[12] RFR 8193859: Allow user provided ObjectInputFilter in SealedObject and SignedObject
Roger Riggs
roger.riggs at oracle.com
Thu Aug 23 14:12:11 UTC 2018
Hi,
The original basis for the security manager check was to ensure that the filter could not be replaced by untrusted code, including code in the classes being deserialized that have access to the ObjectInputStream.
Regards, Roger
On 8/23/18 10:00 AM, Weijun Wang wrote:
> This follows the convention of ObjectInputStream::setObjectInputFilter. IMHO, in that case the caller also creates the filter and it's only set on this input stream.
>
> Maybe we shouldn't have added the permission check there?
>
> Thanks
> Max
>
>> On Aug 23, 2018, at 4:55 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>
>> One thing I am curious about. Is there a reason why getObject(ObjectInputFilter) requires a permission check?
>>
>> In this case, the caller is the one creating the filter and passing it in, so the caller can only cause harm to themselves, and the ObjectInputStream is a local variable which is not returned. This method also does not mutate the contents of the SignedObject (or SealedObject) ... so I don't see the risk here. I think you can just wrap ObjectInputStream.setObjectInputFilter in doPrivileged.
>>
>> --Sean
>>
>> On 8/22/18 2:37 AM, Weijun Wang wrote:
>>> Updated webrev at
>>> http://cr.openjdk.java.net/~weijun/8193859/webrev.02/
>>> Changes:
>>> 1) More spec change
>>> - describing the filter in class spec
>>> - mentioning the system filter in existing getObject() methods
>>> - add "@throws InvalidClassException" to all getObject() methods
>>> 2) More test cases
>>> - check SecurityException when a security manager is set
>>> - set the system filter to see how existing getObject() works
>>> The 2 tests are very similar but they belong to jdk_security1 and jdk_security2. Therefore I haven't combined them.
>>> Thanks
>>> Max
>>>> On Aug 17, 2018, at 10:56 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
>>>>
>>>> Please take a review at the updated webrev at
>>>>
>>>> http://cr.openjdk.java.net/~weijun/8193859/webrev.01
>>>>
>>>> Changes only in doc, including
>>>>
>>>> 1) The "2018-8-15 updates" in the CSR [1]
>>>>
>>>> 2) formatting
>>>>
>>>> Thanks
>>>> Max
>>>>
>>>> [1] https://bugs.openjdk.java.net/browse/JDK-8193887
>>>>
>>>>> On Aug 14, 2018, at 11:19 PM, Roger Riggs <Roger.Riggs at Oracle.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> On 8/14/2018 10:59 AM, Weijun Wang wrote:
>>>>>> s/initial process-wide filter/system filter/?
>>>>> yes
>>>>>
>>>>> Roger
>>>>>
>>>>>> --Max
>>>>>>
>>>>>>> [1] 8202675 Replace process-wide terminology in serial filtering to be consistent
>>>>>>>
>>>>>>> Regards, Roger
>>>>>>>
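The two filter paths the thread talks about, as an added example that is not code from the JDK or from the webrev under review: a caller-created filter installed on a local ObjectInputStream that is never handed out (the convention behind the proposed getObject(ObjectInputFilter) overload), and the system filter that every ObjectInputStream picks up at construction, including the one SignedObject builds inside its existing getObject(). The proposed overload itself is not called, because the page does not fix its final shape; the example reproduces the mechanism with APIs that exist today. Payload, ALLOWED, callerFilter, serialize and readWithFilter are this example's own names, the payload is constructed, and no security manager is installed, so the permission check the thread debates is only noted in a comment, not exercised.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;
import java.util.Set;

// Constructed sample payload for this example (not from the page).
record Payload(String account, long amount) implements Serializable {}

public class SignedObjectFilterDemo {

    // Allow-list a caller would build for its own filter; anything else is rejected.
    static final Set<Class<?>> ALLOWED = Set.of(Payload.class, String.class);

    // The caller-created filter the thread talks about: built by the caller,
    // set on a stream the caller owns, never visible to the classes being read.
    static ObjectInputFilter callerFilter() {
        return info -> {
            // Resource limits first: these callbacks arrive with serialClass() == null.
            if (info.depth() > 8 || info.references() > 100 || info.arrayLength() > 1024) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return ALLOWED.contains(c) ? ObjectInputFilter.Status.ALLOWED
                                       : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Serializable obj) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        return bytes.toByteArray();
    }

    // Deserialize under a caller-supplied filter. The ObjectInputStream is a local
    // that is never returned, so the only party the filter can affect is the caller.
    // Under a security manager, setObjectInputFilter needs
    // SerializablePermission("serialFilter"); that is the check the thread debates.
    static Object readWithFilter(byte[] serialized, ObjectInputFilter filter) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(serialized))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair();
        Signature sig = Signature.getInstance("SHA256withECDSA");

        Payload p = new Payload("acct-42", 1500L);
        SignedObject signed = new SignedObject(p, kp.getPrivate(), sig);
        System.out.println("signature verifies: " + signed.verify(kp.getPublic(), sig));

        // 1. Caller-supplied allow-list filter on a locally owned stream.
        System.out.println("allowed by caller filter: " + readWithFilter(serialize(p), callerFilter()));
        try {
            readWithFilter(serialize(new java.util.Date()), callerFilter());
        } catch (InvalidClassException e) {
            System.out.println("rejected by caller filter: " + e.getMessage());
        }

        // 2. The system filter. It is set once per JVM (here, or via -Djdk.serialFilter)
        // and every ObjectInputStream created afterwards starts with it, including
        // the stream SignedObject builds inside getObject(). "!Payload" rejects that
        // class and leaves all others undecided, which the system filter permits.
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter("!Payload"));
        try {
            signed.getObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected by system filter: " + e.getMessage());
        }
    }
}
```

Order matters in the demo: setObjectInputFilter can throw IllegalStateException when the stream already carries a filter, and a stream created after the system filter is installed starts with that filter, so the caller-filter path runs first and the system filter is installed last. Rejections surface as InvalidClassException from readObject and from getObject, which is the @throws the webrev adds to the getObject() methods.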