RFR: 8264859: Implement Context-Specific Deserialization Filters [v5]
Chris Hegarty
chegar at openjdk.java.net
Mon May 24 10:31:08 UTC 2021
On Sat, 22 May 2021 20:16:37 GMT, Roger Riggs <rriggs at openjdk.org> wrote:
>> JEP 415: Context-specific Deserialization Filters extends the deserialization filtering mechanisms with more flexible and customizable protections against malicious deserialization. See JEP 415: https://openjdk.java.net/jeps/415.
>> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are extended with additional
>> configuration mechanisms and filter utilities.
>>
>> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and `ObjectInputStream`:
>> http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
>
> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
>
> Editorial javadoc updated based on review comments.
> Clarified behavior of rejectUndecidedClass method.
> Example test added to check status returned from file.
src/java.base/share/classes/java/io/ObjectInputFilter.java line 790:
> 788: * @return {@link Status#ALLOWED} if the predicate on the class returns {@code true},
> 789: * otherwise {@link Status#UNDECIDED}
> 790: */
The return is "a filter that ..."
-------------
PR: https://git.openjdk.java.net/jdk/pull/3996
More information about the core-libs-dev
mailing list