RFR 9: JEP 290: Filter Incoming Serialization Data
chris.hegarty at oracle.com
Mon Jul 25 14:54:03 UTC 2016
Mainly looks good. Some comments on the spec:
- Use the Present Simple Tense consistently, e.g.
"Return*S* an ObjectInputFilter computed from a string of patterns."
- ObjectInputFilter. Was there a comment already on the use of links?
For example the following is showing in the javadoc:
when "setObjectInputFilter" would be better.
Same comment applies to the links to ObjectInputFilter.Status, and
- ObjectInputFilter class description. "If set on an
ObjectInputStream, the method*(s)* are called ..."
- Looking at the example in the ObjectInputFilter class description
makes me think that maybe the default process-wide filter should
be a filter that simply returns UNDECIDED, rather than being null.
Is it important to discern whether, or not, it has been set?
The initial sentence in the class description should describe the
class itself, so maybe " A utility class for ..."
- "process-wide" is this an agreed upon term? I'm just curious where
it came from. Is there a more common term for this?
- Config.setSerialFilter: SecurityException - if there is security
manager and the SerializablePermission("serialFilter") is not
granted or if there is no securityManager set and the process-wide
filter has already been set non-null
It is a little odd to throw a SE if there is no SM, no ?
- Is there a class/package level statement covering null, or should
it be covered for each applicable method?
"... the serialization filter for the stream." ->
"... the serialization filter for THIS stream."
- setObjectInputFilter: "The checkInput method is called for each
class and reference in the stream". Does this apply to back
- setObjectInputFilter: "... when the ObjectInputStream is constructed
and CANNOT be re-set until an object has been deserialized."
On 19/07/16 15:02, Roger Riggs wrote:
> Please review the design, implementation, and tests of JEP 290: Filter
> Incoming Serialization Data
> It allows incoming streams of object-serialization data to be filtered
> in order to improve both security and robustness.
> The JEP has more detail on the background and scope.
> The core mechanism is a filter interface implemented by serialization
> clients and set on an |ObjectInputStream|. The filter is called during
> the deserialization process to validate the classes being deserialized,
> the sizes of arrays being created, and metrics describing stream length,
> stream depth, and number of references as the stream is being decoded.
> A process-wide filter can be configured that is applied to every
> The API of ObjectInputStream can be used to set a custom filter to
> supersede or augment the process-wide filter.
> Javadoc (subset)
> Comments appreciated, Roger
>  JEP 290: https://bugs.openjdk.java.net/browse/JDK-8154961
More information about the core-libs-dev