RFR: 8273660: De-Serialization Stack is suppressing ClassNotFoundException [v2]
Naoto Sato
naoto at openjdk.java.net
Fri Oct 29 16:18:10 UTC 2021
On Fri, 29 Oct 2021 15:35:50 GMT, Roger Riggs <rriggs at openjdk.org> wrote:
>> The ObjectInputStream.GetField method `get(String name, Object val)` should have been throwing
>> a ClassNotFoundException if the class was not found. Instead the implementation was returning null.
>> A design error does not allow the `get(String name, Object val)` method to throw CNFE as it should.
>> However, an exception must be thrown to prevent invalid data from being returned.
>> Wrapping the CNFE in IOException allows it to be thrown and the exception handled.
>> The call to `get(String name, Object val)` is always from within a `readObject` method
>> so the deserialization logic can catch the IOException and unwrap it to handle the CNFE.
>
> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
>
> Correct comment on the handling of ClassNotFoundException
Marked as reviewed by naoto (Reviewer).
-------------
PR: https://git.openjdk.java.net/jdk/pull/6053
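The following is an added, self-contained example illustrating the situation the PR description above is about; it is not code from the PR, from OpenJDK, or from either participant in this thread. The class names (`GetFieldCnfeDemo`, `Holder`, `Payload`, `ClassHidingStream`) are my own, and the "missing class" is simulated by overriding `resolveClass` on a reader-side `ObjectInputStream` so that the stream records a `ClassNotFoundException` for the `Payload` field exactly as it would if the class were absent from the classpath. The comments describing pre-fix versus post-fix behaviour are taken from the PR description, not verified against a particular JDK build.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;

// Added example (not from the PR): what a custom readObject sees when the class of
// a field value cannot be resolved and the value is read via GetField.get(String, Object).
public class GetFieldCnfeDemo {

    // Hypothetical field type that we will pretend is absent on the reading side.
    static class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        String tag = "constructed";
    }

    // Hypothetical owning class with a custom readObject that uses the GetField API.
    static class Holder implements Serializable {
        private static final long serialVersionUID = 1L;
        Payload payload = new Payload();
        int count = 3;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            ObjectInputStream.GetField f = in.readFields();
            count = f.get("count", 0);
            // Pre-fix behaviour (per the PR description): if Payload cannot be resolved,
            // this returns null instead of reporting the ClassNotFoundException.
            // Post-fix behaviour: get throws an IOException whose cause is the CNFE,
            // which the deserialization logic unwraps, so no bogus null is returned here.
            payload = (Payload) f.get("payload", null);
            // Defensive check that does not depend on which JDK is in use: never
            // accept a null where the stream was supposed to carry an object.
            if (payload == null) {
                throw new InvalidObjectException("payload field resolved to null");
            }
        }
    }

    // Simulates a missing class on the reading side by refusing to resolve Payload.
    // ObjectInputStream records the CNFE against that object and keeps reading,
    // which is the situation GetField.get(String, Object) has to report.
    static class ClassHidingStream extends ObjectInputStream {
        ClassHidingStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (desc.getName().equals(Payload.class.getName())) {
                throw new ClassNotFoundException("simulated missing class " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    // Serializes the object to a byte array so the demo needs no file or network input.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] bytes = serialize(new Holder());   // constructed in-process, not external data
        try (ObjectInputStream in = new ClassHidingStream(new ByteArrayInputStream(bytes))) {
            Holder h = (Holder) in.readObject();
            System.out.println("unexpected: deserialized " + h + " with payload " + h.payload);
        } catch (ClassNotFoundException e) {
            // Fixed JDK: the CNFE surfaces from readObject as it should.
            System.out.println("ClassNotFoundException surfaced: " + e.getMessage());
        } catch (InvalidObjectException e) {
            // Unfixed JDK: get returned null silently; only our own check noticed.
            System.out.println("null slipped through GetField.get: " + e.getMessage());
        } catch (IOException e) {
            // Wrapped form, should the IOException carrying the CNFE reach the caller as-is.
            if (e.getCause() instanceof ClassNotFoundException) {
                System.out.println("IOException wrapping CNFE: " + e.getCause().getMessage());
            } else {
                throw e;
            }
        }
    }
}
```

The point for anyone writing a `readObject` that relies on `GetField.get(String, Object)`: before this change a missing class for the field's value was indistinguishable from a genuinely null field, so a null check like the one in `Holder.readObject` was the only way to avoid silently accepting incomplete data. With the change, the failure is reported as an exception and the null check simply becomes belt-and-braces validation.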
More information about the core-libs-dev mailing list