RFR: 8264859: Implement Context-Specific Deserialization Filters [v3]
Roger Riggs
rriggs at openjdk.java.net
Mon May 24 23:02:15 UTC 2021
On Fri, 21 May 2021 16:26:46 GMT, Roger Riggs <rriggs at openjdk.org> wrote:
>> src/java.base/share/classes/java/io/ObjectInputFilter.java line 1139:
>>
>>> 1137: * and not classes.
>>> 1138: */
>>> 1139: private static class AllowMaxLimitsFilter implements ObjectInputFilter {
>>
>> This class is maybe misnamed. If limitCheck == REJECTED it will not allow max limits. Or am I missing something?
>
> Rejection always wins in the larger scheme of things; another filter may reject based on other limits.
> In the composition of filters, any UNDECIDED results must eventually be decided.
> This filter maps, for a limit check, the UNDECIDED to allowed; it does nothing for checks for classes.
> Other names considered, allowUnlimited(). Also, not guaranteed.
> Perhaps, something in the xxxElseYyy family. Will reconsider the name.
The allowMaxLimitsFilter will be removed; its definition is confusing and it is not clear how it would be used.
-------------
PR: https://git.openjdk.java.net/jdk/pull/3996
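The composition rules discussed in the quoted exchange (rejection always wins; an UNDECIDED limit check must eventually be decided, here to ALLOWED; class checks are left to a final deny-by-default step), as an added example that is not the PR's or the JDK's code. The combinator names `merge`, `allowUndecidedLimits` and `rejectUndecidedClasses` and the `Info` record are hypothetical; only `ObjectInputFilter`, `FilterInfo`, `Status` and `Config.createFilter` are the real API.

```java
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.FilterInfo;
import java.io.ObjectInputFilter.Status;

// Added example, not the PR's or the JDK's code. Models the rules stated in the
// thread: REJECTED from any filter wins, an UNDECIDED result for a limit check
// (serialClass() == null) is mapped to ALLOWED, and classes left UNDECIDED are
// rejected at the end. The combinator names are hypothetical.
public final class LimitAwareComposition {

    // Any REJECTED wins; otherwise ALLOWED if some filter allowed; else UNDECIDED.
    static ObjectInputFilter merge(ObjectInputFilter... filters) {
        return info -> {
            Status result = Status.UNDECIDED;
            for (ObjectInputFilter f : filters) {
                Status s = f.checkInput(info);
                if (s == Status.REJECTED) return Status.REJECTED;
                if (s == Status.ALLOWED) result = Status.ALLOWED;
            }
            return result;
        };
    }

    // Limit checks (no class) that nobody rejected become ALLOWED; class checks pass through.
    static ObjectInputFilter allowUndecidedLimits(ObjectInputFilter f) {
        return info -> {
            Status s = f.checkInput(info);
            return (s == Status.UNDECIDED && info.serialClass() == null) ? Status.ALLOWED : s;
        };
    }

    // Deny by default: a class no filter decided on is rejected, not deserialized.
    static ObjectInputFilter rejectUndecidedClasses(ObjectInputFilter f) {
        return info -> {
            Status s = f.checkInput(info);
            return (s == Status.UNDECIDED && info.serialClass() != null) ? Status.REJECTED : s;
        };
    }

    // Constructed FilterInfo for the demo; ObjectInputStream supplies the real one.
    record Info(Class<?> serialClass, long arrayLength, long depth, long references,
                long streamBytes) implements FilterInfo {}

    public static void main(String[] args) {
        // JDK pattern filter: a depth limit plus an allow-list. Without "!*" every
        // other class is UNDECIDED, so the final combinator decides it.
        ObjectInputFilter pattern = ObjectInputFilter.Config.createFilter("maxdepth=5;java.util.*");
        ObjectInputFilter composed = rejectUndecidedClasses(allowUndecidedLimits(merge(pattern)));

        System.out.println(composed.checkInput(new Info(null, -1, 2, 3, 100)));  // limit check within bounds
        System.out.println(composed.checkInput(new Info(null, -1, 9, 3, 100)));  // depth 9 exceeds maxdepth=5
        System.out.println(composed.checkInput(new Info(java.util.ArrayList.class, -1, 1, 1, 50)));   // allow-listed class
        System.out.println(composed.checkInput(new Info(java.math.BigInteger.class, -1, 1, 1, 50)));  // class nobody decided
    }
}
```

Each printed line is the `Status` the stream would act on; a REJECTED limit or class result makes `ObjectInputStream` throw `InvalidClassException` before the object is instantiated.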