From 5ffbd168005c706fbefb62765caef4e6bf0eac8f Mon Sep 17 00:00:00 2001
From: Glavo <zjx001202@gmail.com>
Date: Sat, 11 Dec 2021 10:28:02 +0800
Subject: [PATCH] Prohibit JNDI remote invoke

---
 .../main/java/org/jackhuang/hmcl/launch/DefaultLauncher.java   | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/HMCLCore/src/main/java/org/jackhuang/hmcl/launch/DefaultLauncher.java b/HMCLCore/src/main/java/org/jackhuang/hmcl/launch/DefaultLauncher.java
index 57c153fa9..a24ee34af 100644
--- a/HMCLCore/src/main/java/org/jackhuang/hmcl/launch/DefaultLauncher.java
+++ b/HMCLCore/src/main/java/org/jackhuang/hmcl/launch/DefaultLauncher.java
@@ -181,6 +181,9 @@ public class DefaultLauncher extends Launcher {
 
             // Fix RCE vulnerability of log4j2
             res.addDefault("-Dlog4j2.formatMsgNoLookups=", "true");
+            res.addDefault("-Djava.rmi.server.useCodebaseOnly=", "true");
+            res.addDefault("-Dcom.sun.jndi.rmi.object.trustURLCodebase=", "false");
+            res.addDefault("-Dcom.sun.jndi.cosnaming.object.trustURLCodebase=", "false");
         }
 
         Proxy proxy = options.getProxy();