Webrev request: JDK-8015081

Wang Weijun weijun.wang at oracle.com
Thu Jun 12 09:40:37 UTC 2014


Why

@@ -968,14 +963,10 @@

         readOnly = gf.get("readOnly", false);
 
         Set<Principal> inputPrincs = (Set<Principal>)gf.get("principals", null);
 
         // Rewrap the principals into a SecureSet

-        if (inputPrincs == null) {
-            throw new NullPointerException
-                (ResourcesMgr.getString("invalid.null.input.s."));
-        }

         try {
             principals = Collections.synchronizedSet(new SecureSet<Principal>
                                 (this, PRINCIPAL_SET, inputPrincs));
         } catch (NullPointerException npe) {
             // Sometimes people deserialize the principals set only.


It looks you accept principals being null in serialized form. (Of course, the new object contains a non-null one).

Thanks
Max

On Jun 12, 2014, at 17:26, Jamil Nimeh <jamil.j.nimeh at oracle.com> wrote:

> Next round: This one incorporates Weijun's comments and cleans up a couple warnings in the test code.
> 
> http://cr.openjdk.java.net/~weijun/8015081/webrev.05/
> 
> --Jamil




More information about the security-dev mailing list