On Tue, 8 Jun 2021 10:32:49 GMT, Roger Riggs <rri...@openjdk.org> wrote:
>> JEP 415: Context-specific Deserialization Filters extends the >> deserialization filtering mechanisms with more flexible and customizable >> protections against malicious deserialization. See JEP 415: >> https://openjdk.java.net/jeps/415. >> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are >> extended with additional >> configuration mechanisms and filter utilities. >> >> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and >> `ObjectInputStream`: >> >> http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html > > Roger Riggs has updated the pull request incrementally with one additional > commit since the last revision: > > Clarified javadoc for rejectUndecidedClass. > Added javadoc to describe throwing of ExceptionInInitializerError if the > class > named by system property jdk.serialFilterFactory is not valid. > Added description of jdk.serialFilterFactory to java.security file. src/java.base/share/classes/java/io/ObjectInputFilter.java line 392: > 390: * Returns a filter that invokes a given filter and maps {@code > UNDECIDED} to {@code REJECTED} > 391: * for classes, with some special cases, and otherwise returns the > status. > 392: * If the class is not a primitive class and not an array, the > status returned is REJECTED. {@code REJECTED} src/java.base/share/classes/java/io/ObjectInputFilter.java line 550: > 548: * be accessible via the {@linkplain > ClassLoader#getSystemClassLoader() application class loader}. > 549: * If the filter factory constructor is not invoked successfully, an > {@link ExceptionInInitializerError} > 550: * is thrown. Should you also say that later attempts to create an `ObjectInputStream` or to call `ObjectInputStream::setObjectInputFilter` will result in an `IllegalStateException`? ------------- PR: https://git.openjdk.java.net/jdk/pull/3996
