Will do, thanks, Roger

On 7/20/2016 10:22 AM, Daniel Fuchs wrote:
Hi Roger,

3901     /**
3902      * Method for getting the array size for any array.
3903      */
3904     private static int arrayLength(Object array) {

why not use java.lang.reflect.Array::getLength?

best regards,

-- daniel

On 19/07/16 15:02, Roger Riggs wrote:
Please review the design, implementation, and tests of JEP 290: Filter
Incoming Serialization Data[1]

It allows incoming streams of object-serialization data to be filtered
in order to improve both security and robustness.
The JEP[1] has more detail on the background and scope.

The core mechanism is a filter interface implemented by serialization
clients and set on an |ObjectInputStream|. The filter is called during
the deserialization process to validate the classes being deserialized,
the sizes of arrays being created, and metrics describing stream length,
stream depth, and number of references as the stream is being decoded.

A process-wide filter can be configured that is applied to every
ObjectInputStream.
The API of ObjectInputStream can be used to set a custom filter to
supersede or augment the process-wide filter.

Webrev:
http://cr.openjdk.java.net/~rriggs/webrev-serial-filter-jdk9-8155760/

SpecDiff:
http://cr.openjdk.java.net/~rriggs/filter-diffs/overview-summary.html

Javadoc (subset)
http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputStream.html

http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputFilter.html


Comments appreciated, Roger

[1] JEP 290:   https://bugs.openjdk.java.net/browse/JDK-8154961
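
The filter mechanism described in the review request above, as an added example that is not part of the thread or the webrev. It uses the java.io.ObjectInputFilter API as it shipped in JDK 9, which may differ in detail from the webrev under review; the class SerialFilterDemo, its allow-list and its limits are hypothetical.

```java
import java.io.*;
import java.util.*;

public class SerialFilterDemo {
    // Hypothetical allow-list for this demo; a real client lists the classes it expects.
    static final Set<Class<?>> ALLOWED = Set.of(ArrayList.class, String.class);

    // Called by ObjectInputStream for each class, array and reference as the stream is decoded.
    static ObjectInputFilter.Status check(ObjectInputFilter.FilterInfo info) {
        if (info.arrayLength() > 1_000 || info.depth() > 8
                || info.references() > 10_000 || info.streamBytes() > 64 * 1024) {
            return ObjectInputFilter.Status.REJECTED;      // stream metrics exceed the limits
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED;     // metrics-only callback, no class to judge
        }
        while (c.isArray()) c = c.getComponentType();      // judge arrays by their element type
        return (c.isPrimitive() || ALLOWED.contains(c))
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static String tryRead(byte[] data) {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(SerialFilterDemo::check);   // set before the first readObject
            return "accepted: " + ois.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();                 // raised when the filter rejects
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample payloads, serialized in-process for the demo.
        System.out.println(tryRead(serialize(new ArrayList<>(List.of("a", "b")))));
        System.out.println(tryRead(serialize(new int[5_000])));                  // array above the size limit
        System.out.println(tryRead(serialize(new HashMap<>(Map.of("k", "v"))))); // class not on the allow-list
    }
}
```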


