JDK-8348288: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property


    • Type: CSR
    • Resolution: Withdrawn
    • Priority: P3
    • Fix Version: 8-pool
    • Component: core-libs
    • Subcomponent: None
    • Compatibility Kind: behavioral
    • Compatibility Risk: medium
    • Compatibility Risk Description: Applications that rely on deserialization of Java objects or reconstruction of RMI stubs from LDAP attributes (RFC 2713) would need to set the 'com.sun.jndi.ldap.object.trustSerialData' system property to 'true'.
    • Interface Kind: System or security property
    • Scope: JDK

      Summary

      Update the default value of the 'com.sun.jndi.ldap.object.trustSerialData' system property to "false", and extend its scope to cover the reconstruction of RMI remote objects from the deprecated 'javaRemoteLocation' LDAP attribute.

      Problem

      The LDAP Naming Service Provider implements a system property to control the reconstruction of Java objects from different LDAP attributes. That property only controlled reconstruction from the "javaSerializedData" attribute, not from "javaRemoteLocation". In addition, "com.sun.jndi.ldap.object.trustSerialData" is turned on by default, so object reconstruction from LDAP attributes happens without any opt-in.

      Solution

      We propose to switch the default value of this property to "false", disabling deserialization from LDAP attributes by default, and to extend its scope to also cover the reconstruction of RMI remote objects from the deprecated 'javaRemoteLocation' LDAP attribute. With this new setting, transparent deserialization of Java objects from an LDAP context will require an explicit opt-in:

      Switch the default value of the 'com.sun.jndi.ldap.object.trustSerialData' system property to "false". Extend the scope of the property to also cover the reconstruction of RMI remote objects from the deprecated 'javaRemoteLocation' LDAP attribute.

      Specification

      Change the default value of com.sun.jndi.ldap.object.trustSerialData in java.naming/share/classes/com/sun/jndi/ldap/VersionHelper12.java.

      Before the change,

      static {
          // System property to control whether classes may be loaded from an
          // arbitrary URL code base
          String trust = getPrivilegedProperty(
                  "com.sun.jndi.ldap.object.trustURLCodebase", "false");
          trustURLCodebase = "true".equalsIgnoreCase(trust);

          // System property to control whether classes are allowed to be loaded from
          // 'javaSerializedData', 'javaRemoteLocation' or 'javaReferenceAddress' attributes.
          String trustSerialDataSp = getPrivilegedProperty(
                  "com.sun.jndi.ldap.object.trustSerialData", "true");
          trustSerialData = "true".equalsIgnoreCase(trustSerialDataSp);
      }

      After the change,

      static {
          // System property to control whether classes may be loaded from an
          // arbitrary URL code base
          String trust = getPrivilegedProperty(
                  "com.sun.jndi.ldap.object.trustURLCodebase", "false");
          trustURLCodebase = "true".equalsIgnoreCase(trust);

          // System property to control whether classes are allowed to be loaded from
          // 'javaSerializedData', 'javaRemoteLocation' or 'javaReferenceAddress' attributes.
          String trustSerialDataSp = getPrivilegedProperty(
                  "com.sun.jndi.ldap.object.trustSerialData", "false");
          trustSerialData = "true".equalsIgnoreCase(trustSerialDataSp);
      }
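      The following is an added, hypothetical Java model of the gate described in this CSR; it is not JDK code. It parses the property exactly as the helper above does ("true", case-insensitively, with the old and new defaults) and reports, for each attribute the CSR names, whether object reconstruction would proceed before and after the change, so an operator can confirm what a given deployment's setting actually permits. The class name, method names and the attribute sets are assumptions taken from the CSR text.

```java
import java.util.Set;

/** Hypothetical model (not JDK code) of the trustSerialData gate before and after JDK-8348288. */
public final class TrustSerialDataModel {

    private static final String PROP = "com.sun.jndi.ldap.object.trustSerialData";

    // Attributes the property gates before and after the change, per the CSR text (assumption).
    private static final Set<String> GATED_BEFORE = Set.of("javaSerializedData");
    private static final Set<String> GATED_AFTER  = Set.of("javaSerializedData", "javaRemoteLocation");

    /** Mirrors the helper's parsing: only a case-insensitive "true" enables trust. */
    static boolean parseTrust(String value, String defaultValue) {
        String v = (value == null) ? defaultValue : value;
        return "true".equalsIgnoreCase(v);
    }

    /** Whether reconstruction of a Java object from the named attribute may proceed. */
    static boolean reconstructionAllowed(String attribute, String propValue, boolean afterChange) {
        Set<String> gated = afterChange ? GATED_AFTER : GATED_BEFORE;
        boolean trusted = parseTrust(propValue, afterChange ? "false" : "true");
        // An attribute outside the gated set is not controlled by the property at all.
        return !gated.contains(attribute) || trusted;
    }

    public static void main(String[] args) {
        // Caveat: the real provider reads the property in a static initializer, so it must be
        // set before the LDAP provider class is first loaded (e.g. with -D on the command line);
        // calling System.setProperty after that point has no effect on the cached value.
        String configured = System.getProperty(PROP); // null when the property is not set
        System.out.println("effective property value: " + (configured == null ? "<unset>" : configured));
        for (String attr : new String[] {"javaSerializedData", "javaRemoteLocation"}) {
            System.out.printf("%-20s before=%b after=%b%n", attr,
                    reconstructionAllowed(attr, configured, false),
                    reconstructionAllowed(attr, configured, true));
        }
    }
}
```

      Run with no property set and both attributes report before=true, after=false; run with -Dcom.sun.jndi.ldap.object.trustSerialData=true to see the explicit opt-in the CSR requires.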

            wxiao Weibing Xiao
            aefimov Aleksej Efimov