RFR: 8290367: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property [v2]

Daniel Fuchs dfuchs at openjdk.org
Mon Sep 12 09:34:43 UTC 2022


On Fri, 9 Sep 2022 16:55:44 GMT, Aleksei Efimov <aefimov at openjdk.org> wrote:

>> ### Summary of the change
>> 
>> The LDAP Naming Service Provider implementation's default settings are changed to disallow deserialization and reconstruction of Java objects from different LDAP attributes (RFC 2713). Currently, only the deserialization is controlled by the `com.sun.jndi.ldap.object.trustSerialData` system property, and it is allowed by default.
>> The change proposed here switches the default value of the `com.sun.jndi.ldap.object.trustSerialData` system property to `"false"`, and also extends its scope to cover the reconstruction of RMI remote objects from the `javaRemoteLocation` LDAP attribute.
>> 
>> CSR for this change can be viewed [here](https://bugs.openjdk.org/browse/JDK-8290369).
>> 
>> ### List of code changes
>> - Switch the default value of the 'com.sun.jndi.ldap.object.trustSerialData' system property to "false".
>> 
>> - Extend the scope of the property to also cover the reconstruction of RMI remote objects from the deprecated 'javaRemoteLocation' LDAP attribute.
>> 
>> - Document the support for `javaRemoteLocation` and the `javaReferenceAddress` LDAP attributes in `java.naming`'s module-info.
>> 
>> ### Test changes
>> - A new `test/jdk/com/sun/jndi/ldap/objects/RemoteLocationAttributeTest.java` test has been added to test that the `com.sun.jndi.ldap.object.trustSerialData` system property can be used to control reconstruction of RMI objects from the `javaRemoteLocation` LDAP attribute.
>> 
>> - `test/jdk/javax/naming/module/RunBasic.java` was modified to pass `com.sun.jndi.ldap.object.trustSerialData=true` to the sub-tests that rely on reconstruction/deserialization from LDAP attributes.
>> 
>> - During the update for `test/jdk/javax/naming/module/RunBasic.java`, it was spotted that sub-test apps launched in separate processes were returning the '0' exit value irrespective of their execution status. All these sub-tests were modified to throw an exception when a failure is observed. It helps to ensure that the exit value of the launched process is not '0' for failed sub-tests.
>> 
>> ### Testing
>> 
>> `tier1`-`tier3` and JNDI regression/JCK tests not showing any failures related to this change.
>> No failures observed for the modified regression tests.
>
> Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Add run for the SP w/o value, formatting/wording updates

@AlekseiEfimov The CSR is well written, and the update to the module-info.java looks good to me. The code changes and test changes look good. I'm glad to see this change.

-------------

Marked as reviewed by dfuchs (Reviewer).

PR: https://git.openjdk.org/jdk/pull/10228
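
An added example, not part of the original message or of the JDK change: a Python script that scans an LDIF export for entries carrying `javaRemoteLocation` or the RFC 2713 `javaSerializedData` attribute, to find directory data affected by the new `"false"` default of `com.sun.jndi.ldap.object.trustSerialData`. The sample LDIF, its DNs and the function names are constructed for illustration, and including `javaSerializedData` as the serialized-object attribute is an assumption taken from RFC 2713 rather than from the message.

```python
import base64

# javaRemoteLocation is named in the change description; javaSerializedData is
# the RFC 2713 serialized-object attribute (assumed here as the second target).
WATCHED = {"javaserializeddata", "javaremotelocation"}

# Constructed sample LDIF export (not real directory data); the second entry
# uses LDIF line folding inside the attribute name.
SAMPLE_LDIF = """\
dn: cn=printer,ou=objects,dc=example,dc=com
objectClass: javaSerializedObject
javaClassName: java.util.Hashtable
javaSerializedData:: rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxl

dn: cn=legacy-rmi,ou=objects,dc=example,dc=com
objectClass: javaContainer
javaRemoteLoc
 ation: rmi://rmi.example.com/legacy

dn: cn=plain,ou=people,dc=example,dc=com
objectClass: person
"""

def parse_ldif(text):
    """Yield (dn, {attr: [bytes]}) per record; handles folding and base64."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            # "attr:: <base64>" carries binary data, "attr: <text>" plain text
            value = (base64.b64decode(rest[1:].strip()) if rest.startswith(":")
                     else rest.strip().encode())
            name = name.split(";")[0].lower()  # drop options such as ;binary
            if name == "dn":
                dn = value.decode(errors="replace")
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            yield dn, attrs

def audit(text):
    """Map each DN to the watched attributes it carries; clean entries are omitted."""
    found = ((dn, sorted(a for a in attrs if a in WATCHED))
             for dn, attrs in parse_ldif(text))
    return {dn: hits for dn, hits in found if hits}

if __name__ == "__main__":
    for dn, hits in audit(SAMPLE_LDIF).items():
        print(dn, "->", ", ".join(hits))
```

Entries the script reports are the ones to review before deciding whether any application still needs the property set to `"true"`.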

