8290367: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property

mrserb · gnu-andrew · commit da6b2652f5af · 2024-10-05T01:53:51.000+01:00
Reviewed-by: yan, mbalao, andrew
Backport-of: 7765942aeee25cbeb5fd932a93b3d8f9d4ca3655
diff --git a/jdk/src/share/classes/com/sun/jndi/ldap/Obj.java b/jdk/src/share/classes/com/sun/jndi/ldap/Obj.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -241,6 +241,10 @@ static Object decodeObject(Attributes attrs)
                 ClassLoader cl = helper.getURLClassLoader(codebases);
                 return deserializeObject((byte[])attr.get(), cl);
             } else if ((attr = attrs.get(JAVA_ATTRIBUTES[REMOTE_LOC])) != null) {
+                 // javaRemoteLocation attribute (RMI stub will be created)
+                 if (!VersionHelper12.isSerialDataAllowed()) {
+                     throw new NamingException("Object deserialization is not allowed");
+                 }
                 // For backward compatibility only
                 return decodeRmiObject(
                     (String)attrs.get(JAVA_ATTRIBUTES[CLASSNAME]).get(),
diff --git a/jdk/src/share/classes/com/sun/jndi/ldap/VersionHelper12.java b/jdk/src/share/classes/com/sun/jndi/ldap/VersionHelper12.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -40,13 +40,13 @@ final class VersionHelper12 extends VersionHelper {
         "com.sun.jndi.ldap.object.trustURLCodebase";
 
     // System property to control whether classes are allowed to be loaded from
-    // 'javaSerializedData' attribute
+    // 'javaSerializedData', 'javaRemoteLocation' or 'javaReferenceAddress' attributes.
     private static final String TRUST_SERIAL_DATA_PROPERTY =
         "com.sun.jndi.ldap.object.trustSerialData";
 
     /**
-     * Determines whether objects may be deserialized from the content of
-     * 'javaSerializedData' attribute.
+     * Determines whether objects may be deserialized or reconstructed from a content of
+     * 'javaSerializedData', 'javaRemoteLocation' or 'javaReferenceAddress' LDAP attributes.
      */
     private static final boolean trustSerialData;
 
@@ -56,7 +56,7 @@ final class VersionHelper12 extends VersionHelper {
     static {
         String trust = getPrivilegedProperty(TRUST_URL_CODEBASE_PROPERTY, "false");
         trustURLCodebase = "true".equalsIgnoreCase(trust);
-        String trustSDString = getPrivilegedProperty(TRUST_SERIAL_DATA_PROPERTY, "true");
+        String trustSDString = getPrivilegedProperty(TRUST_SERIAL_DATA_PROPERTY, "false");
         trustSerialData = "true".equalsIgnoreCase(trustSDString);
     }
 
@@ -72,8 +72,9 @@ private static String getPrivilegedProperty(String propertyName, String defaultV
     VersionHelper12() {} // Disallow external from creating one of these.
 
