RFR: 8264859: Implement Context-Specific Deserialization Filters [v3]
Daniel Fuchs
dfuchs at openjdk.java.net
Thu May 20 19:52:32 UTC 2021
On Thu, 20 May 2021 16:10:11 GMT, Roger Riggs <rriggs at openjdk.org> wrote:
>> JEP 415: Context-specific Deserialization Filters extends the deserialization filtering mechanisms with more flexible and customizable protections against malicious deserialization. See JEP 415: https://openjdk.java.net/jeps/415.
>> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are extended with additional
>> configuration mechanisms and filter utilities.
>>
>> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and `ObjectInputStream`:
>> http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
>
> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
>
> Simplify factory interface to BinaryOperator<ObjectInputFilter> and cleanup the example
src/java.base/share/classes/java/io/ObjectInputStream.java line 201:
> 199: * when a filter is set for a stream.
> 200: * The filter factory determines the filter to be used for each stream based
> 201: * on its inputs, thread context, other filters, or state that is available.
Maybe a link to the ObjectInputFilter API documentation where it is explained what the two filters passed to the factory are in each of these cases should be provided here.
Namely:
- in the constructor, `factory.apply(null, Config.getSerialFilter())` is invoked.
- in `setObjectInputFilter(newfilter)`, `factory.apply(filter, newFilter)` is invoked - where `filter` is the filter that the stream is currently using.
Or maybe link to the constructor and setObjectInputFilter method where this is explained.
src/java.base/share/classes/java/io/ObjectInputStream.java line 204:
> 202: * <li>If a JVM-wide filter factory is not set, a builtin deserialization filter factory
> 203: * provides the {@link Config#getSerialFilter static JVM-wide filter} when invoked from the
> 204: * {@link ObjectInputStream#ObjectInputStream(InputStream) ObjectInputStream constructors}
These two links should be `{@linkplain ...}`
src/java.base/share/classes/java/io/ObjectInputStream.java line 1255:
> 1253: * Returns the serialization filter for this stream.
> 1254: * The filter is the result of invoking the
> 1255: * {@link Config#getSerialFilterFactory() JVM-wide filter factory}
`{@linkplain }`
-------------
PR: https://git.openjdk.java.net/jdk/pull/3996
More information about the core-libs-dev
mailing list