Explicit Serialization API and Security
Chris Hegarty
chris.hegarty at oracle.com
Tue Jan 6 17:21:39 UTC 2015
On 6 Jan 2015, at 15:06, Peter Levart <peter.levart at gmail.com> wrote:
> On 01/06/2015 04:03 PM, Peter Levart wrote:
>> private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
>> ObjectInputStream.GetField fields = in.readFields(); // this already validates the types
>
> Well, not true currently. But type validation could be added at this point.
Right. I think I’ll file a bug to track this as it seems reasonable to add type validation to readFields and defaultReadObject. So we can probably assume/ignore it in this discussion.
I like the idea of a callback into the serialization framework to handle the setting of final fields, after validation. I played a little with your patch and added it to a branch in the sandbox**
So a simple example, without legacy fields, might look as below (without the need for writeObject or serialPersistentFields). The simple validating readObject is starting to look like boilerplate?
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;

public class SimpleInterval implements Serializable {
    private final int lo, hi;

    private static void validate(int lo, int hi) {
        // invariant
        if (lo > hi)
            throw new IllegalArgumentException("lo:" + lo + " > hi:" + hi);
    }

    public SimpleInterval(int lo, int hi) {
        validate(lo, hi);
        this.lo = lo;
        this.hi = hi;
    }

    public int getLo() { return lo; }
    public int getHi() { return hi; }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        ObjectInputStream.GetField fields = in.readFields();
        // validate 'lo' and 'hi' fields invariant
        int lo = fields.get("lo", 0);
        int hi = fields.get("hi", 0);
        validate(lo, hi);
        // set current fields from read data
        fields.defaultReadFields(); // this is new API!
    }
}
-Chris.
** hg clone http://hg.openjdk.java.net/jdk9/sandbox sandbox
cd sandbox
sh get_source.sh
sh common/bin/hgforest.sh update -r serial-exp-branch
I also added your example, etc, under:
jdk/test/java/io/Serializable/invarientChecker
see http://cr.openjdk.java.net/~chegar/docs/sandbox.html
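
An added example, not part of the original message or the sandbox branch: the validate-then-assign readObject from the message, runnable on a released JDK and checked against a valid stream and a constructed invalid one. The names IntervalStreamCheck, Interval, set and accepts are hypothetical, and reflection stands in for the proposed defaultReadFields(), which released JDKs do not have.

```java
import java.io.*;
import java.lang.reflect.Field;

public class IntervalStreamCheck {
    // Hypothetical stand-in for SimpleInterval from the message above.
    static final class Interval implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int lo, hi;
        Interval(int lo, int hi) { validate(lo, hi); this.lo = lo; this.hi = hi; }
        private static void validate(int lo, int hi) {
            if (lo > hi) throw new IllegalArgumentException("lo:" + lo + " > hi:" + hi);
        }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            ObjectInputStream.GetField fields = in.readFields();
            int lo = fields.get("lo", 0), hi = fields.get("hi", 0);
            try {
                validate(lo, hi);              // invariant is checked before any field is assigned
            } catch (IllegalArgumentException e) {
                throw new InvalidObjectException(e.getMessage());
            }
            set("lo", lo);                     // assumption: reflection replaces defaultReadFields()
            set("hi", hi);
        }
        private void set(String name, int value) throws IOException {
            try {
                Field f = Interval.class.getDeclaredField(name);
                f.setAccessible(true);         // allows writing a final instance field
                f.setInt(this, value);
            } catch (ReflectiveOperationException e) {
                throw new InvalidObjectException(e.toString());
            }
        }
    }
    // Returns true if the stream deserializes, false if readObject rejected it.
    static boolean accepts(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            in.readObject();
            return true;
        } catch (InvalidObjectException e) {
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(new Interval(1, 5)); }
        byte[] valid = buf.toByteArray();
        byte[] broken = valid.clone();         // constructed test input with lo > hi
        broken[broken.length - 1] = 9;         // field data is written hi then lo; last byte is lo's low byte
        System.out.println("valid: " + accepts(valid) + ", broken: " + accepts(broken));
    }
}
```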