RFR: 8264859: Implement Context-Specific Deserialization Filters [v8]
Roger Riggs
rriggs at openjdk.java.net
Tue May 25 15:46:37 UTC 2021
> JEP 415: Context-specific Deserialization Filters extends the deserialization filtering mechanisms with more flexible and customizable protections against malicious deserialization. See JEP 415: https://openjdk.java.net/jeps/415.
> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are extended with additional
> configuration mechanisms and filter utilities.
>
> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and `ObjectInputStream`:
> http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
Roger Riggs has updated the pull request incrementally with two additional commits since the last revision:
- Moved utility filter methods to be static on ObjectInputFilter
  Rearranged the class javadoc of OIF to describe the parts of
  deserialization filtering, filters, composite filters, and the filter factory.
  And other review comment updates...
- Refactored tests for utility functions to SerialFilterFunctionTest.java
  Deleted confused Config.allowMaxLimits() method
  Updated example to match move of methods to Config
  Added test of restriction on setting the filter factory after an OIS has been created
  Additional Editorial updates
-------------
Changes:
- all: https://git.openjdk.java.net/jdk/pull/3996/files
- new: https://git.openjdk.java.net/jdk/pull/3996/files/141bf720..9573ae11
Webrevs:
- full: https://webrevs.openjdk.java.net/?repo=jdk&pr=3996&range=07
- incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=3996&range=06-07
Stats: 1040 lines in 7 files changed: 533 ins; 397 del; 110 mod
Patch: https://git.openjdk.java.net/jdk/pull/3996.diff
Fetch: git fetch https://git.openjdk.java.net/jdk pull/3996/head:pull/3996
PR: https://git.openjdk.java.net/jdk/pull/3996
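As an added example, not code from this PR or from the JDK, here is the pattern the JEP describes: a process-wide filter factory that composes a per-stream, context-specific allow-list with global limits. It is written against the JEP 415 API as it shipped in JDK 17 (the commit messages above show method placement still moving in this revision); `LIMITS`, `factory`, `Point` and `read` are names made up for the example.

```java
import java.io.*;
import java.util.function.Predicate;

public class ContextFilterDemo {
    // Process-wide guard rails only: resource limits, no class decisions,
    // so each deserialization context supplies its own class allow-list.
    static final ObjectInputFilter LIMITS =
            ObjectInputFilter.Config.createFilter("maxdepth=4;maxarray=1000;maxrefs=500");

    // Filter factory: consulted when a stream is created (current == null) and
    // again whenever setObjectInputFilter is called on that stream.
    static ObjectInputFilter factory(ObjectInputFilter current, ObjectInputFilter next) {
        if (current == null) {                 // new stream: start from the global limits
            return next == null ? LIMITS : ObjectInputFilter.merge(next, LIMITS);
        }
        if (next == null) return current;      // nothing requested, keep what we have
        // A context filter may only narrow: merge with the existing filter, then treat
        // any class neither filter decided on as rejected (no silent fall-through).
        return ObjectInputFilter.rejectUndecidedClass(ObjectInputFilter.merge(current, next));
    }

    static class Point implements Serializable { int x = 1, y = 2; }   // constructed payload

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserialize under a context-specific allow-list; classes outside it stay UNDECIDED
    // here and become REJECTED through the factory's rejectUndecidedClass wrapper.
    static Object read(byte[] bytes, Predicate<Class<?>> allowed) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(
                    ObjectInputFilter.allowFilter(allowed, ObjectInputFilter.Status.UNDECIDED));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Must happen once, before any ObjectInputStream exists (later calls throw).
        ObjectInputFilter.Config.setSerialFilterFactory(ContextFilterDemo::factory);
        Predicate<Class<?>> onlyPoint = c -> c == Point.class;

        Point p = (Point) read(serialize(new Point()), onlyPoint);
        System.out.println("accepted: Point(" + p.x + "," + p.y + ")");
        try {
            read(serialize(new java.util.Date()), onlyPoint);   // not on the allow-list
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());  // filter status: REJECTED
        }
    }
}
```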
More information about the core-libs-dev mailing list