On Fri, 15 Nov 2024 17:03:50 GMT, Aleksei Efimov <aefi...@openjdk.org> wrote:

> This PR permanently disables remote code downloading in JNDI/LDAP and JNDI/RMI 
> JDK providers, and contains the following changes:
> - The following two properties are removed:
>     - `com.sun.jndi.ldap.object.trustURLCodebase`
>     - `com.sun.jndi.rmi.object.trustURLCodebase`
> - JNDI's object factories logic has been altered to make it possible to 
> reconstruct object factories from remote locations when a custom 
> [ObjectFactoryBuilder](https://docs.oracle.com/en/java/javase/23/docs/api/java.naming/javax/naming/spi/ObjectFactoryBuilder.html)
>  is assigned via the 
> [NamingManager#setObjectFactoryBuilder](https://docs.oracle.com/en/java/javase/23/docs/api/java.naming/javax/naming/spi/NamingManager.html#setObjectFactoryBuilder(javax.naming.spi.ObjectFactoryBuilder))
>  API.
> - The `NamingManager` class-level documentation is edited to remove 
> references to the `SecurityManager`. It was also revised to clarify a 
> reconstruction mechanism of object factories from remote references in the 
> presence of a custom `ObjectFactoriesBuilder`.
> - Also, the modified classes have been cleaned up from `SecurityManager`, 
> `doPrivileged`, and `AccessController` usages.
> 
> These changes require a CSR that will be submitted soon.
> 
> ### Testing
> - Added a new test to check if NamingManager#setObjectFactoryBuilder can be 
> used to implement remote code downloading: 
> `test/jdk/com/sun/jndi/rmi/registry/objects/ObjectFactoryBuilderCodebaseTest.java`
> - `jdk-tier1` to `jdk-tier3` and other JNDI LDAP/RMI tests show no issue with 
> the proposed changes.

This pull request has now been integrated.

Changeset: cee74f9e
Author:    Aleksei Efimov <aefi...@openjdk.org>
URL:       https://git.openjdk.org/jdk/commit/cee74f9e677e74deda72638bcc0a3e9307262938
Stats:     564 lines in 11 files changed: 312 ins; 200 del; 52 mod

8338536: Permanently disable remote code downloading in JNDI

Reviewed-by: dfuchs

-------------

PR: https://git.openjdk.org/jdk/pull/22154