OpenJDK / bsd-port / bsd-port / jdk
changeset 1188:255dcd4f19b6
6737315: LDAP serialized data vulnerability
Reviewed-by: alanb
author | vinnie |
---|---|
date | Tue, 10 Mar 2009 18:43:00 +0000 |
parents | 6ed878e5a5d4 |
children | e51956c74e5c |
files | src/share/classes/com/sun/jndi/ldap/VersionHelper12.java |
diffstat | 1 files changed, 23 insertions(+), 2 deletions(-) [+] |
--- a/src/share/classes/com/sun/jndi/ldap/VersionHelper12.java Tue Mar 10 14:29:47 2009 +0100
+++ b/src/share/classes/com/sun/jndi/ldap/VersionHelper12.java Tue Mar 10 18:43:00 2009 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 1999-2009 Sun Microsystems, Inc. All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -33,12 +33,33 @@
 final class VersionHelper12 extends VersionHelper {
+ // System property to control whether classes may be loaded from an
+ // arbitrary URL code base.
+ private static final String TRUST_URL_CODEBASE_PROPERTY =
+ "com.sun.jndi.ldap.object.trustURLCodebase";
+
+ // Determine whether classes may be loaded from an arbitrary URL code base.
+ private static final String trustURLCodebase =
+ AccessController.doPrivileged(
+ new PrivilegedAction<String>() {
+ public String run() {
+ return System.getProperty(TRUST_URL_CODEBASE_PROPERTY,
+ "false");
+ }
+ }
+ );
+
 VersionHelper12() {} // Disallow external from creating one of these.
 ClassLoader getURLClassLoader(String[] url)
 throws MalformedURLException {
 ClassLoader parent = getContextClassLoader();
- if (url != null) {
+ /*
+ * Classes may only be loaded from an arbitrary URL code base when
+ * the system property com.sun.jndi.ldap.object.trustURLCodebase
+ * has been set to "true".
+ */
+ if (url != null && "true".equalsIgnoreCase(trustURLCodebase)) {
 return URLClassLoader.newInstance(getUrlArray(url), parent);
 } else {
 return parent;
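Review bot: `trustURLCodebase` is evaluated once, in the static initializer, so changing `com.sun.jndi.ldap.object.trustURLCodebase` after `VersionHelper12` has been initialized has no effect on `getURLClassLoader`, and neither added comment says so. Capturing the value early looks deliberate, but it should be documented on the field, e.g. `// Read once at class initialization; later changes to the property are ignored.` The field would also read better as a boolean, `private static final boolean trustURLCodebase = "true".equalsIgnoreCase(...)` wrapped around the same `doPrivileged` call, which keeps the string comparison out of the `if`. When a code base is supplied but not trusted, the method now returns the parent loader with no indication that the code base was dropped; the body of `getURLClassLoader` continues past the end of the hunk, so whether a caller reports that is not visible here.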