RFR: 8273660: De-Serialization Stack is suppressing ClassNotFoundException

Daniel Fuchs dfuchs at openjdk.java.net
Fri Oct 29 15:09:10 UTC 2021


On Wed, 20 Oct 2021 21:57:29 GMT, Roger Riggs <rriggs at openjdk.org> wrote:

> The ObjectInputStream.GetField method `get(String name, Object val)` should have been throwing
> a ClassNotFoundException if the class was not found. Instead, the implementation was returning null.
> A design error does not allow the `get(String name, Object val)` method to throw CNFE as it should.
> However, an exception must be thrown to prevent invalid data from being returned.
> Wrapping the CNFE in IOException allows it to be thrown and the exception handled.
> The call to `get(String name, Object val)` is always from within a `readObject` method,
> so the deserialization logic can catch the IOException and unwrap it to handle the CNFE.

src/java.base/share/classes/java/io/ObjectInputStream.java line 2663:

> 2661:                 ClassNotFoundException ex = handles.lookupException(objHandle);
> 2662:                 if (ex != null) {
> 2663:                     // Wrap the exception so it can be handled in GetField.get(String, Object)

I am not sure I understand this comment. We are in `GetField.get(String, Object)`, aren't we?

-------------

PR: https://git.openjdk.java.net/jdk/pull/6053
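A worked illustration of the scenario the PR description talks about, added here as an example; it is not code from the PR, from the JDK, or from either reviewer. A `Holder` object carries a `payload` field whose class cannot be resolved when the stream is read back, and `Holder.readObject` retrieves that field through `GetField.get(String, Object)`. The absent class is simulated (an assumption of the example) by an `ObjectInputStream` subclass whose `resolveClass` throws `ClassNotFoundException` for `Payload`; the class names are illustrative. The JDK-internal wrapping and unwrapping of the CNFE is not shown because it happens inside `ObjectInputStream`; what the example shows is the caller-side consequence: on a JDK with the change, `get` throws for the unresolvable class, while on an older JDK it returns null, which the `readObject` below refuses rather than reconstructing the object with invalid state.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;

/**
 * Added example, not code from the PR or the JDK. Reproduces a field whose class
 * cannot be resolved at read time, read back via GetField.get(String, Object).
 * The missing class is simulated (assumption) by MissingPayloadStream.
 */
public class GetFieldCnfeDemo {

    /** The class that the reading side will be unable to resolve. */
    static final class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String data;
        Payload(String data) { this.data = data; }
    }

    /** Reads its one field through the GetField API and refuses a silent null. */
    static final class Holder implements Serializable {
        private static final long serialVersionUID = 1L;
        private Object payload;   // always non-null when written
        Holder(Object payload) { this.payload = payload; }

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            ObjectInputStream.GetField fields = in.readFields();
            // On a JDK with the fix this call throws for an unresolvable class;
            // on an older JDK it returns null, which the check below rejects so
            // that the object is never reconstructed with invalid state.
            Object p = fields.get("payload", null);
            if (p == null) {
                throw new InvalidObjectException(
                        "payload field could not be reconstructed from the stream");
            }
            payload = p;
        }
    }

    /** Simulates the Payload class being absent at read time (assumption). */
    static final class MissingPayloadStream extends ObjectInputStream {
        MissingPayloadStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (desc.getName().equals(Payload.class.getName())) {
                throw new ClassNotFoundException(desc.getName() + " (simulated as absent)");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new Holder(new Payload("sample")));

        // Normal round trip: the class resolves and the field is restored.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            Holder h = (Holder) in.readObject();
            System.out.println("resolved: payload class = " + h.payload.getClass().getSimpleName());
        }

        // Same bytes, but Payload cannot be resolved: deserialization must fail,
        // not hand back a Holder whose payload is quietly null.
        try (ObjectInputStream in = new MissingPayloadStream(new ByteArrayInputStream(bytes))) {
            in.readObject();
            System.out.println("unexpected: Holder deserialized without its payload");
        } catch (ClassNotFoundException | IOException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

Compile and run with `javac GetFieldCnfeDemo.java && java GetFieldCnfeDemo`. The first read prints the resolved payload class; the second is rejected with either a `ClassNotFoundException` or an `InvalidObjectException`, depending on whether the running JDK contains the change under review. The defensive null check in `readObject` is the part worth carrying into real code: a field that was non-null when written and comes back null from `GetField.get` is corrupt data, whatever the JDK does with the underlying CNFE.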

