RFR: 8264859: Implement Context-Specific Deserialization Filters [v7]

Roger Riggs rriggs at openjdk.java.net
Tue May 25 21:28:40 UTC 2021


On Tue, 25 May 2021 11:18:15 GMT, Chris Hegarty <chegar at openjdk.org> wrote:

>> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Move merge and rejectUndecidedClass methods to OIF.Config
>>   As default methods on OIF, their implementations were not concrete and not trustable
>
> src/java.base/share/classes/java/io/ObjectInputFilter.java line 400:
> 
>> 398:      * {@link BinaryOperator {@literal BinaryOperator<ObjectInputFilter>}} interface, provide its implementation and
>> 399:      * be accessible via the {@linkplain ClassLoader#getSystemClassLoader() application class loader}.
>> 400:      * The filter factory configured using the system or security property during initialization
> 
> What is the expected behaviour if the factory property is set to a non-class or non-accessible class? The current implementation does (it probably should be more graceful):
> 
> $ java -Djdk.serialFilterFactory=allow T
> Exception in thread "main" java.lang.ExceptionInInitializerError
> 	at java.base/java.io.ObjectInputFilter$Config.<clinit>(ObjectInputFilter.java:537)
> 	at java.base/java.io.ObjectInputStream.<init>(ObjectInputStream.java:394)
> 	at T.main(T.java:5)
> Caused by: java.lang.ClassNotFoundException: allow
> 	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:636)
> 	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:182)
> 	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:519)
> 	at java.base/java.lang.Class.forName0(Native Method)
> 	at java.base/java.lang.Class.forName(Class.java:466)
> 	at java.base/java.io.ObjectInputFilter$Config.<clinit>(ObjectInputFilter.java:519)
> 	... 2 more

If the factory class cannot be found, the exception must be fatal;
continuing to run without the filter would be a security risk.
ExceptionInInitializerError was the closest I could find.
I'll improve the message. Oddly, ExceptionInInitializerError does not allow both a message and initCause().
And the stacktrace for the ClassNotFoundException is not going to be very interesting.

-------------

PR: https://git.openjdk.java.net/jdk/pull/3996
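
A sketch of the fail-closed behaviour described in the reply above, as an added example that is not part of the original message and not the JDK's implementation. The property name `example.serialFilterFactory`, the class names, and the choice of `IllegalStateException` are assumptions made for illustration.

```java
import java.io.ObjectInputFilter;
import java.util.function.BinaryOperator;

public class FailClosedFactoryLoader {
    // Hypothetical property for this sketch; the JDK's own is jdk.serialFilterFactory.
    static final String PROP = "example.serialFilterFactory";

    /** Returns null if no factory is configured; throws if one is named but unusable. */
    @SuppressWarnings("unchecked")
    static BinaryOperator<ObjectInputFilter> load(String className) {
        if (className == null || className.isBlank()) {
            return null;
        }
        try {
            // Same lookup rule the javadoc describes: resolve via the application class loader.
            Class<?> c = Class.forName(className, true, ClassLoader.getSystemClassLoader());
            if (!BinaryOperator.class.isAssignableFrom(c)) {
                throw new ClassCastException(className + " is not a BinaryOperator");
            }
            return (BinaryOperator<ObjectInputFilter>) c.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | RuntimeException e) {
            // Fail closed: a typo in the property must stop startup, not silently
            // leave streams unfiltered. IllegalStateException is used here (an
            // assumption of this sketch) because it carries both message and cause.
            throw new IllegalStateException("Cannot load filter factory '" + className
                    + "' named by " + PROP + "; refusing to run without it", e);
        }
    }

    /** Constructed sample factory: always enforces one fixed allow-list. */
    public static final class FixedAllowList implements BinaryOperator<ObjectInputFilter> {
        private static final ObjectInputFilter BASE =
                ObjectInputFilter.Config.createFilter("java.base/*;!*");
        @Override
        public ObjectInputFilter apply(ObjectInputFilter current, ObjectInputFilter next) {
            return BASE;
        }
    }

    public static void main(String[] args) {
        String name = System.getProperty(PROP, FixedAllowList.class.getName());
        System.out.println("configured   -> " + load(name));
        try {
            load("allow"); // the value from the report above: not a class name
        } catch (IllegalStateException e) {
            System.out.println("invalid name -> " + e.getMessage());
            System.out.println("cause        -> " + e.getCause());
        }
    }
}
```

Errors such as `NoClassDefFoundError` thrown while loading the factory class are deliberately not caught, so they also abort startup.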

