-
Enhancement
-
Resolution: Fixed
-
P4
-
24
-
b26
Remote code downloading in JNDI has been disabled by default since 8u121.
Two system properties were introduced at the time to allow to selectively reenable remote code downloading in JNDI/LDAP and JNDI/RMI.
With the deprecation and upcoming removal of the SecurityManager (see JEP 411: https://openjdk.org/jeps/411), this enhancement proposes to remove these two properties and permanently disable remote code downloading in JNDI/LDAP and JNDI/RMI.
The two properties proposed for removal are `com.sun.jndi.rmi.object.trustURLCodebase` and `com.sun.jndi.ldap.object.trustURLCodebase`.
Two system properties were introduced at the time to allow to selectively reenable remote code downloading in JNDI/LDAP and JNDI/RMI.
With the deprecation and upcoming removal of the SecurityManager (see JEP 411: https://openjdk.org/jeps/411), this enhancement proposes to remove these two properties and permanently disable remote code downloading in JNDI/LDAP and JNDI/RMI.
The two properties proposed for removal are `com.sun.jndi.rmi.object.trustURLCodebase` and `com.sun.jndi.ldap.object.trustURLCodebase`.
- csr for
-
JDK-8338537 Permanently disable remote code downloading in JNDI
- Closed
- relates to
-
JDK-8264713 JEP 411: Deprecate the Security Manager for Removal
- Closed
- links to
-
Commit(master) openjdk/jdk/cee74f9e
-
Review(master) openjdk/jdk/22154