RFR: 8264859: Implement Context-Specific Deserialization Filters [v3]
Roger Riggs
rriggs at openjdk.java.net
Fri May 21 16:30:02 UTC 2021
On Thu, 20 May 2021 19:04:25 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:
>> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Simplify factory interface to BinaryOperator<ObjectInputFilter> and cleanup the example
>
> src/java.base/share/classes/java/io/ObjectInputFilter.java line 1139:
>
>> 1137: * and not classes.
>> 1138: */
>> 1139: private static class AllowMaxLimitsFilter implements ObjectInputFilter {
>
> This class is maybe misnamed. If limitCheck == REJECTED it will not allow max limits. Or am I missing something?
Rejection always wins in the larger scheme of things; another filter may reject based on other limits.
In the composition of filters, any UNDECIDED results must eventually be decided.
This filter maps, for a limit check, the UNDECIDED to allowed; it does nothing for checks for classes.
Other names considered: allowUnlimited(). Also, not guaranteed.
Perhaps, something in the xxxElseYyy family. Will reconsider the name.
-------------
PR: https://git.openjdk.java.net/jdk/pull/3996
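
The semantics described in the reply above, as an added example that is not part of the original message or of the JDK patch. `undecidedLimitsAllowed` and `rejectWins` are hypothetical helpers written for illustration, and the `FilterInfo` values are constructed for the demo.

```java
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.FilterInfo;
import java.io.ObjectInputFilter.Status;

public class UndecidedLimitsDemo {
    // Hypothetical wrapper, not the patch's AllowMaxLimitsFilter: a limit check
    // (serialClass() == null) left UNDECIDED becomes ALLOWED. REJECTED and all
    // class checks pass through unchanged.
    static ObjectInputFilter undecidedLimitsAllowed(ObjectInputFilter limits) {
        return info -> {
            Status s = limits.checkInput(info);
            boolean limitCheck = info.serialClass() == null;
            return (limitCheck && s == Status.UNDECIDED) ? Status.ALLOWED : s;
        };
    }

    // Hypothetical composition: a rejection from either filter wins.
    static ObjectInputFilter rejectWins(ObjectInputFilter a, ObjectInputFilter b) {
        return info -> {
            Status sa = a.checkInput(info), sb = b.checkInput(info);
            if (sa == Status.REJECTED || sb == Status.REJECTED) return Status.REJECTED;
            return (sa == Status.ALLOWED || sb == Status.ALLOWED) ? Status.ALLOWED : Status.UNDECIDED;
        };
    }

    // Constructed FilterInfo; in real use ObjectInputStream supplies it.
    static FilterInfo info(Class<?> c, long depth, long bytes) {
        return new FilterInfo() {
            public Class<?> serialClass() { return c; }
            public long arrayLength() { return -1; }
            public long depth() { return depth; }
            public long references() { return 1; }
            public long streamBytes() { return bytes; }
        };
    }

    public static void main(String[] args) {
        ObjectInputFilter depthLimit = undecidedLimitsAllowed(
                ObjectInputFilter.Config.createFilter("maxdepth=5"));
        ObjectInputFilter other = ObjectInputFilter.Config.createFilter("maxbytes=32;java.lang.*");
        ObjectInputFilter composed = rejectWins(depthLimit, other);

        System.out.println("limit check, within both:  " + composed.checkInput(info(null, 2, 16)));
        System.out.println("limit check, depth > 5:    " + composed.checkInput(info(null, 9, 16)));
        System.out.println("limit check, bytes > 32:   " + composed.checkInput(info(null, 2, 64)));
        System.out.println("class java.lang.String:    " + composed.checkInput(info(String.class, 2, 16)));
        System.out.println("class java.util.ArrayList: " + composed.checkInput(info(java.util.ArrayList.class, 2, 16)));
    }
}
```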