RFR: 8264859: Implement Context-Specific Deserialization Filters [v7]

Chris Hegarty chegar at openjdk.java.net
Tue May 25 10:18:34 UTC 2021


On Mon, 24 May 2021 21:57:50 GMT, Roger Riggs <rriggs at openjdk.org> wrote:

>> JEP 415: Context-specific Deserialization Filters extends the deserialization filtering mechanisms with more flexible and customizable protections against malicious deserialization.  See JEP 415: https://openjdk.java.net/jeps/415.
>> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are extended with additional
>> configuration mechanisms and filter utilities.
>> 
>> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and `ObjectInputStream`:
>>     http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
>
> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Move merge and rejectUndecidedClass methods to OIF.Config
>   As default methods on OIF, their implementations were not concrete and not trustable

The conf/security/java.security file will need to be updated as part of this change. It does not have an entry for the factory property, and its description of jdk.serialFilter will no longer be accurate, since the filter set by jdk.serialFilter may no longer have any impact on OIS if a filter factory is specified as either a system property or a security property.

-------------

PR: https://git.openjdk.java.net/jdk/pull/3996
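The point raised above, that a filter factory decides whether the jdk.serialFilter policy still reaches a stream at all, is easy to see in code. The following is an added example and not code from the PR or the JDK; it uses the API as it shipped in JDK 17 (where `merge` is a static method on `ObjectInputFilter`, whereas this PR revision places it in `ObjectInputFilter.Config`). The class name, the two filter patterns and the serialized payloads are constructed for the demo; `Config.setSerialFilter` stands in for `-Djdk.serialFilter=...`, and `Config.setSerialFilterFactory` stands in for the `jdk.serialFilterFactory` property that would name the factory class in production.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.function.BinaryOperator;

/*
 * Added example (not from the PR): once a serial filter factory is installed, whether
 * the process-wide filter (the one jdk.serialFilter would set) still affects an
 * ObjectInputStream is entirely the factory's decision.
 *
 *   java FilterFactoryDemo merge    -> factory keeps the process-wide filter in the chain
 *   java FilterFactoryDemo ignore   -> factory drops it; only the stream's own filter applies
 *
 * Run without -Djdk.serialFilter / -Djdk.serialFilterFactory: each Config setter below
 * may be called only once per process, and the factory only before the first
 * ObjectInputStream is created (IllegalStateException otherwise).
 */
public class FilterFactoryDemo {

    // Stand-in for the filter jdk.serialFilter would install (constructed for this demo):
    // allow classes in package java.lang, reject everything else.
    static final ObjectInputFilter PROCESS_WIDE_FILTER =
            ObjectInputFilter.Config.createFilter("java.lang.*;!*");

    // The filter an application installs per stream with setObjectInputFilter.
    // It only limits stream size and is UNDECIDED about every class.
    static final ObjectInputFilter STREAM_FILTER =
            ObjectInputFilter.Config.createFilter("maxbytes=4096");

    // Factory that ignores both arguments: the process-wide filter never reaches the stream.
    static final BinaryOperator<ObjectInputFilter> IGNORING_FACTORY =
            (current, next) -> STREAM_FILTER;

    // Factory that keeps the chain. On stream creation the JDK calls it with
    // current == null and next == Config.getSerialFilter(); on setObjectInputFilter it
    // passes the stream's current filter and the requested one. merge() yields REJECTED
    // if either side rejects, so a per-stream filter cannot loosen the process-wide policy.
    static final BinaryOperator<ObjectInputFilter> MERGING_FACTORY = (current, next) -> {
        if (current == null) return next;
        if (next == null) return current;
        return ObjectInputFilter.merge(current, next);
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the per-stream filter installed and report what the chain decided.
    static String readWithStreamFilter(byte[] bytes) {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(STREAM_FILTER);   // the factory is consulted again here
            return "allowed " + ois.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected (" + e.getMessage() + ")";
        } catch (IOException | ClassNotFoundException e) {
            return "error " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        boolean ignore = args.length > 0 && args[0].equals("ignore");
        ObjectInputFilter.Config.setSerialFilter(PROCESS_WIDE_FILTER);
        ObjectInputFilter.Config.setSerialFilterFactory(ignore ? IGNORING_FACTORY : MERGING_FACTORY);

        List<Integer> list = new ArrayList<>();
        list.add(1);
        byte[] integerPayload = serialize(Integer.valueOf(42));   // java.lang.Integer: inside the policy
        byte[] listPayload = serialize(list);                     // java.util.ArrayList: outside the policy

        System.out.println("factory   = " + (ignore ? "ignore" : "merge"));
        System.out.println("Integer   -> " + readWithStreamFilter(integerPayload));
        System.out.println("ArrayList -> " + readWithStreamFilter(listPayload));
    }
}
```

With `merge`, the ArrayList payload is rejected with an `InvalidClassException`, because the process-wide `!*` pattern is still consulted for every stream. With `ignore`, the same payload deserializes, because the factory hands every stream a filter that says nothing about classes; the jdk.serialFilter value has no effect even though it was set, which is exactly why the java.security description of jdk.serialFilter needs to mention the factory. A factory installed through the `jdk.serialFilterFactory` property behaves the same way, so reviewers of a deployment should read the factory's `apply` method, not just the jdk.serialFilter pattern, to learn what actually gets enforced.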

