RFR 9: JEP 290: Filter Incoming Serialization Data
Daniel Fuchs
daniel.fuchs at oracle.com
Wed Jul 20 14:22:22 UTC 2016
Hi Roger,
3901 /**
3902 * Method for getting the array size for any array.
3903 */
3904 private static int arrayLength(Object array) {
Why not use java.lang.reflect.Array::getLength?
best regards,
-- daniel
On 19/07/16 15:02, Roger Riggs wrote:
> Please review the design, implementation, and tests of JEP 290: Filter
> Incoming Serialization Data[1]
>
> It allows incoming streams of object-serialization data to be filtered
> in order to improve both security and robustness.
> The JEP[1] has more detail on the background and scope.
>
> The core mechanism is a filter interface implemented by serialization
> clients and set on an |ObjectInputStream|. The filter is called during
> the deserialization process to validate the classes being deserialized,
> the sizes of arrays being created, and metrics describing stream length,
> stream depth, and number of references as the stream is being decoded.
>
> A process-wide filter can be configured that is applied to every
> ObjectInputStream.
> The API of ObjectInputStream can be used to set a custom filter to
> supersede or augment the process-wide filter.
>
> Webrev:
> http://cr.openjdk.java.net/~rriggs/webrev-serial-filter-jdk9-8155760/
>
> SpecDiff:
> http://cr.openjdk.java.net/~rriggs/filter-diffs/overview-summary.html
>
> Javadoc (subset):
> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputStream.html
>
> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputFilter.html
>
>
> Comments appreciated, Roger
>
> [1] JEP 290: https://bugs.openjdk.java.net/browse/JDK-8154961
>
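To illustrate the mechanism described in Roger's request (a filter set on an ObjectInputStream that checks classes, array sizes and nesting depth, and the pattern form used for the process-wide filter), here is an added example that is not part of this thread or the webrev. It uses the API names as they shipped in JDK 9 (java.io.ObjectInputFilter, ObjectInputStream.setObjectInputFilter, ObjectInputFilter.Config.createFilter), which may differ from the version under review; Point is a constructed sample class.

```java
import java.io.*;
import java.util.Set;

public class SerialFilterDemo {
    // Constructed sample payload type; any class not in ALLOWED is rejected.
    static final class Point implements Serializable {
        private static final long serialVersionUID = 1L;
        final int x, y;
        Point(int x, int y) { this.x = x; this.y = y; }
    }

    static final Set<String> ALLOWED = Set.of(Point.class.getName(), "[I"); // "[I" is int[]
    static final int MAX_ARRAY = 100, MAX_DEPTH = 4;

    // Custom filter: consulted for every class descriptor and array in the stream.
    static final ObjectInputFilter FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c != null && !ALLOWED.contains(c.getName())) return ObjectInputFilter.Status.REJECTED;
        if (info.arrayLength() > MAX_ARRAY) return ObjectInputFilter.Status.REJECTED; // -1 when not an array
        if (info.depth() > MAX_DEPTH) return ObjectInputFilter.Status.REJECTED;
        return ObjectInputFilter.Status.UNDECIDED; // not rejected; stream proceeds
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Returns "ok" when the object passes the filter, or the rejection message.
    static String tryRead(byte[] bytes, ObjectInputFilter filter) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter); // per-stream filter supersedes the process-wide one
            ois.readObject();
            return "ok";
        } catch (InvalidClassException e) {   // a REJECTED status surfaces as InvalidClassException
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(tryRead(serialize(new Point(1, 2)), FILTER));        // ok
        System.out.println(tryRead(serialize(new int[MAX_ARRAY + 1]), FILTER)); // rejected: array too large
        System.out.println(tryRead(serialize(new java.util.Date()), FILTER));   // rejected: class not allowed
        // The same policy as a pattern string, the form a process-wide filter is configured with.
        ObjectInputFilter patternFilter = ObjectInputFilter.Config.createFilter(
            "maxarray=" + MAX_ARRAY + ";maxdepth=" + MAX_DEPTH + ";" + Point.class.getName() + ";!*");
        System.out.println(tryRead(serialize(new Point(3, 4)), patternFilter)); // ok
    }
}
```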