RFR: 8264859: Implement Context-Specific Deserialization Filters [v10]
Brent Christian
bchristi at openjdk.java.net
Wed May 26 23:36:11 UTC 2021
On Wed, 26 May 2021 16:48:53 GMT, Roger Riggs <rriggs at openjdk.org> wrote:
>> JEP 415: Context-specific Deserialization Filters extends the deserialization filtering mechanisms with more flexible and customizable protections against malicious deserialization. See JEP 415: https://openjdk.java.net/jeps/415.
>> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are extended with additional
>> configuration mechanisms and filter utilities.
>>
>> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and `ObjectInputStream`:
>> http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
>
> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
>
> Editorial updates to review comments.
> Simplify the builtin filter factory implementation.
> Add atomic update to setting the filter factory.
> Clarify the description of OIS.setObjectInputFilter.
> Cleanup of the example code.
test/jdk/java/io/Serializable/serialFilter/SerialFilterFactoryTest.java line 328:
> 326: public void current(ObjectInputFilter current) {
> 327: this.current = current;
> 328: }
Is this current() used anywhere ?
test/jdk/java/io/Serializable/serialFilter/SerialFilterFactoryTest.java line 332:
> 330: public void next(ObjectInputFilter next) {
> 331: this. next = next;
> 332: }
Is this next() used anywhere ?
-------------
PR: https://git.openjdk.java.net/jdk/pull/3996
More information about the core-libs-dev
mailing list