On Tue, 25 May 2021 11:18:15 GMT, Chris Hegarty <che...@openjdk.org> wrote:
>> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
>>
>>   Move merge and rejectUndecidedClass methods to OIF.Config
>>   As default methods on OIF, their implementations were not concrete and not trustable
>
> src/java.base/share/classes/java/io/ObjectInputFilter.java line 400:
>
>> 398:      * {@link BinaryOperator {@literal BinaryOperator<ObjectInputFilter>}} interface, provide its implementation and
>> 399:      * be accessible via the {@linkplain ClassLoader#getSystemClassLoader() application class loader}.
>> 400:      * The filter factory configured using the system or security property during initialization
>
> What is the expected behaviour if the factory property is set to a non-class or non-accessible class? The current implementation does (it probably should be more graceful):
>
> $ java -Djdk.serialFilterFactory=allow T
> Exception in thread "main" java.lang.ExceptionInInitializerError
>         at java.base/java.io.ObjectInputFilter$Config.<clinit>(ObjectInputFilter.java:537)
>         at java.base/java.io.ObjectInputStream.<init>(ObjectInputStream.java:394)
>         at T.main(T.java:5)
> Caused by: java.lang.ClassNotFoundException: allow
>         at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:636)
>         at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:182)
>         at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:519)
>         at java.base/java.lang.Class.forName0(Native Method)
>         at java.base/java.lang.Class.forName(Class.java:466)
>         at java.base/java.io.ObjectInputFilter$Config.<clinit>(ObjectInputFilter.java:519)
>         ... 2 more

If the factory class can not be found, the exception must be fatal; continuing to run without the filter would be a security risk.
ExceptionInInitializerError was the closest I could find.
I'll improve the message. Oddly, ExceptionInInitializer does not allow both a message and initCause().
And the stacktrace for the ClassNotFoundException is not going to be very interesting.

-------------

PR: https://git.openjdk.java.net/jdk/pull/3996
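
The fail-closed behaviour discussed in this message, as an added example that is not part of the original e-mail and is not the JDK's own code. `FailClosedFactoryDemo`, `AllowListFactory`, `loadFactory`, the filter pattern and the use of `IllegalStateException` are assumptions made for illustration; only the property value `allow` comes from the report above.

```java
import java.io.ObjectInputFilter;
import java.util.function.BinaryOperator;

public class FailClosedFactoryDemo {

    // Hypothetical factory with the shape the quoted javadoc requires:
    // implements BinaryOperator<ObjectInputFilter>, public no-arg constructor,
    // reachable through the application class loader.
    public static final class AllowListFactory implements BinaryOperator<ObjectInputFilter> {
        // Constructed pattern: accept classes from java.base, reject everything else.
        private static final ObjectInputFilter BASE =
                ObjectInputFilter.Config.createFilter("java.base/*;!*");

        @Override
        public ObjectInputFilter apply(ObjectInputFilter current, ObjectInputFilter requested) {
            // Ignore whatever the stream asked for and always enforce the allow-list.
            return BASE;
        }
    }

    // Resolve a factory by class name. Every failure is fatal: there is no
    // fallback to "no filter", which would silently disable the protection.
    static BinaryOperator<ObjectInputFilter> loadFactory(String className) {
        try {
            Class<?> c = Class.forName(className, true, ClassLoader.getSystemClassLoader());
            @SuppressWarnings("unchecked")
            BinaryOperator<ObjectInputFilter> factory =
                    (BinaryOperator<ObjectInputFilter>) c.getDeclaredConstructor().newInstance();
            return factory;
        } catch (ReflectiveOperationException | ClassCastException e) {
            // Carries both a message naming the bad value and the cause.
            throw new IllegalStateException("serial filter factory unusable: " + className, e);
        }
    }

    public static void main(String[] args) {
        // A well-formed factory resolves and yields a filter.
        System.out.println(loadFactory(AllowListFactory.class.getName()).apply(null, null));
        try {
            loadFactory("allow"); // the mistaken value from the report above
        } catch (IllegalStateException e) {
            System.out.println("refused to continue: " + e.getCause());
        }
    }
}
```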