Re: Explicit Serialization API and Security

Tue, 06 Jan 2015 09:50:08 -0800 

On 01/06/2015 06:21 PM, Chris Hegarty wrote:

On 6 Jan 2015, at 15:06, Peter Levart <peter.lev...@gmail.com> wrote:


On 01/06/2015 04:03 PM, Peter Levart wrote:

private void readObject(ObjectInputStream in) throws IOException, 
ClassNotFoundException {
        ObjectInputStream.GetField fields = in.readFields(); // this already 
validates the types

Well, not true currently. But type validation could be added at this point.

Right. I think I’ll file a bug to track this as it seems reasonable to add type 
validation to readFields and defaultReadObject. So we can probably 
assume/ignore it in this discussion.

I like the idea of a callback into the serialization framework to handling the 
setting of final fields, after validation. I played a little with your patch 
and added it to a branch in the sandbox**

So a simple example, without legacy fields, might looks as below ( without the 
need for writeObject or serialPersistentFields ). The simple validating 
readObject is starting to look like boilerplate ?
Well, 1st and last line are always the same, yes. What's between them is what you would have to write in a special check-only method too. 

Regards, Peter



public class SimpleInterval implements Serializable {

     private final int lo, hi;

     private static void validate(int lo, int hi) {
         // invariant
         if (lo > hi)
             throw new IllegalArgumentException("lo:" + lo + " > hi:" + hi);
     }

     public SimpleInterval(int lo, int hi) {
         validate(lo, hi);
         this.lo = lo;
         this.hi = hi;
     }

     public int getLo() { return lo; }

     public int getHi() { return hi; }

     private void readObject(ObjectInputStream in) throws IOException, 
ClassNotFoundException {
         ObjectInputStream.GetField fields = in.readFields();

         // validate 'lo' and 'hi' fields invariant
         int lo = fields.get("lo", 0);
         int hi = fields.get("hi", 0);
         validate(lo, hi);

         // set current fields from read data
         fields.defaultReadFields(); // this is new API!
     }
}

-Chris.

** hg clone http://hg.openjdk.java.net/jdk9/sandbox sandbox
     cd sandbox
     sh get_source.sh
     sh common/bin/hgforest.sh update -r serial-exp-branch

     I also added your example, etc, under:
       jdk/test/java/io/Serializable/invarientChecker

     see http://cr.openjdk.java.net/~chegar/docs/sandbox.html

Reply via email to