
8290367: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property

Reviewed-by: yan, mbalao, andrew
Backport-of: 7765942aeee25cbeb5fd932a93b3d8f9d4ca3655
mrserb authored and gnu-andrew committed Oct 5, 2024
1 parent 3b077b8 commit da6b265
Showing 4 changed files with 202 additions and 8 deletions.
6 changes: 5 additions & 1 deletion jdk/src/share/classes/com/sun/jndi/ldap/Obj.java
@@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -241,6 +241,10 @@ static Object decodeObject(Attributes attrs)
ClassLoader cl = helper.getURLClassLoader(codebases);
return deserializeObject((byte[])attr.get(), cl);
} else if ((attr = attrs.get(JAVA_ATTRIBUTES[REMOTE_LOC])) != null) {
// javaRemoteLocation attribute (RMI stub will be created)
if (!VersionHelper12.isSerialDataAllowed()) {
throw new NamingException("Object deserialization is not allowed");
}
// For backward compatibility only
return decodeRmiObject(
(String)attrs.get(JAVA_ATTRIBUTES[CLASSNAME]).get(),
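Review bot: The new guard in the javaRemoteLocation branch throws with the message `Object deserialization is not allowed`, which RemoteLocationAttributeTest compares verbatim through EXPECTED_NAMING_EXCEPTION_MESSAGE, yet nothing at the throw site records that coupling, and the wording says "deserialization" for a branch that reconstructs an RMI stub from the attribute value rather than deserializing bytes. A comment above the check would save the next maintainer from rewording it: `// Gated by com.sun.jndi.ldap.object.trustSerialData (default false); the message is matched verbatim by RemoteLocationAttributeTest`. decodeObject starts and ends outside the hunk, so whether the javaSerializedData branch above uses the same message and the same helper cannot be confirmed from here.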
15 changes: 8 additions & 7 deletions jdk/src/share/classes/com/sun/jndi/ldap/VersionHelper12.java
@@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -40,13 +40,13 @@ final class VersionHelper12 extends VersionHelper {
"com.sun.jndi.ldap.object.trustURLCodebase";

// System property to control whether classes are allowed to be loaded from
// 'javaSerializedData' attribute
// 'javaSerializedData', 'javaRemoteLocation' or 'javaReferenceAddress' attributes.
private static final String TRUST_SERIAL_DATA_PROPERTY =
"com.sun.jndi.ldap.object.trustSerialData";

/**
* Determines whether objects may be deserialized from the content of
* 'javaSerializedData' attribute.
* Determines whether objects may be deserialized or reconstructed from a content of
* 'javaSerializedData', 'javaRemoteLocation' or 'javaReferenceAddress' LDAP attributes.
*/
private static final boolean trustSerialData;

Expand All @@ -56,7 +56,7 @@ final class VersionHelper12 extends VersionHelper {
static {
String trust = getPrivilegedProperty(TRUST_URL_CODEBASE_PROPERTY, "false");
trustURLCodebase = "true".equalsIgnoreCase(trust);
String trustSDString = getPrivilegedProperty(TRUST_SERIAL_DATA_PROPERTY, "true");
String trustSDString = getPrivilegedProperty(TRUST_SERIAL_DATA_PROPERTY, "false");
trustSerialData = "true".equalsIgnoreCase(trustSDString);
}

Expand All @@ -72,8 +72,9 @@ private static String getPrivilegedProperty(String propertyName, String defaultV
VersionHelper12() {} // Disallow external from creating one of these.

/**
* Returns true if deserialization of objects from 'javaSerializedData'
* and 'javaReferenceAddress' LDAP attributes is allowed.
* Returns true if deserialization or reconstruction of objects from
* 'javaSerializedData', 'javaRemoteLocation' and 'javaReferenceAddress'
* LDAP attributes is allowed.
*
* @return true if deserialization is allowed; false - otherwise
*/
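Review bot: The static initializer now reads TRUST_SERIAL_DATA_PROPERTY with a "false" default, but the Javadoc of isSerialDataAllowed in the last hunk still describes only which attributes are covered and does not tell a reader which property controls the result, how its value is interpreted, or what the default is. Suggest extending that Javadoc with `Controlled by the {@code com.sun.jndi.ldap.object.trustSerialData} system property; only the value {@code true} (compared case-insensitively) enables it, and the default is {@code false}.` The `@return` line could likewise say "deserialization or reconstruction" so it matches the updated summary sentence. The method body itself lies outside the hunk.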
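--- /dev/null
+++ b/jdk/test/com/sun/jndi/ldap/objects/RemoteLocationAttributeTest.java
@@ -0,0 +1,128 @@
+/*
+* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+*
+* This code is free software; you can redistribute it and/or modify it
+* under the terms of the GNU General Public License version 2 only, as
+* published by the Free Software Foundation.
+*
+* This code is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+* version 2 for more details (a copy is included in the LICENSE file that
+* accompanied this code).
+*
+* You should have received a copy of the GNU General Public License version
+* 2 along with this work; if not, write to the Free Software Foundation,
+* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+*
+* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+* or visit www.oracle.com if you need additional information or have any
+* questions.
+*/
+
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+import java.net.ServerSocket;
+import java.net.SocketAddress;
+import java.util.Hashtable;
+import javax.naming.CommunicationException;
+import javax.naming.NamingException;
+import javax.naming.ServiceUnavailableException;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
+
+import jdk.testlibrary.net.URIBuilder;
+
+/**
+* @test
+* @bug 8290367
+* @summary Check if com.sun.jndi.ldap.object.trustSerialData covers the creation
+* of RMI remote objects from the 'javaRemoteLocation' LDAP attribute.
+* @modules java.naming/com.sun.jndi.ldap
+* @library /lib/testlibrary ../lib
+* @build LDAPServer LDAPTestUtils
+*
+* @run main/othervm RemoteLocationAttributeTest
+* @run main/othervm -Dcom.sun.jndi.ldap.object.trustSerialData
+* RemoteLocationAttributeTest
+* @run main/othervm -Dcom.sun.jndi.ldap.object.trustSerialData=false
+* RemoteLocationAttributeTest
+* @run main/othervm -Dcom.sun.jndi.ldap.object.trustSerialData=true
+* RemoteLocationAttributeTest
+* @run main/othervm -Dcom.sun.jndi.ldap.object.trustSerialData=TrUe
+* RemoteLocationAttributeTest
+*/
+
+public class RemoteLocationAttributeTest {
+
+public static void main(String[] args) throws Exception {
+// Create unbound server socket
+ServerSocket serverSocket = new ServerSocket();
+
+// Bind it to the loopback address
+SocketAddress sockAddr = new InetSocketAddress(
+InetAddress.getLoopbackAddress(), 0);
+serverSocket.bind(sockAddr);
+
+// Construct the provider URL for LDAPTestUtils
+String providerURL = URIBuilder.newBuilder()
+.scheme("ldap")
+.loopback()
+.port(serverSocket.getLocalPort())
+.buildUnchecked().toString();
+
+Hashtable<Object, Object> env;
+
+// Initialize test environment variables
+env = LDAPTestUtils.initEnv(serverSocket, providerURL,
+RemoteLocationAttributeTest.class.getName(), args, false);
+
+DirContext ctx = null;
+try {
+try {
+System.err.println(env);
+// connect to server
+ctx = new InitialDirContext(env);
+Object lookupResult = ctx.lookup("Test");
+System.err.println("Lookup result:" + lookupResult);
+// Test doesn't provide RMI registry running at 127.0.0.1:1097, but if
+// there is one running on test host successful result is valid for
+// cases when reconstruction allowed.
+if (!RECONSTRUCTION_ALLOWED) {
+throw new AssertionError("Unexpected successful lookup");
+}
+} finally {
+serverSocket.close();
+}
+} catch (ServiceUnavailableException | CommunicationException connectionException) {
+// The remote location was properly reconstructed but connection to
+// RMI endpoint failed:
+// ServiceUnavailableException - no open socket on 127.0.0.1:1097
+// CommunicationException - 127.0.0.1:1097 is open, but it is not RMI registry
+System.err.println("Got one of connection exceptions:" + connectionException);
+if (!RECONSTRUCTION_ALLOWED) {
+throw new AssertionError("Reconstruction not blocked, as expected");
+}
+} catch (NamingException ne) {
+String message = ne.getMessage();
+System.err.printf("Got NamingException with message: '%s'%n", message);
+if (RECONSTRUCTION_ALLOWED && EXPECTED_NAMING_EXCEPTION_MESSAGE.equals(message)) {
+throw new AssertionError("Reconstruction unexpectedly blocked");
+}
+if (!RECONSTRUCTION_ALLOWED && !EXPECTED_NAMING_EXCEPTION_MESSAGE.equals(message)) {
+throw new AssertionError("Reconstruction not blocked");
+}
+} finally {
+LDAPTestUtils.cleanup(ctx);
+}
+}
+
+// Reconstruction of RMI remote objects is allowed if 'com.sun.jndi.ldap.object.trustSerialData'
+// is set to "true". If the system property is not specified it implies default "false" value
+private static final boolean RECONSTRUCTION_ALLOWED =
+Boolean.getBoolean("com.sun.jndi.ldap.object.trustSerialData");
+
+// NamingException message when reconstruction is not allowed
+private static final String EXPECTED_NAMING_EXCEPTION_MESSAGE = "Object deserialization is not allowed";
+}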
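Review bot: The ServerSocket created at `ServerSocket serverSocket = new ServerSocket();` is closed only in the inner finally, so if the URIBuilder call or LDAPTestUtils.initEnv throws before the outer try is entered, the bound loopback socket stays open until the VM exits. Declaring it with try-with-resources, `try (ServerSocket serverSocket = new ServerSocket()) {` around the rest of the body, would guarantee the close on every path and let the inner `} finally { serverSocket.close(); }` be dropped. As a matter of style, `Hashtable<Object, Object> env;` is declared on its own line and assigned two lines later, which reads more plainly as a single declaration with initializer, and the two private static constants that main depends on would conventionally sit above it rather than after it. The assertion logic itself looks consistent with the new "false" default: an empty `-Dcom.sun.jndi.ldap.object.trustSerialData` yields false from both Boolean.getBoolean and the "true".equalsIgnoreCase check in VersionHelper12.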
@@ -0,0 +1,61 @@
#
# Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#

################################################################################
# Capture file for RemoteLocationAttributeTest.java
#
# NOTE: This hexadecimal dump of LDAP protocol messages was generated by
# running the RemoteLocationAttributeTest application program against
# a real LDAP server and setting the JNDI/LDAP environment property:
# com.sun.jndi.ldap.trace.ber to activate LDAP message tracing.
#
################################################################################

# LDAP BindRequest
0000: 30 0C 02 01 01 60 07 02 01 03 04 00 80 00 0....`........

# LDAP BindResponse
0000: 30 0C 02 01 01 61 07 0A 01 00 04 00 04 00 0....a........

# LDAP SearchRequest
0000: 30 46 02 01 02 63 24 04 04 54 65 73 74 0A 01 00 0F...c$..Test...
0010: 0A 01 03 02 01 00 02 01 00 01 01 00 87 0B 6F 62 ..............ob
0020: 6A 65 63 74 43 6C 61 73 73 30 00 A0 1B 30 19 04 jectClass0...0..
0030: 17 32 2E 31 36 2E 38 34 30 2E 31 2E 31 31 33 37 .2.16.840.1.1137
0040: 33 30 2E 33 2E 34 2E 32 30.3.4.2

# LDAP SearchResultEntry
0000: 30 5E 02 01 02 64 59 04 04 54 65 73 74 30 51 30 0^...dY..Test0Q0
0010: 16 04 0D 6A 61 76 61 43 6C 61 73 73 4E 61 6D 65 ...javaClassName
0020: 31 05 04 03 66 6F 6F 30 37 04 12 6A 61 76 61 52 1...foo07..javaR
0030: 65 6D 6F 74 65 4C 6F 63 61 74 69 6F 6E 31 21 04 emoteLocation1!.
0040: 1F 72 6D 69 3A 2F 2F 31 32 37 2E 30 2E 30 2E 31 .rmi://127.0.0.1
0050: 3A 31 30 39 37 2F 54 65 73 74 52 65 6D 6F 74 65 :1097/TestRemote

# LDAP SearchResultDone
0000: 30 0C 02 01 02 65 07 0A 01 00 04 00 04 00 0....e........

# LDAP UnbindRequest
0000: 30 22 02 01 03 42 00 A0 1B 30 19 04 17 32 2E 31 0"...B...0...2.1
0010: 36 2E 38 34 30 2E 31 2E 31 31 33 37 33 30 2E 33 6.840.1.113730.3
0020: 2E 34 2E 32 .4.2
