RFR: 8278087: Deserialization filter and filter factory property error reporting under specified [v2]
Lance Andersen
lancea at openjdk.java.net
Thu Dec 16 20:51:59 UTC 2021
On Mon, 6 Dec 2021 16:59:41 GMT, Roger Riggs <rriggs at openjdk.org> wrote:
>> The effects of invalid values of `jdk.serialFilter` and `jdk.serialFilterFactory` properties are
>> incompletely specified. The behavior for invalid values of the properties is different and
>> use an unconventional exception type, `ExceptionInInitializerError` and leave the `OIF.Config` class
>> uninitialized.
>>
>> The exceptions in the `ObjectInputFilter.Config` class initialization caused by invalid values of the two properties,
>> either by system properties supplied on the command line or security properties are logged.
>> The `Config` class marks either or both the filter and filter factory values as unusable
>> and remembers the exception message.
>>
>> Subsequent calls to the methods that get or set the filter or filter factory or create
>> an `ObjectInputStream` throw `java.lang.IllegalStateException` with the remembered exception message.
>> Constructing an `ObjectInputStream` calls both `Config.getSerialFilter` and `Config.getSerialFilterFactory`.
>> The nature of the invalid property is reported as an `IllegalStateException` on first use.
>>
>> This PR supercedes https://github.com/openjdk/jdk/pull/6508 Document that setting an invalid property jdk.serialFilter disables deserialization
>
> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
>
> Address review comments to consistently identify security property names
> and use the correct bug number in the test.
Marked as reviewed by lancea (Reviewer).
-------------
PR: https://git.openjdk.java.net/jdk/pull/6645
More information about the core-libs-dev
mailing list