RFR: 8277322: Document that setting an invalid property `jdk.serialFilter` disables deserialization
Jaikiran Pai
jpai at openjdk.java.net
Tue Nov 23 02:36:09 UTC 2021
On Mon, 22 Nov 2021 19:57:25 GMT, Roger Riggs <rriggs at openjdk.org> wrote:
> The effects of an invalid `jdk.serialFilter` property are not completely documented. If the value of the system property jdk.serialFilter is invalid, deserialization should not be possible and it should be clear in the specification.
>
> Specify an implementation specific exception is thrown in the case where deserialization is invoked after reporting the invalid jdk.serialFilter.
src/java.base/share/classes/java/io/ObjectInputFilter.java line 530:
> 528: * and the initialization fails; subsequent attempts to use the configuration or
> 529: * serialization will fail with an implementation specific exception.
> 530: * If the system property {@code jdk.serialFilter} is not set on the command line
Hello Roger,
Thank you for rearranging these lines. It reads much more clearly. One tiny final question - this new line now states `If the system property {@code jdk.serialFilter} is not set on the command line it can be set with ....`. However, this property if not set on the command line could have instead been set as a `java.security.Security` property (in a file). The javadoc does mention this a few lines back. So do you think this new line should be reworded to something like `If the filter is neither set as a system property on the command line nor as a security property then it can be set with...`
-------------
PR: https://git.openjdk.java.net/jdk/pull/6508
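To make the behaviour being documented concrete, here is a small stand-alone Java program (an added example, not code from the PR or from the JDK) that builds per-stream filters from `jdk.serialFilter`-style pattern strings with `ObjectInputFilter.Config.createFilter`, shows an allow-list pattern accepting a class and a reject-all pattern causing `readObject` to fail, and shows that a malformed pattern is rejected at filter-construction time. The `Note` class and the pattern strings are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerialFilterDemo {

    // Constructed sample payload class for the demonstration.
    static final class Note implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Note(String text) { this.text = text; }
    }

    // Serialize an object graph into a byte array.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with a per-stream filter built from a pattern string using the
    // same grammar as the jdk.serialFilter system/security property.
    static Object deserialize(byte[] bytes, String pattern)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new Note("hello"));

        // Allow-list: permit the payload class and java.lang.*, reject everything else.
        Note ok = (Note) deserialize(bytes, "SerialFilterDemo$Note;java.lang.*;!*");
        System.out.println("allowed: " + ok.text);

        // Reject-all pattern: the class is rejected and readObject throws.
        try {
            deserialize(bytes, "!*");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Malformed pattern (maxdepth needs a non-negative integer):
        // createFilter refuses it with IllegalArgumentException.
        try {
            ObjectInputFilter.Config.createFilter("maxdepth=notanumber");
        } catch (IllegalArgumentException e) {
            System.out.println("invalid pattern: " + e.getMessage());
        }
    }
}
```

The last case is the process-wide situation the javadoc change is about: if that same malformed pattern is supplied as the system property on the command line (`java -Djdk.serialFilter='maxdepth=notanumber' SerialFilterDemo`) or as the security property, the filter configuration fails to initialize and, per the text under review, any later attempt to use the configuration or to deserialize fails with an implementation-specific exception rather than proceeding unfiltered.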
More information about the core-libs-dev mailing list