RFR 9: JEP 290: Filter Incoming Serialization Data

Daniel Fuchs daniel.fuchs at oracle.com
Wed Jul 27 13:15:36 UTC 2016


Hi Roger,

ObjectInputStream.java:

  179  * If a {@link #setObjectInputFilter(ObjectInputFilter) filter is set}

  184  * A {@link ObjectInputFilter.Config#setSerialFilter(ObjectInputFilter) process-wide filter}

These two lines should be using {@linkplain, not {@link.

  308     private ObjectInputFilter serialFilter;

This field is supposed to be set only once. We can't use final
because we may not know its value right at construction time, so
the setter tries to do its best to ensure that the field is not
changed after serialization has begun.
To improve that and make it more 'final-like' I would make this
field volatile and the setter synchronized.

best regards,

-- daniel


On 26/07/16 18:57, Roger Riggs wrote:
> Hi,
>
> Updated the specdiff and javadoc with SerializablePermission and misc
> editorial cleanups.
>
> SpecDiff:
> http://cr.openjdk.java.net/~rriggs/filter-diffs/overview-summary.html
>
> Javadoc (subset)
> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputStream.html
>
> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputFilter.html
>
> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/SerializablePermission.html
>
>
> Also, noticed that a filter could not distinguish between a reference to
> an array class and the callback to check the size of a zero length array
> (size == 0). Modified the range of the size to be positive when creating
> an array and otherwise negative.
>
> Webrev:
> http://cr.openjdk.java.net/~rriggs/webrev-serial-filter-jdk9-8155760/
>
> Roger
>
>
> On 7/26/2016 12:34 PM, Roger Riggs wrote:
>> Hi Chris,
>>
>> yes, it's in the webrev, but I neglected to include it in the javadoc
>> and specdiff updates.
>>
>> Thanks, Roger
>>
>>
>> On 7/26/2016 12:20 PM, Chris Hegarty wrote:
>>> Another final thought that just occurred to me…
>>>
>>> java.io.SerializablePermission will need its class-level javadoc
>>> updated to
>>> include the new permission target name.
>>>
>>> -Chris.
>>>
>>>> On 25 Jul 2016, at 19:55, Roger Riggs <Roger.Riggs at oracle.com> wrote:
>>>>
>>>> Hi Chris,
>>>>
>>>> Thanks for the review and comments,
>>>>
>>>> Updates in place:
>>>>
>>>> Webrev:
>>>> http://cr.openjdk.java.net/~rriggs/webrev-serial-filter-jdk9-8155760/
>>>>
>>>> SpecDiff:
>>>> http://cr.openjdk.java.net/~rriggs/filter-diffs/overview-summary.html
>>>>
>>>> Javadoc (subset)
>>>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputStream.html
>>>>
>>>>
>>>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputFilter.html
>>>>
>>>>
>
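
The suggestion at the top of this message (a volatile field with a synchronized setter, so the filter behaves as set-once), sketched as an added example that is not part of the original message and not JDK code. `SetOnceFilterDemo`, `setFilter`, `read` and the `Predicate`-based filter are hypothetical stand-ins for `ObjectInputStream`, its setter and `ObjectInputFilter`.

```java
import java.io.InvalidClassException;
import java.util.Objects;
import java.util.function.Predicate;

/** Hypothetical stand-in for a stream with a set-once filter; not JDK source. */
public class SetOnceFilterDemo {
    // volatile: the reading thread sees the filter the setter published.
    private volatile Predicate<Class<?>> serialFilter;
    private boolean readStarted;               // guarded by "this"

    // synchronized: the check and the write are one atomic step,
    // so two racing setters cannot both succeed.
    public synchronized void setFilter(Predicate<Class<?>> filter) {
        Objects.requireNonNull(filter, "filter");
        if (serialFilter != null || readStarted) {
            throw new IllegalStateException("filter already set or reading has begun");
        }
        serialFilter = filter;
    }

    // Stand-in for readObject(): applies the filter to the candidate's class.
    public Object read(Object candidate) throws InvalidClassException {
        synchronized (this) {
            readStarted = true;                // from here on the setter refuses
        }
        Predicate<Class<?>> f = serialFilter;  // one volatile read per call
        if (f != null && !f.test(candidate.getClass())) {
            throw new InvalidClassException(candidate.getClass().getName(), "rejected by filter");
        }
        return candidate;
    }

    public static void main(String[] args) throws Exception {
        SetOnceFilterDemo in = new SetOnceFilterDemo();
        in.setFilter(c -> c == String.class || c == Integer.class); // constructed allow-list
        System.out.println(in.read("hello"));
        try {
            in.setFilter(c -> true);           // attempt to widen the filter later
        } catch (IllegalStateException e) {
            System.out.println("setter refused: " + e.getMessage());
        }
        try {
            in.read(new java.util.ArrayList<String>());
        } catch (InvalidClassException e) {
            System.out.println("read refused: " + e.getMessage());
        }
    }
}
```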