     /**
-     * Returns true if deserialization of objects from 'javaSerializedData'
-     * and 'javaReferenceAddress' LDAP attributes is allowed.
+     * Returns true if deserialization or reconstruction of objects from
+     * 'javaSerializedData', 'javaRemoteLocation' and 'javaReferenceAddress'
+     * LDAP attributes is allowed.
      *
      * @return true if deserialization is allowed; false - otherwise
      */
diff --git a/jdk/test/com/sun/jndi/ldap/objects/RemoteLocationAttributeTest.java b/jdk/test/com/sun/jndi/ldap/objects/RemoteLocationAttributeTest.java
@@ -0,0 +1,128 @@
+/*
+ * Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+import java.net.ServerSocket;
+import java.net.SocketAddress;
+import java.util.Hashtable;
+import javax.naming.CommunicationException;
+import javax.naming.NamingException;
+import javax.naming.ServiceUnavailableException;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
+
+import jdk.testlibrary.net.URIBuilder;
+
+/**
+ * @test
+ * @bug 8290367
+ * @summary Check if com.sun.jndi.ldap.object.trustSerialData covers the creation
+ *          of RMI remote objects from the 'javaRemoteLocation' LDAP attribute.
+ * @modules java.naming/com.sun.jndi.ldap
+ * @library /lib/testlibrary ../lib
+ * @build LDAPServer LDAPTestUtils
+ *
+ * @run main/othervm RemoteLocationAttributeTest
+ * @run main/othervm -Dcom.sun.jndi.ldap.object.trustSerialData
+ *                   RemoteLocationAttributeTest
+ * @run main/othervm -Dcom.sun.jndi.ldap.object.trustSerialData=false
+ *                   RemoteLocationAttributeTest
+ * @run main/othervm -Dcom.sun.jndi.ldap.object.trustSerialData=true
+ *                   RemoteLocationAttributeTest
+ * @run main/othervm -Dcom.sun.jndi.ldap.object.trustSerialData=TrUe
+ *                   RemoteLocationAttributeTest
+ */
+
+public class RemoteLocationAttributeTest {
+
+    public static void main(String[] args) throws Exception {
+        // Create unbound server socket
+        ServerSocket serverSocket = new ServerSocket();
+
+        // Bind it to the loopback address
+        SocketAddress sockAddr = new InetSocketAddress(
+                InetAddress.getLoopbackAddress(), 0);
+        serverSocket.bind(sockAddr);
+
+        // Construct the provider URL for LDAPTestUtils
+        String providerURL = URIBuilder.newBuilder()
+                .scheme("ldap")
+                .loopback()
+                .port(serverSocket.getLocalPort())
+                .buildUnchecked().toString();
+
+        Hashtable<Object, Object> env;
+
+        // Initialize test environment variables
+        env = LDAPTestUtils.initEnv(serverSocket, providerURL,
+                RemoteLocationAttributeTest.class.getName(), args, false);
+
+        DirContext ctx = null;
+        try {
+            try {
+                System.err.println(env);
+                // connect to server
+                ctx = new InitialDirContext(env);
+                Object lookupResult = ctx.lookup("Test");
+                System.err.println("Lookup result:" + lookupResult);
+                // Test doesn't provide RMI registry running at 127.0.0.1:1097, but if
+                // there is one running on test host successful result is valid for
+                // cases when reconstruction allowed.
+                if (!RECONSTRUCTION_ALLOWED) {
+                    throw new AssertionError("Unexpected successful lookup");
+                }
+            } finally {
+                serverSocket.close();
+            }
+        } catch (ServiceUnavailableException | CommunicationException connectionException) {
+            // The remote location was properly reconstructed but connection to
+            // RMI endpoint failed:
+            //    ServiceUnavailableException - no open socket on 127.0.0.1:1097
+            //    CommunicationException - 127.0.0.1:1097 is open, but it is not RMI registry
+            System.err.println("Got one of connection exceptions:" + connectionException);
+            if (!RECONSTRUCTION_ALLOWED) {
+                throw new AssertionError("Reconstruction not blocked, as expected");
+            }
+        } catch (NamingException ne) {
+            String message = ne.getMessage();
+            System.err.printf("Got NamingException with message: '%s'%n", message);
+            if (RECONSTRUCTION_ALLOWED && EXPECTED_NAMING_EXCEPTION_MESSAGE.equals(message)) {
+                throw new AssertionError("Reconstruction unexpectedly blocked");
+            }
+            if (!RECONSTRUCTION_ALLOWED && !EXPECTED_NAMING_EXCEPTION_MESSAGE.equals(message)) {
+                throw new AssertionError("Reconstruction not blocked");
+            }
+        } finally {
+            LDAPTestUtils.cleanup(ctx);
+        }
+    }
+
+    // Reconstruction of RMI remote objects is allowed if 'com.sun.jndi.ldap.object.trustSerialData'
+    // is set to "true". If the system property is not specified it implies default "false" value
+    private static final boolean RECONSTRUCTION_ALLOWED =
+            Boolean.getBoolean("com.sun.jndi.ldap.object.trustSerialData");
+
+    // NamingException message when reconstruction is not allowed
+    private static final String EXPECTED_NAMING_EXCEPTION_MESSAGE = "Object deserialization is not allowed";
+}
diff --git a/jdk/test/com/sun/jndi/ldap/objects/RemoteLocationAttributeTest.ldap b/jdk/test/com/sun/jndi/ldap/objects/RemoteLocationAttributeTest.ldap
@@ -0,0 +1,61 @@
+#
+# Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+################################################################################
+# Capture file for RemoteLocationAttributeTest.java
+#
+# NOTE: This hexadecimal dump of LDAP protocol messages was generated by
+#       running the RemoteLocationAttributeTest application program against
+#       a real LDAP server and setting the JNDI/LDAP environment property:
+#       com.sun.jndi.ldap.trace.ber to activate LDAP message tracing.
+#
+################################################################################
+
+# LDAP BindRequest
+0000: 30 0C 02 01 01 60 07 02   01 03 04 00 80 00        0....`........
+
+# LDAP BindResponse
+0000: 30 0C 02 01 01 61 07 0A   01 00 04 00 04 00        0....a........
+
+# LDAP SearchRequest
+0000: 30 46 02 01 02 63 24 04   04 54 65 73 74 0A 01 00  0F...c$..Test...
+0010: 0A 01 03 02 01 00 02 01   00 01 01 00 87 0B 6F 62  ..............ob
+0020: 6A 65 63 74 43 6C 61 73   73 30 00 A0 1B 30 19 04  jectClass0...0..
+0030: 17 32 2E 31 36 2E 38 34   30 2E 31 2E 31 31 33 37  .2.16.840.1.1137
+0040: 33 30 2E 33 2E 34 2E 32                            30.3.4.2
+
+# LDAP SearchResultEntry
+0000: 30 5E 02 01 02 64 59 04   04 54 65 73 74 30 51 30  0^...dY..Test0Q0
+0010: 16 04 0D 6A 61 76 61 43   6C 61 73 73 4E 61 6D 65  ...javaClassName
+0020: 31 05 04 03 66 6F 6F 30   37 04 12 6A 61 76 61 52  1...foo07..javaR
+0030: 65 6D 6F 74 65 4C 6F 63   61 74 69 6F 6E 31 21 04  emoteLocation1!.
+0040: 1F 72 6D 69 3A 2F 2F 31   32 37 2E 30 2E 30 2E 31  .rmi://127.0.0.1
+0050: 3A 31 30 39 37 2F 54 65   73 74 52 65 6D 6F 74 65  :1097/TestRemote
+
+# LDAP SearchResultDone
+0000: 30 0C 02 01 02 65 07 0A   01 00 04 00 04 00        0....e........
+
+# LDAP UnbindRequest
+0000: 30 22 02 01 03 42 00 A0   1B 30 19 04 17 32 2E 31  0"...B...0...2.1
+0010: 36 2E 38 34 30 2E 31 2E   31 31 33 37 33 30 2E 33  6.840.1.113730.3
+0020: 2E 34 2E 32                                        .4.2
