On Wed, 26 May 2021 16:48:53 GMT, Roger Riggs <rri...@openjdk.org> wrote:
>> JEP 415: Context-specific Deserialization Filters extends the
>> deserialization filtering mechanisms with more flexible and customizable
>> protections against malicious deserialization. See JEP 415:
>> https://openjdk.java.net/jeps/415.
>> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are
>> extended with additional
>> configuration mechanisms and filter utilities.
>>
>> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and
>> `ObjectInputStream`:
>>
>> http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
>
> Roger Riggs has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   Editorial updates to review comments.
>   Simplify the builtin filter factory implementation.
>   Add atomic update to setting the filter factory.
>   Clarify the description of OIS.setObjectInputFilter.
>   Cleanup of the example code.

test/jdk/java/io/Serializable/serialFilter/SerialFilterFactoryTest.java line 328:

> 326:         public void current(ObjectInputFilter current) {
> 327:             this.current = current;
> 328:         }

Is this current() used anywhere?

test/jdk/java/io/Serializable/serialFilter/SerialFilterFactoryTest.java line 332:

> 330:         public void next(ObjectInputFilter next) {
> 331:             this. next = next;
> 332:         }

Is this next() used anywhere?

-------------

PR: https://git.openjdk.java.net/jdk/pull/3996
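
An added example, not part of this message, the pull request, or the JDK's test code: a filter factory that attaches a base allow-list to every `ObjectInputStream` and merges any stream-specific filter with what is already in force. It assumes the API as shipped in JDK 17 (`ObjectInputFilter.Config.setSerialFilterFactory`, `ObjectInputFilter.merge`); the class name, allow-list pattern and sample file name are constructed for illustration.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;
import java.util.function.BinaryOperator;

public class ContextFilterDemo {
    // Constructed allow-list: java.lang and java.util classes only, reject the rest.
    static final ObjectInputFilter BASE = ObjectInputFilter.Config.createFilter(
            "maxdepth=10;java.lang.*;java.util.*;!*");

    // Filter factory: invoked with (null, JVM-wide filter) when a stream is
    // constructed, and with (current, requested) on setObjectInputFilter.
    static final BinaryOperator<ObjectInputFilter> FACTORY = (current, next) -> {
        if (current == null) {
            return next == null ? BASE : ObjectInputFilter.merge(BASE, next);
        }
        // A stream-specific filter cannot override a rejection already in force.
        return next == null ? current : ObjectInputFilter.merge(next, current);
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();   // BASE is already attached by the factory
        }
    }

    public static void main(String[] args) throws Exception {
        // Must run before the first ObjectInputStream is created; can be set once.
        ObjectInputFilter.Config.setSerialFilterFactory(FACTORY);

        // java.util.ArrayList of Strings passes the allow-list.
        System.out.println(deserialize(serialize(new ArrayList<>(List.of("a", "b")))));
        try {
            // java.io.File is Serializable but outside the allow-list.
            deserialize(serialize(new File("constructed-sample.txt")));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the factory runs in the `ObjectInputStream` constructor, code that never calls `setObjectInputFilter` still gets the base filter.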