RFR: 8290367: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property [v3]

Aleksei Efimov aefimov at openjdk.org
Mon Sep 12 14:29:56 UTC 2022


> ### Summary of the change
> 
> The LDAP Naming Service Provider implementation's default settings are changed to disallow deserialization and reconstruction of Java objects from different LDAP attributes (RFC 2713). Currently, only the deserialization is controlled by the `com.sun.jndi.ldap.object.trustSerialData` system property, and it is allowed by default.
> The change proposed here switches the default value of the `com.sun.jndi.ldap.object.trustSerialData` system property to `"false"`, and also extends its scope to cover the reconstruction of RMI remote objects from the `javaRemoteLocation` LDAP attribute.
> 
> CSR for this change can be viewed [here](https://bugs.openjdk.org/browse/JDK-8290369).
> 
> ### List of code changes
> - Switch the default value of the 'com.sun.jndi.ldap.object.trustSerialData' system property to "false".
> 
> - Extend the scope of the property to also cover the reconstruction of RMI remote objects from the deprecated 'javaRemoteLocation' LDAP attribute.
> 
> - Document the support for `javaRemoteLocation` and the `javaReferenceAddress` LDAP attributes in `java.naming`'s module-info.
> 
> ### Test changes
> - A new `test/jdk/com/sun/jndi/ldap/objects/RemoteLocationAttributeTest.java` test has been added to test that the `com.sun.jndi.ldap.object.trustSerialData` system property can be used to control reconstruction of RMI objects from the `javaRemoteLocation` LDAP attribute.
> 
> - `test/jdk/javax/naming/module/RunBasic.java` was modified to pass `com.sun.jndi.ldap.object.trustSerialData=true` to the sub-tests that rely on reconstruction/deserialization from LDAP attributes.
> 
> - During the update for `test/jdk/javax/naming/module/RunBasic.java`, it was spotted that sub-test apps launched in separate processes were returning the '0' exit value irrespective of their execution status. All these sub-tests were modified to throw an exception when a failure is observed. This helps to ensure that the exit value of the launched process is not '0' for failed sub-tests.
> 
> ### Testing
> 
> `tier1`-`tier3` and JNDI regression/JCK tests are not showing any failures related to this change.
> No failures observed for the modified regression tests.

Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision:

  Update src comments/update module-info (case insensitive)/close test socket

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/10228/files
  - new: https://git.openjdk.org/jdk/pull/10228/files/faec04e6..7f16da07

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=10228&range=02
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=10228&range=01-02

  Stats: 12 lines in 3 files changed: 3 ins; 0 del; 9 mod
  Patch: https://git.openjdk.org/jdk/pull/10228.diff
  Fetch: git fetch https://git.openjdk.org/jdk pull/10228/head:pull/10228

PR: https://git.openjdk.org/jdk/pull/10228
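
An added example, not part of the original message or of the JDK change: a small Python audit that scans an LDIF export for entries carrying the RFC 2713 attributes discussed above, so that directory objects relying on the old default can be found before upgrading. The `javaSerializedData` attribute name comes from RFC 2713 rather than from this message, and the sample LDIF, DNs and host names are constructed.

```python
import base64

# javaRemoteLocation / javaReferenceAddress are named in the PR description;
# javaSerializedData is the RFC 2713 attribute holding a serialized object.
WATCHED = {n.lower(): n for n in
           ("javaSerializedData", "javaRemoteLocation", "javaReferenceAddress")}

SAMPLE_LDIF = """\
# constructed sample export, not real directory data
dn: cn=printer,ou=objects,dc=example,dc=com
JAVASERIALIZEDDATA;binary:: AAECAw==

dn: cn=svc,ou=objects,dc=example,dc=com
javaRemote
 Location: rmi://registry.example.com/svc

dn:: Y249cmVmLGRjPWV4YW1wbGUsZGM9Y29t
javareferenceaddress: #0#URL#ldap://ldap.example.com

dn: cn=alice,ou=people,dc=example,dc=com
cn: alice
"""


def logical_lines(ldif_text):
    """Join folded lines (continuations start with a space); drop comments."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [line for line in lines if not line.startswith("#")]


def audit(ldif_text):
    """Return {dn: {watched attributes present}} for entries that carry any."""
    findings, dn = {}, None
    for line in logical_lines(ldif_text):
        name, sep, value = line.partition(":")
        base = name.split(";")[0].strip().lower()  # drop options like ;binary
        if not line.strip():
            dn = None                               # blank line ends the entry
        elif sep and base == "dn":
            b64 = value.startswith(":")             # "dn:: <base64>" form
            dn = base64.b64decode(value[1:]).decode() if b64 else value.strip()
        elif sep and dn is not None and base in WATCHED:
            findings.setdefault(dn, set()).add(WATCHED[base])
    return findings
```

Calling `audit(SAMPLE_LDIF)` reports the three constructed entries that carry a watched attribute, including the one whose attribute name is folded across two lines and the one with a base64-encoded DN, both of which a plain text search for the attribute name would miss.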

