On Wed, 20 Nov 2024 13:06:57 GMT, Aleksei Efimov <aefi...@openjdk.org> wrote:

>> This PR permanently disables remote code downloading in the JNDI/LDAP and 
>> JNDI/RMI JDK providers, and contains the following changes:
>> - The following two properties are removed:
>>     - `com.sun.jndi.ldap.object.trustURLCodebase`
>>     - `com.sun.jndi.rmi.object.trustURLCodebase`
>> - JNDI's object factories logic has been altered to make it possible to 
>> reconstruct object factories from remote locations when a custom 
>> [ObjectFactoryBuilder](https://docs.oracle.com/en/java/javase/23/docs/api/java.naming/javax/naming/spi/ObjectFactoryBuilder.html)
>>  is assigned via the 
>> [NamingManager#setObjectFactoryBuilder](https://docs.oracle.com/en/java/javase/23/docs/api/java.naming/javax/naming/spi/NamingManager.html#setObjectFactoryBuilder(javax.naming.spi.ObjectFactoryBuilder))
>>  API.
>> - The `NamingManager` class-level documentation is edited to remove 
>> references to the `SecurityManager`. It was also revised to clarify a 
>> reconstruction mechanism of object factories from remote references in the 
>> presence of a custom `ObjectFactoryBuilder`.
>> - Also, the modified classes have been cleaned up from `SecurityManager`, 
>> `doPrivileged`, and `AccessController` usages.
>> 
>> These changes require a CSR that will be submitted soon.
>> 
>> ### Testing
>> - Added a new test to check if NamingManager#setObjectFactoryBuilder can be 
>> used to implement remote code downloading: 
>> `test/jdk/com/sun/jndi/rmi/registry/objects/ObjectFactoryBuilderCodebaseTest.java`
>> - `jdk-tier1` to `jdk-tier3` and other JNDI LDAP/RMI tests show no issue 
>> with the proposed changes.
>
> Aleksei Efimov has updated the pull request incrementally with two additional 
> commits since the last revision:
> 
>  - Docs and comments update
>  - Revert VersionHelper.createThread removal

src/jdk.naming.rmi/share/classes/module-info.java line 63:

> 61:  * <p> Downloading a factory class from a {@linkplain 
> javax.naming.Reference#getFactoryClassLocation()
> 62:  * location} specified in the reference can be supported by a custom 
> implementation of {@link
> 63:  * javax.naming.spi.ObjectFactoryBuilder}. Unless an {@link 
> javax.naming.spi.ObjectFactoryBuilder

Suggestion:

 * javax.naming.spi.ObjectFactoryBuilder}. If a location is specified, then 
 * unless an {@link javax.naming.spi.ObjectFactoryBuilder

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22154#discussion_r1850391901
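
The `ObjectFactoryBuilder` hook discussed in this thread can also be used restrictively. The following is an added example, not code from the PR or the JDK: a builder that refuses any `Reference` carrying a factory class location and only instantiates factories from a local allowlist. The names `LocalOnlyFactoryBuilder` and `GreetingFactory` and the codebase URL are assumptions constructed for illustration.

```java
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import javax.naming.spi.NamingManager;
import javax.naming.spi.ObjectFactory;
import javax.naming.spi.ObjectFactoryBuilder;

// Hypothetical builder: local, allowlisted factories only; no factory class location accepted.
public class LocalOnlyFactoryBuilder implements ObjectFactoryBuilder {
    // Hypothetical local factory that returns the content of the "msg" address.
    public static class GreetingFactory implements ObjectFactory {
        @Override
        public Object getObjectInstance(Object obj, Name n, Context c, Hashtable<?, ?> env) {
            return ((Reference) obj).get("msg").getContent();
        }
    }
    private static final Set<String> ALLOWED = Set.of(GreetingFactory.class.getName());

    @Override
    public ObjectFactory createObjectFactory(Object obj, Hashtable<?, ?> env) throws NamingException {
        if (!(obj instanceof Reference)) throw new NamingException("not a Reference");
        Reference ref = (Reference) obj;
        if (ref.getFactoryClassLocation() != null)   // a codebase location is present: refuse it
            throw new NamingException("factory location refused: " + ref.getFactoryClassLocation());
        String name = ref.getFactoryClassName();
        if (name == null || !ALLOWED.contains(name))
            throw new NamingException("factory not on allowlist: " + name);
        try {
            return (ObjectFactory) Class.forName(name).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            NamingException ne = new NamingException("cannot instantiate " + name);
            ne.setRootCause(e);
            throw ne;
        }
    }
    public static void main(String[] args) throws Exception {
        NamingManager.setObjectFactoryBuilder(new LocalOnlyFactoryBuilder()); // settable once per JVM
        String f = GreetingFactory.class.getName();
        StringRefAddr addr = new StringRefAddr("msg", "hello");
        Reference local = new Reference("java.lang.String", addr, f, null);
        // Constructed sample reference with a factory class location set.
        Reference remote = new Reference("java.lang.String", addr, f, "http://codebase.invalid/");
        System.out.println(NamingManager.getObjectInstance(local, null, null, new Hashtable<>()));
        try { NamingManager.getObjectInstance(remote, null, null, new Hashtable<>()); }
        catch (NamingException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```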
