RFR: 8264859: Implement Context-Specific Deserialization Filters [v3]
Brent Christian
bchristi at openjdk.java.net
Fri May 21 03:06:34 UTC 2021
On Thu, 20 May 2021 16:10:11 GMT, Roger Riggs <rriggs at openjdk.org> wrote:
>> JEP 415: Context-specific Deserialization Filters extends the deserialization filtering mechanisms with more flexible and customizable protections against malicious deserialization. See JEP 415: https://openjdk.java.net/jeps/415.
>> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are extended with additional
>> configuration mechanisms and filter utilities.
>>
>> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and `ObjectInputStream`:
>> http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
>
> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
>
> Simplify factory interface to BinaryOperator<ObjectInputFilter> and cleanup the example
src/java.base/share/classes/java/io/ObjectInputStream.java line 193:
> 191: * the state.
> 192: *
> 193: * The deserialization filter for a stream is determined in one of the following ways:
Should this line start with a `<p>` ?
-------------
PR: https://git.openjdk.java.net/jdk/pull/3996
More information about the core-libs-dev
mailing list