8267712: Better LDAP reference processing

Reviewed-by: dfuchs, ahgross, rhalade
2021-06-08 10:18:09 +00:00 · 2021-06-08 10:18:09 +00:00 · bddcc8ea9d
commit bddcc8ea9d
parent 470e8a0fda
2 changed files with 7 additions and 1 deletions
--- a/src/java.naming/share/classes/com/sun/jndi/ldap/Obj.java
+++ b/src/java.naming/share/classes/com/sun/jndi/ldap/Obj.java
@ -465,6 +465,12 @@ final class Obj {
                    // Empty content
                    refAddrList[posn] = new StringRefAddr(type, null);
                } else if (val.charAt(start) == separator) {
+                    // Check if deserialization of binary RefAddr is allowed from
+                    // 'javaReferenceAddress' LDAP attribute.
+                    if (!VersionHelper.isSerialDataAllowed()) {
+                        throw new NamingException("Object deserialization is not allowed");
+                    }
+
                    // Double separators indicate a non-StringRefAddr
                    // Content is a Base64-encoded serialized RefAddr

--- a/src/java.naming/share/classes/com/sun/jndi/ldap/VersionHelper.java
+++ b/src/java.naming/share/classes/com/sun/jndi/ldap/VersionHelper.java
@ -82,7 +82,7 @@ public final class VersionHelper {

    /**
     * Returns true if deserialization of objects from 'javaSerializedData'
-     * LDAP attribute is allowed.
+     * and 'javaReferenceAddress' LDAP attributes is allowed.
     *
     * @return true if deserialization is allowed; false - otherwise
     */