On Thu, 20 May 2021 16:10:11 GMT, Roger Riggs <rri...@openjdk.org> wrote:

>> JEP 415: Context-specific Deserialization Filters extends the 
>> deserialization filtering mechanisms with more flexible and customizable 
>> protections against malicious deserialization.  See JEP 415: 
>> https://openjdk.java.net/jeps/415.
>> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are 
>> extended with additional
>> configuration mechanisms and filter utilities.
>> 
>> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and 
>> `ObjectInputStream`:
>>     
>> http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
>
> Roger Riggs has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   Simplify factory interface to BinaryOperator<ObjectInputFilter> and cleanup 
> the example

src/java.base/share/classes/java/io/ObjectInputStream.java line 201:

> 199:  *     when a filter is set for a stream.
> 200:  *     The filter factory determines the filter to be used for each 
> stream based
> 201:  *     on its inputs, thread context, other filters, or state that is 
> available.

Maybe a link to the ObjectInputFilter API documentation, where it is explained 
what the two filters passed to the factory are in each of these cases, should be 
provided here.

Namely: 

- in the constructor, `factory.apply(null, Config.getSerialFilter())` is 
invoked.
- in `setObjectInputFilter(newFilter)`, `factory.apply(filter, newFilter)` is 
invoked, where `filter` is the filter that the stream is currently using.

Or maybe link to the constructor and setObjectInputFilter method where this is 
explained.

src/java.base/share/classes/java/io/ObjectInputStream.java line 204:

> 202:  * <li>If a JVM-wide filter factory is not set, a builtin 
> deserialization filter factory
> 203:  *     provides the {@link Config#getSerialFilter static JVM-wide 
> filter} when invoked from the
> 204:  *     {@link ObjectInputStream#ObjectInputStream(InputStream) 
> ObjectInputStream constructors}

These two links should be `{@linkplain ...}`

src/java.base/share/classes/java/io/ObjectInputStream.java line 1255:

> 1253:      * Returns the serialization filter for this stream.
> 1254:      * The filter is the result of invoking the
> 1255:      * {@link Config#getSerialFilterFactory() JVM-wide filter factory}

`{@linkplain }`

-------------

PR: https://git.openjdk.java.net/jdk/pull/3996
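The two factory invocations spelled out in the review comment above, shown end to end as an added example that is not part of the PR or of the JDK sources. It uses the JEP 415 API as it shipped in JDK 17 (`ObjectInputFilter.Config.setSerialFilterFactory`, `ObjectInputFilter.merge`, `ObjectInputFilter.rejectUndecidedClass`, `Config.createFilter`); the `FACTORY` lambda, the `BASELINE` pattern, the class name `FilterFactoryDemo` and the sample payload are all constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.function.BinaryOperator;

/*
 * Added example, not part of the PR or of the JDK sources. Demonstrates the two
 * factory invocations named in the review comment, using the JEP 415 API as it
 * shipped in JDK 17. The factory, the baseline pattern and the sample payload
 * are constructed for this example.
 */
public class FilterFactoryDemo {

    // Deny-by-default baseline used when no JVM-wide filter is configured:
    // classes from module java.base are allowed, everything else is rejected,
    // and depth/array-length limits guard against resource-exhaustion graphs.
    static final ObjectInputFilter BASELINE =
            ObjectInputFilter.Config.createFilter("java.base/*;maxdepth=8;maxarray=1000;!*");

    // Hypothetical factory. The stream calls it at exactly two points:
    //   constructor:              apply(null, Config.getSerialFilter())
    //   setObjectInputFilter(f):  apply(<filter currently in force>, f)
    static final BinaryOperator<ObjectInputFilter> FACTORY = (current, next) -> {
        System.out.printf("factory(current=%s, next=%s)%n", current, next);
        if (current == null) {
            // Constructor call. 'next' is the JVM-wide filter, which is null when
            // no jdk.serialFilter property is set. Returning null would make the
            // constructor throw IllegalStateException, so fall back to the baseline.
            return next != null ? next : BASELINE;
        }
        // setObjectInputFilter call. Compose rather than replace: merge() lets a
        // REJECTED from either side win, so the stream-specific filter can only
        // narrow what the baseline permits, and any class neither filter decides
        // on is rejected instead of slipping through as UNDECIDED.
        return ObjectInputFilter.rejectUndecidedClass(ObjectInputFilter.merge(next, current));
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, ObjectInputFilter streamFilter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            // The constructor has already run FACTORY.apply(null, Config.getSerialFilter()).
            if (streamFilter != null) {
                ois.setObjectInputFilter(streamFilter); // runs FACTORY.apply(current, streamFilter)
            }
            System.out.println("filter in force: " + ois.getObjectInputFilter());
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Must be installed before the first ObjectInputStream is constructed, and
        // only once; a later call throws IllegalStateException.
        ObjectInputFilter.Config.setSerialFilterFactory(FACTORY);

        // Constructed sample payload: an ArrayList<String>, all classes from java.base.
        List<String> payload = new ArrayList<>(List.of("alpha", "beta"));
        byte[] bytes = serialize(payload);

        // 1) No stream-specific filter: only the constructor invocation happens and
        //    the baseline admits java.util.ArrayList and java.lang.String.
        System.out.println("read 1: " + deserialize(bytes, null));

        // 2) A stream-specific filter that rejects ArrayList: the factory merges it
        //    with the baseline and the same bytes are now refused.
        ObjectInputFilter noLists = ObjectInputFilter.Config.createFilter("!java.util.ArrayList");
        try {
            deserialize(bytes, noLists);
        } catch (InvalidClassException e) {
            System.out.println("read 2 rejected: " + e.getMessage());
        }
    }
}
```

Running it prints the factory's arguments for each invocation: `(null, <JVM-wide filter or null>)` from the constructor and `(<baseline>, !java.util.ArrayList)` from `setObjectInputFilter`. The design point is the second branch: because the factory sees the filter already in force, a stream-specific filter cannot silently replace the JVM-wide policy, only refine it.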
