On Fri, 28 May 2021 15:43:14 GMT, Daniel Fuchs <dfu...@openjdk.org> wrote:
>> Roger Riggs has updated the pull request with a new target base due to a >> merge or a rebase. The incremental webrev excludes the unrelated changes >> brought in by the merge/rebase. The pull request contains 13 additional >> commits since the last revision: >> >> - Merge branch 'master' into 8264859-context-filter-factory >> - Added test for rejectUndecidedClass array cases >> Added test for preventing disabling filter factory >> Test cleanup >> - Editorial updates to review comments. >> Simplify the builtin filter factory implementation. >> Add atomic update to setting the filter factory. >> Clarify the description of OIS.setObjectInputFilter. >> Cleanup of the example code. >> - Editorial updates >> Updated java.security properties to include jdk.serialFilterFactory >> Added test cases to SerialFilterFactoryTest for java.security properties >> and >> enabling of the SecurityManager with existing policy permission files >> Corrected a test that OIS.setObjectInputFilter could not be called twice. >> Removed a Factory test that was not intended to be committed >> - Moved utility filter methods to be static on ObjectInputFilter >> Rearranged the class javadoc of OIF to describe the parts of >> deserialization filtering, filters, composite filters, and the filter >> factory. >> And other review comment updates... >> - Refactored tests for utility functions to SerialFilterFunctionTest.java >> Deleted confused Config.allowMaxLimits() method >> Updated example to match move of methods to Config >> Added test of restriction on setting the filterfactory after a OIS has >> been created >> Additional Editorial updates >> - Move merge and rejectUndecidedClass methods to OIF.Config >> As default methods on OIF, their implementations were not concrete and >> not trustable >> - Review suggestions included; >> Added @implSpec for default methods in OIF; >> Added restriction that the filter factory cannot be set after an >> ObjectInputStream has been created and applied the current filter factory >> - Editorial javadoc updated based on review comments. >> Clarified behavior of rejectUndecidedClass method. >> Example test added to check status returned from file. >> - Editorial updates to review comments >> Add filter tracing support >> - ... and 3 more: >> https://git.openjdk.java.net/jdk/compare/0c26d863...0930f0f8 > > src/java.base/share/classes/java/io/ObjectInputFilter.java line 396: > >> 394: * are {@code REJECTED}. Either the class is not {@code ALLOWED} or >> 395: * if the class is an array and the base component type is not >> allowed, >> 396: * otherwise the result is {@code UNDECIDED}. > > Is there some part of the sentence missing here? I don't fully understand the > "Either, or, otherwise" construct. There is an extra "if" at line 395. it should be a more readable version of the list below implementing checkfilter. If it does not aid in understanding, it can be removed. ------------- PR: https://git.openjdk.java.net/jdk/pull/3996
