Mercurial > hg > release > icedtea-1.9

view patches/security/icedtea-6737315.patch @ 1768:3a122c249dda

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Port latest security fixes from IcedTea6. 2009-04-06 Andrew John Hughes <ahughes@redhat.com> * Makefile.am: Add new patches. * patches/security/icedtea-6536193.patch, * patches/security/icedtea-6610888.patch, * patches/security/icedtea-6610896.patch, * patches/security/icedtea-6630639.patch, * patches/security/icedtea-6632886.patch, * patches/security/icedtea-6636360.patch, * patches/security/icedtea-6652463.patch, * patches/security/icedtea-6656633.patch, * patches/security/icedtea-6658158.patch, * patches/security/icedtea-6691246.patch, * patches/security/icedtea-6717680.patch, * patches/security/icedtea-6721651.patch, * patches/security/icedtea-6737315.patch, * patches/security/icedtea-6792554.patch, * patches/security/icedtea-6804996.patch, * patches/security/icedtea-6804997.patch, * patches/security/icedtea-6804998.patch: Security patches ported from IcedTea6.
author Andrew John Hughes <ahughes@redhat.com>
date Tue, 07 Apr 2009 01:02:17 +0100
parents
children
line wrap: on
line source

--- old/./src/share/classes/com/sun/jndi/ldap/VersionHelper12.java	Tue Mar 10 17:35:37 2009
+++ openjdk/jdk/src/share/classes/com/sun/jndi/ldap/VersionHelper12.java	Tue Mar 10 17:35:36 2009
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1999-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -33,12 +33,33 @@
 
 final class VersionHelper12 extends VersionHelper {
 
+    // System property to control whether classes may be loaded from an
+    // arbitrary URL code base.
+    private static final String TRUST_URL_CODEBASE_PROPERTY =
+        "com.sun.jndi.ldap.object.trustURLCodebase";
+
+    // Determine whether classes may be loaded from an arbitrary URL code base.
+    private static final String trustURLCodebase =
+        AccessController.doPrivileged(
+            new PrivilegedAction<String>() {
+                public String run() {
+                    return System.getProperty(TRUST_URL_CODEBASE_PROPERTY,
+                            "false");
+                }
+            }
+        );
+
     VersionHelper12() {} // Disallow external from creating one of these.
 
     ClassLoader getURLClassLoader(String[] url)
         throws MalformedURLException {
             ClassLoader parent = getContextClassLoader();
-            if (url != null) {
+            /*
+             * Classes may only be loaded from an arbitrary URL code base when
+             * the system property com.sun.jndi.ldap.object.trustURLCodebase
+             * has been set to "true".
+             */
+            if (url != null && "true".equalsIgnoreCase(trustURLCodebase)) {
                 return URLClassLoader.newInstance(getUrlArray(url), parent);
             } else {
                 return parent;