RFR: 8264859: Implement Context-Specific Deserialization Filters [v5]
Roger Riggs
rriggs at openjdk.java.net
Mon May 24 15:59:00 UTC 2021
On Mon, 24 May 2021 10:23:01 GMT, Chris Hegarty <chegar at openjdk.org> wrote:
>> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Editorial javadoc updated based on review comments.
>> Clarified behavior of rejectUndecidedClass method.
>> Example test added to check status returned from file.
>
> src/java.base/share/classes/java/io/ObjectInputFilter.java line 770:
>
>> 768: /**
>> 769: * Returns a filter that returns {@code Status.ALLOWED} if the predicate on the class is {@code true},
>> 770: * otherwise the {@code otherStatus}.
>
> I originally overlooked the fact that UNDECIDED can be returned by these filters. Would it be clearer to drop "otherwise the otherStatus" ?? I also wonder if otherStatus carries its own weight? How useful is it to return an otherStatus that is not UNDECIDED?
A filter author may prefer to return REJECTED if the predicate fails.
It gives the developer control on when UNDECIDED values can be part of a filter expression.
-------------
PR: https://git.openjdk.java.net/jdk/pull/3996
More information about the core-libs-dev
mailing list