (NameNotFoundException e) {
-			LogLog.error("Could not find name [" + name + "].");
-			throw e;
+		Object result = JNDIUtil.lookupObject(ctx, name);
+		if (result == null) {
+			String msg = "Could not find name [" + name + "].";
+			throw new NamingException(msg);
 		}
+		return result;
 	}
 
 	protected boolean checkEntryConditions() {

src/main/java/org/apache/log4j/net/JNDIUtil.java

@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.log4j.net;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+
+public class JNDIUtil {
+
+	// See https://jakarta.ee/specifications/platform/8/platform-spec-8.html#a616
+	// there are the java:comp, java:module, java:app, java:global namespaces
+	public static final String JNDI_JAVA_NAMESPACE = "java:";
+
+	static final String RESTRICTION_MSG = "JNDI name must start with " + JNDI_JAVA_NAMESPACE + " but was ";
+
+	public static Object lookupObject(Context ctx, String name) throws NamingException {
+		if (ctx == null) {
+			return null;
+		}
+
+		if (isNullOrEmpty(name)) {
+			return null;
+		}
+
+		jndiNameSecurityCheck(name);
+
+		Object lookup = ctx.lookup(name);
+		return lookup;
+	}
+
+	private static boolean isNullOrEmpty(String str) {
+		return ((str == null) || str.trim().length() == 0);
+	}
+
+	public static void jndiNameSecurityCheck(String name) throws NamingException {
+		if (!name.startsWith(JNDI_JAVA_NAMESPACE)) {
+			throw new NamingException(RESTRICTION_MSG + name);
+		}
+	}
+	
+	// used for testing 
+	static Context getInitialContext() throws NamingException {
+        return new InitialContext();
+    }
+}

src/test/java/org/apache/log4j/net/JNDIUtilTest.java

@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.log4j.net;
+
+import static org.junit.Assert.fail;
+
+import javax.naming.Context;
+import javax.naming.NamingException;
+
+import org.junit.Test;
+
+
+/**
+ * Test copied form the logback project with permission.
+ * 
+ * @author Ceki Gulcu
+ *
+ */
+public class JNDIUtilTest {
+
+	@Test
+	public void ensureJavaNameSpace() throws NamingException {
+
+		try {
+			Context ctxt = JNDIUtil.getInitialContext();
+			JNDIUtil.lookupObject(ctxt, "ldap:...");
+		} catch (NamingException e) {
+			String excaptionMsg = e.getMessage();
+			if (excaptionMsg.startsWith(JNDIUtil.RESTRICTION_MSG))
+				return;
+			else {
+				fail("unexpected exception " + e);
+			}
+		}
+
+		fail("Should aNot yet implemented");
+	}
+
+
+}