Prohibit JNDI remote invoke

2021-12-11 10:28:02 +08:00
parent bcb29ef792
commit 5ffbd16800
1 changed files with 3 additions and 0 deletions
--- a/HMCLCore/src/main/java/org/jackhuang/hmcl/launch/DefaultLauncher.java
+++ b/HMCLCore/src/main/java/org/jackhuang/hmcl/launch/DefaultLauncher.java
@@ -181,6 +181,9 @@ public class DefaultLauncher extends Launcher {

            // Fix RCE vulnerability of log4j2
            res.addDefault("-Dlog4j2.formatMsgNoLookups=", "true");
+            res.addDefault("-Djava.rmi.server.useCodebaseOnly=", "true");
+            res.addDefault("-Dcom.sun.jndi.rmi.object.trustURLCodebase=", "false");
+            res.addDefault("-Dcom.sun.jndi.cosnaming.object.trustURLCodebase=", "false");
        }

        Proxy proxy = options.getProxy();