1
/*
2
 * Copyright (c) 1999, 2021, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.  Oracle designates this
8
 * particular file as subject to the "Classpath" exception as provided
9
 * by Oracle in the LICENSE file that accompanied this code.
10
 *
11
 * This code is distributed in the hope that it will be useful, but WITHOUT
12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14
 * version 2 for more details (a copy is included in the LICENSE file that
15
 * accompanied this code).
16
 *
17
 * You should have received a copy of the GNU General Public License version
18
 * 2 along with this work; if not, write to the Free Software Foundation,
19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20
 *
21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22
 * or visit www.oracle.com if you need additional information or have any
23
 * questions.
24
 */
25

26
package com.sun.jndi.ldap;
27

28
import jdk.internal.access.SharedSecrets;
29

30
import java.net.MalformedURLException;
31
import java.net.URL;
32
import java.net.URLClassLoader;
33
import java.security.AccessControlContext;
34
import java.security.AccessController;
35
import java.security.PrivilegedAction;
36

37
public final class VersionHelper {
38

39
    private static final VersionHelper helper = new VersionHelper();
40

41
    /**
42
     * Determines whether classes may be loaded from an arbitrary URL code base.
43
     */
44
    private static final boolean trustURLCodebase;
45

46
    /**
47
     * Determines whether objects may be deserialized from the content of
48
     * 'javaSerializedData' attribute.
49
     */
50
    private static final boolean trustSerialData;
51

52
    static {
53
        // System property to control whether classes may be loaded from an
54
        // arbitrary URL code base
55
        String trust = getPrivilegedProperty(
56
                "com.sun.jndi.ldap.object.trustURLCodebase", "false");
57
        trustURLCodebase = "true".equalsIgnoreCase(trust);
58

59
        // System property to control whether classes is allowed to be loaded from
60
        // 'javaSerializedData' attribute
61
        String trustSerialDataSp = getPrivilegedProperty(
62
                "com.sun.jndi.ldap.object.trustSerialData", "true");
63
        trustSerialData = "true".equalsIgnoreCase(trustSerialDataSp);
64
    }
65

66
    @SuppressWarnings("removal")
67
    private static String getPrivilegedProperty(String propertyName, String defaultVal) {
68
        PrivilegedAction<String> action = () -> System.getProperty(propertyName, defaultVal);
69
        if (System.getSecurityManager() == null) {
70
            return action.run();
71
        } else {
72
            return AccessController.doPrivileged(action);
73
        }
74
    }
75

76
    private VersionHelper() {
77
    }
78

79
    static VersionHelper getVersionHelper() {
80
        return helper;
81
    }
82

83
    /**
84
     * Returns true if deserialization of objects from 'javaSerializedData'
85
     * LDAP attribute is allowed.
86
     *
87
     * @return true if deserialization is allowed; false - otherwise
88
     */
89
    public static boolean isSerialDataAllowed() {
90
        return trustSerialData;
91
    }
92

93
    ClassLoader getURLClassLoader(String[] url) throws MalformedURLException {
94
        ClassLoader parent = getContextClassLoader();
95
        /*
96
         * Classes may only be loaded from an arbitrary URL code base when
97
         * the system property com.sun.jndi.ldap.object.trustURLCodebase
98
         * has been set to "true".
99
         */
100
        if (url != null && trustURLCodebase) {
101
            return URLClassLoader.newInstance(getUrlArray(url), parent);
102
        } else {
103
            return parent;
104
        }
105
    }
106

107
    Class<?> loadClass(String className) throws ClassNotFoundException {
108
        return Class.forName(className, true, getContextClassLoader());
109
    }
110

111
    @SuppressWarnings("removal")
112
    Thread createThread(Runnable r) {
113
        AccessControlContext acc = AccessController.getContext();
114
        // 4290486: doPrivileged is needed to create a thread in
115
        // an environment that restricts "modifyThreadGroup".
116
        PrivilegedAction<Thread> act =
117
                () -> SharedSecrets.getJavaLangAccess().newThreadWithAcc(r, acc);
118
        return AccessController.doPrivileged(act);
119
    }
120

121
    @SuppressWarnings("removal")
122
    private ClassLoader getContextClassLoader() {
123
        PrivilegedAction<ClassLoader> act =
124
                Thread.currentThread()::getContextClassLoader;
125
        return AccessController.doPrivileged(act);
126
    }
127

128
    private static URL[] getUrlArray(String[] url) throws MalformedURLException {
129
        URL[] urlArray = new URL[url.length];
130
        for (int i = 0; i < urlArray.length; i++) {
131
            urlArray[i] = new URL(url[i]);
132
        }
133
        return urlArray;
134
    }
135
}
136

137