RFR: 8273660: De-Serialization Stack is suppressing ClassNotFoundException [v2]
Roger Riggs
rriggs at openjdk.java.net
Fri Oct 29 15:35:50 UTC 2021
> The ObjectInputStream.GetField method `get(String name, Object val)` should have been throwing
> a ClassNotFoundException if the class was not found. Instead the implementation was returning null.
> A design error does not allow the `get(String name, Object val)` method to throw CNFE as it should.
> However, an exception must be thrown to prevent invalid data from being returned.
> Wrapping the CNFE in IOException allows it to be thrown and the exception handled.
> The call to `get(String name, Object val)` is always from within a `readObject` method
> so the deserialization logic can catch the IOException and unwrap it to handle the CNFE.
Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
Correct comment on the handling of ClassNotFoundException
-------------
Changes:
- all: https://git.openjdk.java.net/jdk/pull/6053/files
- new: https://git.openjdk.java.net/jdk/pull/6053/files/bc467cab..438548e9
Webrevs:
- full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6053&range=01
- incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6053&range=00-01
Stats: 2 lines in 1 file changed: 1 ins; 0 del; 1 mod
Patch: https://git.openjdk.java.net/jdk/pull/6053.diff
Fetch: git fetch https://git.openjdk.java.net/jdk pull/6053/head:pull/6053
PR: https://git.openjdk.java.net/jdk/pull/6053
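How a custom `readObject` would handle the wrapped exception described above, as an added example that is not code from the PR or the JDK; the class `Envelope`, its fields, and the use of `getCause()` to recover the ClassNotFoundException are assumptions:

```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;

// Added example (not from the PR). A Serializable class whose readObject uses
// GetField.get(String, Object) for a field whose class may be missing at
// deserialization time. Assumption: the stream wraps the ClassNotFoundException
// in an IOException whose getCause() is the CNFE, as the PR text describes.
public final class Envelope implements Serializable {
    private static final long serialVersionUID = 1L;

    private int version;
    private Object payload;   // concrete class only known from the stream

    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        ObjectInputStream.GetField fields = in.readFields();
        version = fields.get("version", 0);
        try {
            payload = fields.get("payload", null);
        } catch (IOException e) {
            // Before the fix a missing class silently produced null here.
            // With the fix the CNFE arrives wrapped; unwrap and rethrow it so
            // the caller sees a failed deserialization, not a quietly null field.
            Throwable cause = e.getCause();
            if (cause instanceof ClassNotFoundException) {
                throw (ClassNotFoundException) cause;
            }
            throw e;
        }
        // Reaching here, a null payload means the stream really wrote null,
        // which is now distinguishable from a class-resolution failure.
    }
}
```

Deserialization callers that previously tolerated a null `payload` should expect a ClassNotFoundException instead once this handling is in place.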