8244473: Contextualize registration for JNDI

Also reviewed by Chris Ries <chris.ries@oracle.com> Reviewed-by: dfuchs, rriggs, rhalade, skoivu, mullan
2025-08-28 15:24:43 +02:00 · 2020-10-14 14:35:00 +00:00 · 2020-10-14 14:35:00 +00:00 · 17a741d6bc
commit 17a741d6bc
parent f47faf283b
8 changed files with 251 additions and 13 deletions
--- a/src/java.naming/share/classes/com/sun/jndi/ldap/VersionHelper.java
+++ b/src/java.naming/share/classes/com/sun/jndi/ldap/VersionHelper.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -43,21 +43,52 @@ public final class VersionHelper {
     */
    private static final boolean trustURLCodebase;

+    /**
+     * Determines whether objects may be deserialized from the content of
+     * 'javaSerializedData' attribute.
+     */
+    private static final boolean trustSerialData;
+
    static {
        // System property to control whether classes may be loaded from an
        // arbitrary URL code base
-        PrivilegedAction<String> act =
-                () -> System.getProperty("com.sun.jndi.ldap.object.trustURLCodebase", "false");
-        String trust = AccessController.doPrivileged(act);
+        String trust = getPrivilegedProperty(
+                "com.sun.jndi.ldap.object.trustURLCodebase", "false");
        trustURLCodebase = "true".equalsIgnoreCase(trust);
+
+        // System property to control whether classes is allowed to be loaded from
+        // 'javaSerializedData' attribute
+        String trustSerialDataSp = getPrivilegedProperty(
+                "com.sun.jndi.ldap.object.trustSerialData", "true");
+        trustSerialData = "true".equalsIgnoreCase(trustSerialDataSp);
    }

-    private VersionHelper() { }
+    private static String getPrivilegedProperty(String propertyName, String defaultVal) {
+        PrivilegedAction<String> action = () -> System.getProperty(propertyName, defaultVal);
+        if (System.getSecurityManager() == null) {
+            return action.run();
+        } else {
+            return AccessController.doPrivileged(action);
+        }
+    }
+
+    private VersionHelper() {
+    }

    static VersionHelper getVersionHelper() {
        return helper;
    }

+    /**
+     * Returns true if deserialization of objects from 'javaSerializedData'
+     * LDAP attribute is allowed.
+     *
+     * @return true if deserialization is allowed; false - otherwise
+     */
+    public static boolean isSerialDataAllowed() {
+        return trustSerialData;
+    }
+
    ClassLoader getURLClassLoader(String[] url) throws MalformedURLException {
        ClassLoader parent = getContextClassLoader();
        /*