# HG changeset patch # User robm # Date 1531238182 -3600 # Node ID bfbb31220c42956c4a475c6be3a42ea729c92261 # Parent 93ead2e8d18666a072cee09ce76ed41d2e8e58db 8199177: Enhance JNDI lookups Reviewed-by: vtewari diff -r 93ead2e8d186 -r bfbb31220c42 src/share/classes/com/sun/naming/internal/VersionHelper12.java --- a/src/share/classes/com/sun/naming/internal/VersionHelper12.java Wed Jul 18 16:37:45 2018 -0700 +++ b/src/share/classes/com/sun/naming/internal/VersionHelper12.java Tue Jul 10 16:56:22 2018 +0100 @@ -75,6 +75,25 @@ } /** + * Determines whether classes may be loaded from an arbitrary URL code base. + */ + private static final String TRUST_URL_CODEBASE_PROPERTY = + "com.sun.jndi.ldap.object.trustURLCodebase"; + private static final String trustURLCodebase = + AccessController.doPrivileged( + new PrivilegedAction() { + public String run() { + try { + return System.getProperty(TRUST_URL_CODEBASE_PROPERTY, + "false"); + } catch (SecurityException e) { + return "false"; + } + } + } + ); + + /** * Package private. * * This internal method is used with Thread Context Class Loader (TCCL), @@ -93,12 +112,15 @@ */ public Class loadClass(String className, String codebase) throws ClassNotFoundException, MalformedURLException { + if ("true".equalsIgnoreCase(trustURLCodebase)) { + ClassLoader parent = getContextClassLoader(); + ClassLoader cl = + URLClassLoader.newInstance(getUrlArray(codebase), parent); - ClassLoader parent = getContextClassLoader(); - ClassLoader cl = - URLClassLoader.newInstance(getUrlArray(codebase), parent); - - return loadClass(className, cl); + return loadClass(className, cl); + } else { + return null; + } } /**