> JEP 415: Context-specific Deserialization Filters extends the deserialization
> filtering mechanisms with more flexible and customizable protections against
> malicious deserialization. See JEP 415: https://openjdk.java.net/jeps/415.
> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are
> extended with additional configuration mechanisms and filter utilities.
>
> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and
> `ObjectInputStream`:
>
> http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html

Roger Riggs has updated the pull request incrementally with two additional commits since the last revision:

 - Moved utility filter methods to be static on ObjectInputFilter
   Rearranged the class javadoc of OIF to describe the parts of deserialization filtering, filters, composite filters, and the filter factory.
   And other review comment updates...
 - Refactored tests for utility functions to SerialFilterFunctionTest.java
   Deleted confused Config.allowMaxLimits() method
   Updated example to match move of methods to Config
   Added test of restriction on setting the filterfactory after an OIS has been created
   Additional Editorial updates

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/3996/files
  - new: https://git.openjdk.java.net/jdk/pull/3996/files/141bf720..9573ae11

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=3996&range=07
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=3996&range=06-07

  Stats: 1040 lines in 7 files changed: 533 ins; 397 del; 110 mod
  Patch: https://git.openjdk.java.net/jdk/pull/3996.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/3996/head:pull/3996

PR: https://git.openjdk.java.net/jdk/pull/3996