On Tue, 25 May 2021 21:45:33 GMT, Roger Riggs <rri...@openjdk.org> wrote:
>> JEP 415: Context-specific Deserialization Filters extends the deserialization filtering mechanisms with more flexible and customizable protections against malicious deserialization. See JEP 415: https://openjdk.java.net/jeps/415.
>> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are extended with additional
>> configuration mechanisms and filter utilities.
>>
>> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and `ObjectInputStream`:
>>
>> http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
>
> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
>
>   Editorial updates
>   Updated java.security properties to include jdk.serialFilterFactory
>   Added test cases to SerialFilterFactoryTest for java.security properties and enabling of the SecurityManager with existing policy permission files
>   Corrected a test that OIS.setObjectInputFilter could not be called twice.
>   Removed a Factory test that was not intended to be committed

src/java.base/share/classes/java/io/ObjectInputFilter.java line 513:

> 511:      * the static JVM-wide filter, or to create a filter from a pattern string.
> 512:      * The static filter factory and the static filter apply to the whole Java runtime,
> 513:      * or "JVM-wide", there is only one of each, for a complete description of

Suggest new sentence after "_...there is only one of each. For a complete..._"

src/java.base/share/classes/java/io/ObjectInputFilter.java line 551:

> 549:     final class Config {
> 550:         /**
> 551:          * Lock object for filter and filter factory.

The lock is not used for the filter factory, is it?

src/java.base/share/classes/java/io/ObjectInputFilter.java line 768:

> 766:          * This package private method is *only* called by {@link ObjectInputStream#ObjectInputStream()}
> 767:          * and {@link ObjectInputStream#ObjectInputStream(InputStream)}.
> 768:          * {@link ObjectInputFilter.Config#serialFilterFactory} does the enforcement.

Is this still true about the enforcement?

src/java.base/share/classes/java/io/ObjectInputFilter.java line 1251:

> 1249:      * Returns REJECTED if either of the filters returns REJECTED,
> 1250:      * otherwise, ALLOWED if either of the filters returns ALLOWED.
> 1251:      * otherwise, returns {@code UNDECIDED}.

Capitalize "Otherwise"

src/java.base/share/classes/java/io/ObjectInputFilter.java line 1256:

> 1254:      * @return REJECTED if either of the filters returns REJECTED,
> 1255:      *          otherwise, ALLOWED if either of the filters returns ALLOWED.
> 1256:      *          otherwise, returns {@code UNDECIDED}.

Otherwise

-------------

PR: https://git.openjdk.java.net/jdk/pull/3996
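The merge rule quoted above (REJECTED if either filter rejects, otherwise ALLOWED if either allows, otherwise UNDECIDED), as an added example that is not part of this thread or of the PR: it implements that rule as a filter factory and installs it through the JEP 415 API as it shipped in JDK 17 (`Config.setSerialFilterFactory`, `ObjectInputFilter.rejectUndecidedClass`), so a stream-specific filter is always combined with the JVM-wide baseline. The class name `MergeFilterDemo` and the sample objects are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.Config;
import java.io.ObjectInputFilter.Status;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

public class MergeFilterDemo { // hypothetical class name, not from the PR
    // Merge two filters with the semantics quoted in the review: REJECTED if either rejects,
    // otherwise ALLOWED if either allows, otherwise UNDECIDED. A null operand counts as UNDECIDED.
    static ObjectInputFilter merge(ObjectInputFilter a, ObjectInputFilter b) {
        return info -> {
            Status sa = (a == null) ? Status.UNDECIDED : a.checkInput(info);
            Status sb = (b == null) ? Status.UNDECIDED : b.checkInput(info);
            if (sa == Status.REJECTED || sb == Status.REJECTED) return Status.REJECTED;
            if (sa == Status.ALLOWED || sb == Status.ALLOWED) return Status.ALLOWED;
            return Status.UNDECIDED;
        };
    }
    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    // Read one object under a stream-specific filter; the factory set in main merges it
    // with the JVM-wide filter, so a stream cannot loosen the baseline.
    static Object read(byte[] bytes, ObjectInputFilter streamFilter) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(streamFilter); // permitted only once per stream
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        Config.setSerialFilter(Config.createFilter("maxdepth=5")); // JVM-wide baseline
        Config.setSerialFilterFactory(MergeFilterDemo::merge);      // JEP 415 factory hook
        // Allow only ArrayList and String; rejectUndecidedClass turns UNDECIDED classes into REJECTED.
        ObjectInputFilter strict = ObjectInputFilter.rejectUndecidedClass(
                Config.createFilter("java.util.ArrayList;java.lang.String"));
        System.out.println("allowed: " + read(serialize(new ArrayList<>(List.of("hi"))), strict));
        try {
            read(serialize(new java.util.HashMap<String, String>()), strict);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running it deserializes the ArrayList and fails the HashMap with an InvalidClassException, since the stream filter leaves HashMap UNDECIDED and rejectUndecidedClass converts that to REJECTED before merge sees it.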