RFR 9: JEP 290: Filter Incoming Serialization Data

Roger Riggs Roger.Riggs at Oracle.com
Wed Jul 20 14:49:46 UTC 2016


Will do, thanks, Roger

On 7/20/2016 10:22 AM, Daniel Fuchs wrote:
> Hi Roger,
>
> 3901     /**
> 3902      * Method for getting the array size for any array.
> 3903      */
> 3904     private static int arrayLength(Object array) {
>
> why not using java.lang.reflect.Array::getLength?
>
> best regards,
>
> -- daniel
>
> On 19/07/16 15:02, Roger Riggs wrote:
>> Please review the design, implementation, and tests of JEP 290: Filter
>> Incoming Serialization Data[1]
>>
>> It allows incoming streams of object-serialization data to be filtered
>> in order to improve both security and robustness.
>> The JEP[1] has more detail on the background and scope.
>>
>> The core mechanism is a filter interface implemented by serialization
>> clients and set on an ObjectInputStream. The filter is called during
>> the deserialization process to validate the classes being deserialized,
>> the sizes of arrays being created, and metrics describing stream length,
>> stream depth, and number of references as the stream is being decoded.
>>
>> A process-wide filter can be configured that is applied to every
>> ObjectInputStream.
>> The API of ObjectInputStream can be used to set a custom filter to
>> supersede or augment the process-wide filter.
>>
>> Webrev:
>> http://cr.openjdk.java.net/~rriggs/webrev-serial-filter-jdk9-8155760/
>>
>> SpecDiff:
>> http://cr.openjdk.java.net/~rriggs/filter-diffs/overview-summary.html
>>
>> Javadoc (subset):
>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputStream.html
>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputFilter.html
>>
>> Comments appreciated, Roger
>>
>> [1] JEP 290:   https://bugs.openjdk.java.net/browse/JDK-8154961
>>
>
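Added illustration of the mechanism Roger describes (a process-wide or per-stream filter that validates classes, array sizes and stream metrics); this is example code, not from the webrev or the JDK, and it uses the java.io.ObjectInputFilter API as it shipped in JDK 9, whose names may differ from the webrev under review. The allowlist pattern, the limits, the audit wrapper and the sample objects are my own constructed choices.

```java
import java.io.*;
import java.util.*;

public class SerialFilterDemo {
    // Pattern filter (constructed for this demo): allow ArrayList and String,
    // reject every other class, and cap array length and nesting depth.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.String;!*;maxarray=1000;maxdepth=10");

    /** Wraps a filter and records every REJECTED decision so rejections can be monitored. */
    static ObjectInputFilter audited(ObjectInputFilter delegate, List<String> log) {
        return info -> {
            ObjectInputFilter.Status status = delegate.checkInput(info);
            if (status == ObjectInputFilter.Status.REJECTED) {
                log.add("rejected class=" + info.serialClass() + " arrayLength=" + info.arrayLength()
                        + " depth=" + info.depth() + " refs=" + info.references());
            }
            return status;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter); // per-stream filter supersedes the process-wide one
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> log = new ArrayList<>();
        ObjectInputFilter filter = audited(ALLOWLIST, log);

        // Accepted: every class in the stream (ArrayList, String) is on the allowlist.
        System.out.println(deserialize(serialize(new ArrayList<>(List.of("a", "b"))), filter));

        // Rejected: HashMap is not allowlisted; int[2000] exceeds maxarray=1000.
        for (Object bad : new Object[] { new HashMap<String, String>(), new int[2_000] }) {
            try {
                deserialize(serialize(bad), filter);
            } catch (InvalidClassException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        log.forEach(System.out::println); // audit trail of filter rejections
    }
}
```

A rejected stream surfaces as an InvalidClassException from readObject, so callers should treat it as a security event rather than a transient I/O failure.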



More information about the core-libs-dev mailing list