> JEP 415: Context-specific Deserialization Filters extends the deserialization
> filtering mechanisms with more flexible and customizable protections against
> malicious deserialization. See JEP 415: https://openjdk.java.net/jeps/415.
> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are
> extended with additional configuration mechanisms and filter utilities.
>
> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and
> `ObjectInputStream`:
>
> http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
Roger Riggs has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 13 additional commits since the last revision:

 - Merge branch 'master' into 8264859-context-filter-factory
 - Added test for rejectUndecidedClass array cases
   Added test for preventing disabling filter factory
   Test cleanup
 - Editorial updates to review comments.
   Simplify the builtin filter factory implementation.
   Add atomic update to setting the filter factory.
   Clarify the description of OIS.setObjectInputFilter.
   Cleanup of the example code.
 - Editorial updates
   Updated java.security properties to include jdk.serialFilterFactory
   Added test cases to SerialFilterFactoryTest for java.security properties and enabling of the SecurityManager with existing policy permission files
   Corrected a test that OIS.setObjectInputFilter could not be called twice.
   Removed a Factory test that was not intended to be committed
 - Moved utility filter methods to be static on ObjectInputFilter
   Rearranged the class javadoc of OIF to describe the parts of deserialization filtering, filters, composite filters, and the filter factory.
   And other review comment updates...
 - Refactored tests for utility functions to SerialFilterFunctionTest.java
   Deleted confused Config.allowMaxLimits() method
   Updated example to match move of methods to Config
   Added test of restriction on setting the filterfactory after an OIS has been created
   Additional Editorial updates
 - Move merge and rejectUndecidedClass methods to OIF.Config
   As default methods on OIF, their implementations were not concrete and not trustable
 - Review suggestions included;
   Added @implSpec for default methods in OIF;
   Added restriction that the filter factory cannot be set after an ObjectInputStream has been created and applied the current filter factory
 - Editorial javadoc updated based on review comments.
   Clarified behavior of rejectUndecidedClass method.
   Example test added to check status returned from file.
 - Editorial updates to review comments
   Add filter tracing support
 - ... and 3 more: https://git.openjdk.java.net/jdk/compare/9870b028...0930f0f8

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/3996/files
  - new: https://git.openjdk.java.net/jdk/pull/3996/files/19b6aad3..0930f0f8

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=3996&range=11
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=3996&range=10-11

  Stats: 44803 lines in 2037 files changed: 20137 ins; 18278 del; 6388 mod
  Patch: https://git.openjdk.java.net/jdk/pull/3996.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/3996/head:pull/3996

PR: https://git.openjdk.java.net/jdk/pull/3996
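The filter factory that JEP 415 adds, shown as an added example that is not part of this PR or of the JDK sources: a JVM-wide `BinaryOperator<ObjectInputFilter>` that combines a fixed allow list with whatever filter a stream already has or requests, then wraps the result in `rejectUndecidedClass` so that any class neither side decided on is rejected rather than silently accepted. The class name `AllowListFilterFactory`, the allow list and the two sample payloads are constructed for the demo; the calls used (`ObjectInputFilter.allowFilter`, `merge`, `rejectUndecidedClass` as static methods on `ObjectInputFilter`, and `ObjectInputFilter.Config.setSerialFilterFactory`) are the API as it stands in the PR's latest revision and in the released JDK 17.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Set;
import java.util.function.BinaryOperator;

/**
 * Hypothetical filter factory (example, not JDK code). Every ObjectInputStream in
 * this JVM gets the allow list, merged with any filter the stream already has or
 * asks for, and everything left UNDECIDED is rejected. Public class with a public
 * no-arg constructor so it could also be named via -Djdk.serialFilterFactory=...
 */
public class AllowListFilterFactory implements BinaryOperator<ObjectInputFilter> {

    // Constructed allow list for the demo; a real one lists the types the
    // application legitimately deserializes. java.lang.Number is included because
    // it is Integer's serializable superclass and its descriptor is filtered too.
    private static final Set<String> ALLOWED = Set.of(
            "java.util.ArrayList", "java.lang.String",
            "java.lang.Integer", "java.lang.Number");

    // ALLOWED for listed classes, UNDECIDED for everything else (and for null class,
    // i.e. the depth/reference checks that carry no class).
    private static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.allowFilter(
            cl -> ALLOWED.contains(cl.getName()), ObjectInputFilter.Status.UNDECIDED);

    @Override
    public ObjectInputFilter apply(ObjectInputFilter current, ObjectInputFilter next) {
        // On stream construction: current == null, next == JVM-wide filter (jdk.serialFilter, may be null).
        // On ois.setObjectInputFilter(f): current == the stream's present filter, next == f.
        ObjectInputFilter f = ALLOW_LIST;
        if (current != null) f = ObjectInputFilter.merge(current, f);
        if (next != null)    f = ObjectInputFilter.merge(next, f);
        // merge() yields REJECTED if either side rejects, so a stream-level filter can
        // narrow the allow list but never widen it. Then close the gap: UNDECIDED -> REJECTED.
        return ObjectInputFilter.rejectUndecidedClass(f);
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Plain ObjectInputStream: no per-stream filter code, the factory supplies it. */
    static Object deserialize(byte[] bytes) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Must run before the first ObjectInputStream is constructed, and only once;
        // a later call throws IllegalStateException (the restriction added in this PR).
        ObjectInputFilter.Config.setSerialFilterFactory(new AllowListFilterFactory());

        List<Object> ok = new ArrayList<>();
        ok.add("alpha");
        ok.add(42);
        System.out.println("allowed: " + deserialize(serialize(ok)));

        List<Object> bad = new ArrayList<>();
        bad.add("alpha");
        bad.add(new Date(0));     // java.util.Date is not on the allow list
        try {
            deserialize(serialize(bad));
            System.out.println("unexpected: Date was accepted");
        } catch (InvalidClassException e) {
            // allowFilter left Date UNDECIDED, rejectUndecidedClass turned that into REJECTED
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it on JDK 17 or later. The point of the factory over a plain `jdk.serialFilter` pattern is that every stream in the process, including ones created by libraries that never call `setObjectInputFilter`, is filtered, and a stream-specific filter can only tighten the policy. Because `setSerialFilterFactory` is one-shot and must precede the first `ObjectInputStream`, production code sets it at startup or names the class through the `jdk.serialFilterFactory` system or `java.security` property, which is why the factory is a public class with a public no-argument constructor.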