On Mon, 6 Dec 2021 04:30:16 GMT, Jaikiran Pai <j...@openjdk.org> wrote:
>> The effects of invalid values of `jdk.serialFilter` and `jdk.serialFilterFactory` properties are
>> incompletely specified. The behavior for invalid values of the properties is different and
>> uses an unconventional exception type, `ExceptionInInitializerError` and leaves the `OIF.Config` class
>> uninitialized.
>>
>> The exceptions in the `ObjectInputFilter.Config` class initialization caused by invalid values of the two properties,
>> either by system properties supplied on the command line or security properties are logged.
>> The `Config` class marks either or both the filter and filter factory values as unusable
>> and remembers the exception message.
>>
>> Subsequent calls to the methods that get or set the filter or filter factory or create
>> an `ObjectInputStream` throw `java.lang.IllegalStateException` with the remembered exception message.
>> Constructing an `ObjectInputStream` calls both `Config.getSerialFilter` and `Config.getSerialFilterFactory`.
>> The nature of the invalid property is reported as an `IllegalStateException` on first use.
>>
>> This PR supersedes https://github.com/openjdk/jdk/pull/6508 Document that setting an invalid property jdk.serialFilter disables deserialization
>
> src/java.base/share/classes/java/io/ObjectInputFilter.java line 532:
>
>> 530: * invalid serial filter.
>> 531: * If the system property {@code jdk.serialFilter} or the {@link java.security.Security}
>> 532: * property is not set the filter can be set with
>
>> or the {@link java.security.Security} property is not set the filter can be set ...
>
> Is it intentional that the name of security property is left out here? Perhaps this should be:
> `or the {@link java.security.Security} property {@code jdk.serialFilter} is not set the filter ....`
>
> or even:
>
> `or the {@link java.security.Security} property of the same name is not set the filter....`

Yes, for consistency, the first suggestion.
-------------

PR: https://git.openjdk.java.net/jdk/pull/6645
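The behavior described in the quoted PR text means a malformed `jdk.serialFilter` only surfaces as an `IllegalStateException` at first use, so a startup probe can turn it into an immediate, visible failure. The following is an added example, not code from the PR or the JDK sources; the class and method names (`SerialFilterProbe`, `patternError`, `jvmWideFilterError`) and the sample patterns are hypothetical, and it assumes a JDK that includes this change.

```java
import java.io.ObjectInputFilter;

/** Startup probe: report a bad jdk.serialFilter before the first real deserialization. */
public class SerialFilterProbe {

    /** Returns null if the pattern parses, otherwise the parser's error message. */
    static String patternError(String pattern) {
        try {
            ObjectInputFilter.Config.createFilter(pattern);
            return null;
        } catch (IllegalArgumentException e) {
            return e.getMessage();
        }
    }

    /** Returns null if the JVM-wide filter is usable, otherwise the remembered message. */
    static String jvmWideFilterError() {
        try {
            ObjectInputFilter.Config.getSerialFilter();
            return null;
        } catch (IllegalStateException e) {
            // Per the PR description: Config marked the filter unusable during
            // initialization and rethrows the remembered message on every use.
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample patterns: one well-formed, one with a negative limit.
        String[] samples = {"java.util.*;maxdepth=20;!*", "maxdepth=-1"};
        for (String p : samples) {
            String err = patternError(p);
            System.out.println(p + " -> " + (err == null ? "ok" : "rejected: " + err));
        }

        // Check the filter this JVM was actually started with.
        String err = jvmWideFilterError();
        if (err != null) {
            System.err.println("jdk.serialFilter is invalid, deserialization is disabled: " + err);
            System.exit(1);
        }
        System.out.println("JVM-wide filter: " + ObjectInputFilter.Config.getSerialFilter());
    }
}
```

Starting the probe with `java -Djdk.serialFilter=maxdepth=-1 SerialFilterProbe` exercises the failure path; without the property it reports the JVM-wide filter as `null`, meaning no filter is configured.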