On Fri, 9 Sep 2022 16:55:44 GMT, Aleksei Efimov <aefi...@openjdk.org> wrote:
>> ### Summary of the change
>>
>> The LDAP Naming Service Provider implementation's default settings are changed to disallow deserialization and reconstruction of Java objects from different LDAP attributes (RFC 2713). Currently, only the deserialization is controlled by the `com.sun.jndi.ldap.object.trustSerialData` system property, and it is allowed by default.
>> The change proposed here switches the default value of the `com.sun.jndi.ldap.object.trustSerialData` system property to `"false"`, and also extends its scope to cover the reconstruction of RMI remote objects from the `javaRemoteLocation` LDAP attribute.
>>
>> CSR for this change can be viewed [here](https://bugs.openjdk.org/browse/JDK-8290369).
>>
>> ### List of code changes
>> - Switch the default value of the 'com.sun.jndi.ldap.object.trustSerialData' system property to "false".
>>
>> - Extend the scope of the property to also cover the reconstruction of RMI remote objects from the deprecated 'javaRemoteLocation' LDAP attribute.
>>
>> - Document the support for `javaRemoteLocation` and the `javaReferenceAddress` LDAP attributes in `java.naming`'s module-info.
>>
>> ### Test changes
>> - New `test/jdk/com/sun/jndi/ldap/objects/RemoteLocationAttributeTest.java` test has been added to test that `com.sun.jndi.ldap.object.trustSerialData` system property can be used to control reconstruction of RMI objects from the `javaRemoteLocation` LDAP attribute.
>>
>> - `test/jdk/javax/naming/module/RunBasic.java` was modified to pass `com.sun.jndi.ldap.object.trustSerialData=true` to the sub-tests that rely on reconstruction/deserialization from LDAP attributes.
>>
>> - During the update for `test/jdk/javax/naming/module/RunBasic.java`, it was spotted that sub-test apps launched in separate processes were returning the '0' exit value irrelevant to their execution status. All these sub-tests were modified to throw an exception when failure is observed. It helps to ensure that the exit value of the launched process is not '0' for failed sub-tests.
>>
>> ### Testing
>>
>> `tier1`-`tier3` and JNDI regression/JCK tests not showing any failures related to this change.
>> No failures observed for the modified regression tests.
>
> Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision:
>
>   Add run for the SP w/o value, formatting/wording updates

test/jdk/com/sun/jndi/ldap/objects/RemoteLocationAttributeTest.java line 64:

> 62:             SocketAddress sockAddr = new InetSocketAddress(
> 63:                     InetAddress.getLoopbackAddress(), 0);
> 64:             serverSocket.bind(sockAddr);

Perhaps we should `close()` this `serverSocket` in a finally block to cleanly shut down?

-------------

PR: https://git.openjdk.org/jdk/pull/10228
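For operators preparing for the new default, the following added example (not part of the original message or of the JDK change) inventories an LDIF export for entries that store Java objects in the attributes the PR names. It is written in Python so it can run without a JDK. The grouping into `GATED` and `REVIEW`, the status strings, and the sample entries are assumptions of this example; attribute names are those of RFC 2713 plus the deprecated `javaRemoteLocation`.

```python
# Attribute names come from RFC 2713, plus the deprecated javaRemoteLocation.
# Assumption of this example: GATED is what trustSerialData=false refuses.
GATED = {"javaserializeddata", "javaremotelocation"}
REVIEW = {"javareferenceaddress"}  # named in the PR; inspect these by hand

def parse_ldif(text):
    """Yield (dn, set of lowercased attribute names) for each LDIF entry."""
    lines = text.replace("\r\n", "\n").replace("\n ", "").splitlines()  # unfold
    dn, attrs = None, set()
    for line in lines + [""]:  # the trailing "" flushes the last entry
        name, sep, value = line.partition(":")
        if not line.strip():
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, set()
        elif line.startswith("#") or not sep:
            continue  # comment or malformed line
        elif name.strip().lower() == "dn":
            dn = value.lstrip(":").strip()  # a base64 "dn::" stays encoded
        else:
            attrs.add(name.split(";")[0].strip().lower())  # drop ";binary"

def audit(text):
    """Map each affected DN to (status, matching attribute names)."""
    findings = {}
    for dn, attrs in parse_ldif(text):
        hit, status = attrs & GATED, "needs-opt-in"
        if not hit:
            hit, status = attrs & REVIEW, "review"
        if hit:
            findings[dn] = (status, sorted(hit))
    return findings

# Constructed sample export; the second entry folds an attribute name.
SAMPLE = """\
dn: cn=printer,dc=example,dc=com
javaSerializedData:: Y29uc3RydWN0ZWQ=

dn: cn=legacy,dc=example,dc=com
javaRemoteLoc
 ation: rmi://rmi.example.com/legacy

dn: cn=ref,dc=example,dc=com
javaReferenceAddress: #0#url#ldap://ds.example.com

dn: cn=alice,dc=example,dc=com
cn: alice
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Entries reported as `needs-opt-in` are the ones whose consumers would have to run with `com.sun.jndi.ldap.object.trustSerialData=true`, as the modified `RunBasic.java` sub-tests do, or stop relying on object reconstruction.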