On Mon, 12 Oct 2020 13:47:46 GMT, Chris Hegarty <che...@openjdk.org> wrote:
> TL;DR add EnumSet::readObjectNoData()
>
> EnumSet is an exemplar of the Serialization Proxy Pattern. As such, it
> should strictly implement that pattern and demonstrate how best to
> defend against inappropriate instantiation through deserialization.
>
> EnumSet is an extensible class. There are two subclasses in the JDK,
> RegularEnumSet and JumboEnumSet. Since the serialization of an EnumSet
> object writes a replacement object to the serial stream, a serial proxy
> object, then stream objects of type RegularEnumSet or JumboEnumSet are
> not expected in the serial stream. However, if they are present in the
> serial stream, then, during deserialization, the EnumSet::readObject
> method will be invoked. EnumSet::readObject unconditionally throws an
> exception, thus preventing further deserialization of the stream object.
> In this way, stream objects that are subclasses of EnumSet are prevented
> from being instantiated through deserialization. But this is not
> sufficient to prevent such in all scenarios.
>
> A stream object whose local class equivalent of the specified stream
> class descriptor is a subclass of EnumSet, but whose specified stream
> class descriptor does not list EnumSet as a superclass, may be
> instantiated through deserialization. Since the stream class descriptor
> does not list EnumSet as a superclass, then the defensive
> EnumSet::readObject is never invoked. To prevent such objects from
> being deserialized, an EnumSet::readObjectNoData() should be added -
> whose implementation unconditionally throws an exception, similar to
> that of the existing EnumSet::readObject.

Marked as reviewed by smarks (Reviewer).

-------------

PR: https://git.openjdk.java.net/jdk/pull/611
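The defence the PR describes, as an added example that is not part of the review thread or the JDK's own code: a hypothetical extensible class (ProxiedBase, with subclass Impl and nested SerializationProxy, all names assumed) that follows the serialization proxy pattern and closes both deserialization paths, readObject for stream descriptors that list the base class and readObjectNoData for descriptors that omit it. Assumes it is compiled as ProxiedBase.java.

```java
import java.io.*;

// Hypothetical base class modelled on the pattern EnumSet uses; not JDK code.
public abstract class ProxiedBase implements Serializable {
    private static final long serialVersionUID = 1L;
    final int value;
    ProxiedBase(int value) { this.value = value; }

    // On write, a proxy replaces the instance, so subclass objects should never
    // appear directly in a legitimate stream.
    Object writeReplace() { return new SerializationProxy(this); }

    // Path 1: a stream descriptor that lists ProxiedBase as a superclass reaches
    // readObject, which refuses to reconstruct the object.
    private void readObject(ObjectInputStream s) throws InvalidObjectException {
        throw new InvalidObjectException("Deserialization via serialization proxy required");
    }

    // Path 2: a descriptor for a subclass that omits ProxiedBase from its superclass
    // chain never calls readObject; the runtime calls readObjectNoData instead, so
    // the same refusal must live here too. This is the method the PR adds to EnumSet.
    private void readObjectNoData() throws InvalidObjectException {
        throw new InvalidObjectException("Deserialization via serialization proxy required");
    }

    // The only object type that legitimately represents a ProxiedBase in a stream.
    private static class SerializationProxy implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int value;
        SerializationProxy(ProxiedBase b) { this.value = b.value; }
        // Reconstruct through the normal constructor, so invariants are re-checked.
        private Object readResolve() { return new Impl(value); }
    }

    static final class Impl extends ProxiedBase {
        Impl(int value) { super(value); }
    }

    // Round trip: the proxy is written, then readResolve rebuilds an Impl.
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new Impl(42));
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            Impl copy = (Impl) in.readObject();
            System.out.println("restored value: " + copy.value);
        }
    }
}
```

Any stream whose descriptor names Impl directly, with or without ProxiedBase in its superclass list, is rejected with InvalidObjectException by one of the two hooks, while the proxy path continues to work.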