- Type: CSR
- Resolution: Withdrawn
- Priority: P3
- Fix Version/s: None
- Compatibility Kind: behavioral
- Compatibility Risk: medium
- Compatibility Risk Description: Applications that rely on deserialization of Java objects or reconstruction of RMI stubs from LDAP attributes (RFC 2713) would need to set the 'com.sun.jndi.ldap.object.trustSerialData' system property to 'true'.
- Interface Kind: System or security property
- Scope: JDK
Summary
Update the default value of the 'com.sun.jndi.ldap.object.trustSerialData' system property to "false", and extend its scope to cover the reconstruction of RMI remote objects from the deprecated 'javaRemoteLocation' LDAP attribute.
Problem
The LDAP Naming Service Provider implemented a default setting to control the reconstruction of Java objects from LDAP attributes, but it only governed reconstruction from "javaSerializedData", not from "javaRemoteLocation". By default, the value of "com.sun.jndi.ldap.object.trustSerialData" is "true", so such reconstruction is enabled unless an application turns it off.
Solution
We propose to switch the default value of this property so that deserialization from LDAP attributes is disabled by default, and to extend its scope to also cover the reconstruction of RMI remote objects from the deprecated 'javaRemoteLocation' LDAP attribute. With this new setting, transparent deserialization of Java objects from an LDAP context will require an explicit opt-in:
- Switch the default value of the 'com.sun.jndi.ldap.object.trustSerialData' system property to "false".
- Extend the scope of the property to also cover the reconstruction of RMI remote objects from the deprecated 'javaRemoteLocation' LDAP attribute.
Specification
Change the default value of com.sun.jndi.ldap.object.trustSerialData in java.naming/share/classes/com/sun/jndi/ldap/VersionHelper12.java.
Before the change:

```java
static {
    // System property to control whether classes may be loaded from an
    // arbitrary URL code base
    String trust = getPrivilegedProperty(
            "com.sun.jndi.ldap.object.trustURLCodebase", "false");
    trustURLCodebase = "true".equalsIgnoreCase(trust);

    // System property to control whether classes are allowed to be loaded from
    // 'javaSerializedData', 'javaRemoteLocation' or 'javaReferenceAddress' attributes.
    String trustSerialDataSp = getPrivilegedProperty(
            "com.sun.jndi.ldap.object.trustSerialData", "true");
    trustSerialData = "true".equalsIgnoreCase(trustSerialDataSp);
}
```
After the change:

```java
static {
    // System property to control whether classes may be loaded from an
    // arbitrary URL code base
    String trust = getPrivilegedProperty(
            "com.sun.jndi.ldap.object.trustURLCodebase", "false");
    trustURLCodebase = "true".equalsIgnoreCase(trust);

    // System property to control whether classes are allowed to be loaded from
    // 'javaSerializedData', 'javaRemoteLocation' or 'javaReferenceAddress' attributes.
    String trustSerialDataSp = getPrivilegedProperty(
            "com.sun.jndi.ldap.object.trustSerialData", "false");
    trustSerialData = "true".equalsIgnoreCase(trustSerialDataSp);
}
```
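As an added example (not part of this CSR or of the JDK sources), a startup self-check that evaluates the two LDAP object-reconstruction gates with the same "true".equalsIgnoreCase test and the post-change defaults shown above, so an operator can see from the logs whether a deployment has opted back in. The marker property app.ldap.rfc2713.required is a hypothetical name an application needing RFC 2713 objects would set to document that dependency.

```java
// Added example, not part of the CSR or the JDK sources: a startup self-check that
// evaluates the two LDAP object-reconstruction gates exactly as VersionHelper12 does.
import java.util.Properties;

public final class LdapTrustSerialDataCheck {
    static final String TRUST_SERIAL_DATA = "com.sun.jndi.ldap.object.trustSerialData";
    static final String TRUST_URL_CODEBASE = "com.sun.jndi.ldap.object.trustURLCodebase";

    /** Same test VersionHelper12 applies: only the literal "true" (any case) enables a gate;
     *  values such as "1", "yes" or "on" leave it disabled. Defaults are the post-CSR "false". */
    static boolean gateEnabled(Properties props, String property) {
        return "true".equalsIgnoreCase(props.getProperty(property, "false"));
    }

    /** Human-readable policy summary for a startup log line or a health endpoint. */
    static String describePolicy(Properties props) {
        boolean serial = gateEnabled(props, TRUST_SERIAL_DATA);
        boolean codebase = gateEnabled(props, TRUST_URL_CODEBASE);
        return "reconstruction from javaSerializedData/javaRemoteLocation: "
                + (serial ? "ENABLED" : "disabled")
                + "; class loading from remote URL codebase: "
                + (codebase ? "ENABLED" : "disabled");
    }

    /** True when trustSerialData is on but the (hypothetical) marker property that an
     *  application needing RFC 2713 objects would set is absent: likely a stale opt-in. */
    static boolean unexpectedlyTrusting(Properties props) {
        return gateEnabled(props, TRUST_SERIAL_DATA)
                && !Boolean.parseBoolean(props.getProperty("app.ldap.rfc2713.required", "false"));
    }

    public static void main(String[] args) {
        // The LDAP provider reads these properties once, in the static initializer shown in
        // the specification, so a System.setProperty call made after the first LDAP
        // InitialContext has no effect on the provider. Prefer a -D flag on the command line,
        // which is also what this check observes.
        Properties props = System.getProperties();
        System.out.println(describePolicy(props));
        if (unexpectedlyTrusting(props)) {
            System.err.println("WARNING: " + TRUST_SERIAL_DATA
                    + " is \"true\" but app.ldap.rfc2713.required is not set");
        }
    }
}
```

Run with -Dcom.sun.jndi.ldap.object.trustSerialData=true to see the warning path; with no flags both gates report disabled under the defaults this CSR specifies.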
- CSR of: JDK-8347036 Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property (Resolved)