cshannon opened a new pull request, #1910: URL: https://github.com/apache/activemq/pull/1910
This adds a new system property to control which protocol types are valid for loading resources using the XBeanBrokerFactory. By default only file and classpath resources can be loaded. The goal of this is to prevent possible future security issues by hardening what is allowed to be loaded by default. There have been a lot of previous CVEs reported that were made possible by allowing remote loading of Spring contexts (i.e. using http), so this will help stop any future vulnerabilities from being discovered by just no longer allowing that out of the box.

This PR does the following:

1. Restrict which URL protocols can be used to load resources by the `XBeanBrokerFactory` (and the vm transport that uses it), with classpath and file allowed by default.
2. This adds a new property that users can set to control what is allowed: `org.apache.activemq.xbean.broker.factory.XBEAN_BROKER_FACTORY_PROTOCOLS`
3. The default is set to `classpath,file` so we only allow those resources. `*` can be used to allow all and an empty string to allow none.
4. The default behavior of the order in which resources are tried is preserved as before. A URL is always tried first as a file on the file system to see if it is found, then it checks if it's a URI, and lastly falls back to classpath. This still happens assuming the configuration allows it (i.e. file or classpath could be skipped if either or both are not allowed).
5. It loads correctly both file or classpath using either the fully qualified prefix or not (just like before).
6. I added a ton of unit tests, including full code coverage for the Utils class which does all the loading and validation.

Closes #1899

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
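As an added illustration of the allow-list behaviour the PR description lists (the default `classpath,file`, `*` for all, empty string for none, and the file-then-URI-then-classpath resolution order), here is a small stand-alone Java gate. It is not the PR's own code or ActiveMQ's `Utils` class; the class and method names are assumptions, and only the property name is taken from the description.

```java
import java.io.File;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical protocol allow-list for resource loading, modelled on the
 * rules in the PR description. Not ActiveMQ's actual implementation.
 */
public final class ResourceProtocolGate {

    // Property name as given in the PR description; the default is "classpath,file".
    static final String PROPERTY = "org.apache.activemq.xbean.broker.factory.XBEAN_BROKER_FACTORY_PROTOCOLS";
    static final String DEFAULT_PROTOCOLS = "classpath,file";

    // A scheme needs at least two leading characters so "C:\path" is not read as scheme "C".
    private static final Pattern SCHEME = Pattern.compile("^([a-zA-Z][a-zA-Z0-9+.-]+):");

    // null means "*" (every protocol allowed); an empty set means nothing is allowed.
    private final Set<String> allowed;

    ResourceProtocolGate(String spec) {
        String value = (spec == null ? DEFAULT_PROTOCOLS : spec).trim();
        if ("*".equals(value)) {
            allowed = null;
            return;
        }
        Set<String> set = new HashSet<>();
        for (String part : value.split(",")) {
            String p = part.trim().toLowerCase(Locale.ROOT);
            if (!p.isEmpty()) {
                set.add(p);
            }
        }
        allowed = Collections.unmodifiableSet(set);
    }

    /** Reads the allow-list from the system property, falling back to the default. */
    static ResourceProtocolGate fromSystemProperty() {
        return new ResourceProtocolGate(System.getProperty(PROPERTY, DEFAULT_PROTOCOLS));
    }

    boolean isAllowed(String protocol) {
        return allowed == null || allowed.contains(protocol.toLowerCase(Locale.ROOT));
    }

    private static String schemeOf(String resource) {
        Matcher m = SCHEME.matcher(resource);
        return m.find() ? m.group(1).toLowerCase(Locale.ROOT) : null;
    }

    private static String stripPrefix(String resource) {
        String scheme = schemeOf(resource);
        return scheme == null ? resource : resource.substring(scheme.length() + 1);
    }

    /**
     * Applies the resolution order from the description: file system first,
     * then an explicit URI scheme, then the classpath; each step only runs
     * when its protocol is permitted. Returns the location that would be
     * loaded, or throws if no permitted protocol can serve the resource.
     */
    String resolve(String resource) {
        String bare = stripPrefix(resource);

        // 1. Try the file system, but only when "file" is permitted.
        if (isAllowed("file") && new File(bare).exists()) {
            return "file:" + bare;
        }

        // 2. An explicit scheme other than classpath must itself be permitted.
        String scheme = schemeOf(resource);
        if (scheme != null && !"classpath".equals(scheme)) {
            if (!isAllowed(scheme)) {
                throw new IllegalArgumentException("Protocol not allowed for resource loading: " + scheme);
            }
            return resource;
        }

        // 3. Fall back to the classpath when permitted.
        if (isAllowed("classpath")) {
            return "classpath:" + bare;
        }
        throw new IllegalArgumentException("No permitted protocol can load resource: " + resource);
    }

    public static void main(String[] args) {
        ResourceProtocolGate defaults = new ResourceProtocolGate(null);     // classpath,file
        ResourceProtocolGate all = new ResourceProtocolGate("*");
        ResourceProtocolGate none = new ResourceProtocolGate("");

        System.out.println(defaults.resolve("activemq.xml"));               // classpath:activemq.xml
        System.out.println(all.resolve("http://example.invalid/broker.xml")); // allowed only with "*"
        try {
            defaults.resolve("http://example.invalid/broker.xml");            // rejected by default
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            none.resolve("activemq.xml");                                   // empty list allows nothing
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the ordering is that a remote scheme such as `http` is never consulted unless the operator has opted in, and that an empty allow-list is distinct from the wildcard: the former blocks every loader, the latter restores the old permissive behaviour.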
