RFR 9: JEP 290: Filter Incoming Serialization Data
roger.riggs at Oracle.com
Wed Aug 31 14:14:38 UTC 2016
Since the filter is passed information about each object created, a stateful filter can tabulate the cumulative size itself if that is a concern.

Also, a stateless filter can be constructed to check a combination of the total number of objects, depth, array sizes, and stream size. Since arrays are initialized with data from the stream, the stream size provides a practical limit.
On 8/29/16 10:07 PM, Peter Firmstone wrote:
> A quick thought on the array size filter:
> The system creates an array with a size read from the stream.
> If Mallory sends a multidimensional array in the stream, then Mallory can consume all JVM memory without exceeding the array size limit or the stream data limit.
> We also need an array combined length limit.
> Sent from my Samsung device.
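The two filter styles described in the reply above, as an added example that is not code from the JEP, the JDK, or either poster. It uses the Java 9+ `java.io.ObjectInputFilter` API (`checkInput`, `FilterInfo.arrayLength()`, `ObjectInputFilter.Config.createFilter`) and assumes the limit values shown; the class name `CumulativeArrayFilter` and the nested `int[][]` input are constructed for the demonstration. The stateless part is the pattern-string combination of `maxarray`, `maxdepth`, `maxrefs` and `maxbytes`; the stateful part sums the length of every array the stream creates, which is the check that catches a nested array whose individual rows each stay under `maxarray`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

/**
 * Stateful deserialization filter (added example, not JDK code): applies a
 * stateless combination of per-call limits and additionally tracks the
 * cumulative number of array elements created while reading one stream.
 * Because it keeps state, a fresh instance is needed for every ObjectInputStream.
 */
public final class CumulativeArrayFilter implements ObjectInputFilter {
    private final ObjectInputFilter perCallLimits; // stateless: array length, depth, refs, bytes
    private final long maxTotalArrayElements;      // assumed threshold, chosen per application
    private long totalArrayElements;               // running total for this stream only

    public CumulativeArrayFilter(ObjectInputFilter perCallLimits, long maxTotalArrayElements) {
        this.perCallLimits = perCallLimits;
        this.maxTotalArrayElements = maxTotalArrayElements;
    }

    @Override
    public Status checkInput(FilterInfo info) {
        // Stateless limits first: a REJECTED result is final.
        Status status = perCallLimits.checkInput(info);
        if (status == Status.REJECTED) {
            return status;
        }
        // arrayLength() is -1 when the object being created is not an array.
        long length = info.arrayLength();
        if (length >= 0) {
            totalArrayElements += length;
            if (totalArrayElements > maxTotalArrayElements) {
                return Status.REJECTED;
            }
        }
        // ALLOWED or UNDECIDED; ObjectInputStream only fails the read on REJECTED.
        return status;
    }

    /** Deserialize bytes under a fresh filter; true if accepted, false if the filter rejected it. */
    static boolean readWithLimit(byte[] bytes, long maxTotalArrayElements) throws Exception {
        // Per-call limits in the JEP 290 pattern syntax (values assumed for the example).
        ObjectInputFilter limits = ObjectInputFilter.Config.createFilter(
                "maxarray=2000;maxdepth=10;maxrefs=1000;maxbytes=1000000");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(new CumulativeArrayFilter(limits, maxTotalArrayElements));
            ois.readObject();
            return true;
        } catch (InvalidClassException rejected) {
            // ObjectInputStream reports a REJECTED filter status as InvalidClassException.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: 4 rows of 1000 ints. Each individual array is under
        // maxarray=2000, but the stream allocates 4 + 4*1000 = 4004 elements in total.
        int[][] nested = new int[4][1000];
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(nested);
        }
        byte[] bytes = bos.toByteArray();

        // A cumulative limit above 4004 accepts the stream; one below it rejects it,
        // even though the stateless per-array limit alone would pass every row.
        System.out.println("cumulative limit 5000: accepted=" + readWithLimit(bytes, 5000));
        System.out.println("cumulative limit 3000: accepted=" + readWithLimit(bytes, 3000));
    }
}
```

The filter is called once for each array before it is allocated, with the length read from the stream, so the running total reflects what the stream would allocate rather than what has already been read. Install it per stream with `setObjectInputFilter` rather than as the process-wide filter, since a process-wide instance would carry its counter across unrelated streams.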