> JEP 415: Context-specific Deserialization Filters extends the deserialization > filtering mechanisms with more flexible and customizable protections against > malicious deserialization. See JEP 415: https://openjdk.java.net/jeps/415. > The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are > extended with additional > configuration mechanisms and filter utilities. > > javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and > `ObjectInputStream`: > > http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
Roger Riggs has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 15 additional commits since the last revision: - Added protections to aid in auditing of filter and filter factory to ensure effective filtering and compatibility with previous releases. Fixed a bug in allow/rejectFilter() Cleanup of error stages and messages related setting filter factory with Config.setSerialFilterFactory. Updated tests to match. - Merge branch 'master' into 8264859-context-filter-factory - Merge branch 'master' into 8264859-context-filter-factory - Added test for rejectUndecidedClass array cases Added test for preventing disabling filter factory Test cleanup - Editorial updates to review comments. Simplify the builtin filter factory implementation. Add atomic update to setting the filter factory. Clarify the description of OIS.setObjectInputFilter. Cleanup of the example code. - Editorial updates Updated java.security properties to include jdk.serialFilterFactory Added test cases to SerialFilterFactoryTest for java.security properties and enabling of the SecurityManager with existing policy permission files Corrected a test that OIS.setObjectInputFilter could not be called twice. Removed a Factory test that was not intended to be committed - Moved utility filter methods to be static on ObjectInputFilter Rearranged the class javadoc of OIF to describe the parts of deserialization filtering, filters, composite filters, and the filter factory. And other review comment updates... - Refactored tests for utility functions to SerialFilterFunctionTest.java Deleted confused Config.allowMaxLimits() method Updated example to match move of methods to Config Added test of restriction on setting the filterfactory after a OIS has been created Additional Editorial updates - Move merge and rejectUndecidedClass methods to OIF.Config As default methods on OIF, their implementations were not concrete and not trustable - Review suggestions included; Added @implSpec for default methods in OIF; Added restriction that the filter factory cannot be set after an ObjectInputStream has been created and applied the current filter factory - ... and 5 more: https://git.openjdk.java.net/jdk/compare/1325f0b0...6d07298f ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/3996/files - new: https://git.openjdk.java.net/jdk/pull/3996/files/0930f0f8..6d07298f Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=3996&range=12 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=3996&range=11-12 Stats: 27002 lines in 388 files changed: 3591 ins; 22765 del; 646 mod Patch: https://git.openjdk.java.net/jdk/pull/3996.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/3996/head:pull/3996 PR: https://git.openjdk.java.net/jdk/pull/3996
