1
/*
2
 * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.  Oracle designates this
8
 * particular file as subject to the "Classpath" exception as provided
9
 * by Oracle in the LICENSE file that accompanied this code.
10
 *
11
 * This code is distributed in the hope that it will be useful, but WITHOUT
12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14
 * version 2 for more details (a copy is included in the LICENSE file that
15
 * accompanied this code).
16
 *
17
 * You should have received a copy of the GNU General Public License version
18
 * 2 along with this work; if not, write to the Free Software Foundation,
19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20
 *
21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22
 * or visit www.oracle.com if you need additional information or have any
23
 * questions.
24
 */
25

26
package com.sun.jndi.ldap;
27

28
import java.net.URLClassLoader;
29
import java.net.MalformedURLException;
30
import java.security.AccessControlContext;
31
import java.security.AccessController;
32
import java.security.PrivilegedAction;
33
import sun.misc.SharedSecrets;
34

35
final class VersionHelper12 extends VersionHelper {
36

37
    // System property to control whether classes may be loaded from an
38
    // arbitrary URL code base.
39
    private static final String TRUST_URL_CODEBASE_PROPERTY =
40
        "com.sun.jndi.ldap.object.trustURLCodebase";
41

42
    // System property to control whether classes are allowed to be loaded from
43
    // 'javaSerializedData' attribute
44
    private static final String TRUST_SERIAL_DATA_PROPERTY =
45
        "com.sun.jndi.ldap.object.trustSerialData";
46

47
    /**
48
     * Determines whether objects may be deserialized from the content of
49
     * 'javaSerializedData' attribute.
50
     */
51
    private static final boolean trustSerialData;
52

53
    // Determine whether classes may be loaded from an arbitrary URL code base.
54
    private static final boolean trustURLCodebase;
55

56
    static {
57
        String trust = getPrivilegedProperty(TRUST_URL_CODEBASE_PROPERTY, "false");
58
        trustURLCodebase = "true".equalsIgnoreCase(trust);
59
        String trustSDString = getPrivilegedProperty(TRUST_SERIAL_DATA_PROPERTY, "true");
60
        trustSerialData = "true".equalsIgnoreCase(trustSDString);
61
    }
62

63
    private static String getPrivilegedProperty(String propertyName, String defaultVal) {
64
        PrivilegedAction<String> action = () -> System.getProperty(propertyName, defaultVal);
65
        if (System.getSecurityManager() == null) {
66
            return action.run();
67
        } else {
68
            return AccessController.doPrivileged(action);
69
        }
70
    }
71

72
    VersionHelper12() {} // Disallow external from creating one of these.
73

74
    /**
75
     * Returns true if deserialization of objects from 'javaSerializedData'
76
     * LDAP attribute is allowed.
77
     *
78
     * @return true if deserialization is allowed; false - otherwise
79
     */
80
    public static boolean isSerialDataAllowed() {
81
        return trustSerialData;
82
    }
83

84
    ClassLoader getURLClassLoader(String[] url)
85
        throws MalformedURLException {
86
            ClassLoader parent = getContextClassLoader();
87
            /*
88
             * Classes may only be loaded from an arbitrary URL code base when
89
             * the system property com.sun.jndi.ldap.object.trustURLCodebase
90
             * has been set to "true".
91
             */
92
            if (url != null && trustURLCodebase) {
93
                return URLClassLoader.newInstance(getUrlArray(url), parent);
94
            } else {
95
                return parent;
96
            }
97
    }
98

99
    Class<?> loadClass(String className) throws ClassNotFoundException {
100
        ClassLoader cl = getContextClassLoader();
101
        return Class.forName(className, true, cl);
102
    }
103

104
    private ClassLoader getContextClassLoader() {
105
        return AccessController.doPrivileged(
106
            new PrivilegedAction<ClassLoader>() {
107
                public ClassLoader run() {
108
                    return Thread.currentThread().getContextClassLoader();
109
                }
110
            }
111
        );
112
    }
113

114
    Thread createThread(final Runnable r) {
115
        final AccessControlContext acc = AccessController.getContext();
116
        // 4290486: doPrivileged is needed to create a thread in
117
        // an environment that restricts "modifyThreadGroup".
118
        return AccessController.doPrivileged(
119
                new PrivilegedAction<Thread>() {
120
                    public Thread run() {
121
                        return SharedSecrets.getJavaLangAccess()
122
                                .newThreadWithAcc(r, acc);
123
                    }
124
                }
125
        );
126
    }
127
}
128

129