uschindler commented on code in PR #15237:
URL: https://github.com/apache/lucene/pull/15237#discussion_r2384035770


##########
lucene/test-framework/src/java/org/apache/lucene/tests/util/LuceneTestCase.java:
##########
@@ -498,6 +499,14 @@ static int defaultRandomMultiplier() {
     LEAVE_TEMPORARY = defaultValue;
   }
 
+  /* Make sure we do not allow Java serialization without custom filters 
anywhere while running tests.
+   * We could have activated that already in the test runner Gradle plugin, 
but Gradle itsself uses
+   * unfiltered serialization on startup.
+   */
+  static {
+    ObjectInputFilter.Config.setSerialFilter(_ -> 
ObjectInputFilter.Status.REJECTED);
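
Review bot: the `setSerialFilter` call in the new `static { }` block has no guard for a JVM-wide filter that is already set. `ObjectInputFilter.Config.setSerialFilter` throws `IllegalStateException` in that case, for example when the test JVM is started with `-Djdk.serialFilter=...` from an IDE or a custom runner. Because the call sits in a static initializer of `LuceneTestCase`, that surfaces as an `ExceptionInInitializerError` and every test class fails to load. Consider checking `ObjectInputFilter.Config.getSerialFilter() == null` first, or catching the exception and failing with a message that names the conflicting filter. Minor: "itsself" in the block comment should be "itself".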

Review Comment:
   This is something for @rmuir: This early setup in LuceneTestCase makes sure 
that no test anywhere or any class loaded after the LTC was initialized is 
allowed to do *unfiltered* serialization.
   
   Ideally we would pass `-Djdk.serialFilter=!*` as test runner command line, 
but Gradle uses unfiltered serialization on its own child runner setup, so we 
delay the "deny all" rule up to initialization of LTC.
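
The behaviour described in the comment above, as an added example that is not part of the PR or of Lucene's code: with a JVM-wide "deny all" filter installed, a stream without its own filter is rejected, while a stream that sets a specific filter still reads. It assumes JDK 17 or later with the built-in filter factory (no `jdk.serialFilterFactory` configured); the class name, the `read` helper and the `Integer` payload are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

public class DenyAllSerialFilterDemo {
  /** Deserializes data, optionally installing a stream-specific filter first. */
  static Object read(byte[] data, ObjectInputFilter streamFilter) throws Exception {
    try (var in = new ObjectInputStream(new ByteArrayInputStream(data))) {
      if (streamFilter != null) {
        // With the built-in factory this replaces the JVM-wide filter for this stream.
        in.setObjectInputFilter(streamFilter);
      }
      return in.readObject();
    }
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample payload: a serialized java.lang.Integer.
    var bytes = new ByteArrayOutputStream();
    try (var out = new ObjectOutputStream(bytes)) {
      out.writeObject(Integer.valueOf(42));
    }
    byte[] data = bytes.toByteArray();

    // JVM-wide "deny all", equivalent in effect to the filter installed in the hunk.
    ObjectInputFilter.Config.setSerialFilter(info -> ObjectInputFilter.Status.REJECTED);

    // A stream without its own filter inherits the JVM-wide one and is rejected.
    try {
      read(data, null);
      throw new AssertionError("unfiltered deserialization was not rejected");
    } catch (InvalidClassException expected) {
      System.out.println("unfiltered stream rejected: " + expected.getMessage());
    }

    // A stream that names exactly the classes it accepts still works.
    // Integer's superclass Number is checked too, so both are listed.
    var allowInteger =
        ObjectInputFilter.Config.createFilter("java.lang.Integer;java.lang.Number;!*");
    System.out.println("filtered stream read: " + read(data, allowInteger));
  }
}
```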


