JDK-8277571

Document that setting an invalid property `jdk.serialFilter` disables deserialization


    Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Withdrawn
    • Fix Version/s: tbd
    • Component/s: core-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      The risk is minimal; the change only documents extended error reporting.
    • Interface Kind:
      Java API, System or security property
    • Scope:
      SE

      Description

      Summary

      Document that an invalid value of system property jdk.serialFilter on the command line prevents use of deserialization until the property is corrected.

      Problem

      The effects of an invalid jdk.serialFilter property are not completely documented. If the value of the system property jdk.serialFilter is invalid, deserialization should not be possible, and the specification should say so.

      A java.lang.ExceptionInInitializerError is thrown when creating the filter from the property value. If that exception is caught and ignored, deserialization should still not be possible without a filter. The ExceptionInInitializerError prevents the java.io.ObjectInputFilter.Config class from being fully initialized; subsequent references to ObjectInputFilter.Config, including those made by ObjectInputStream, result in java.lang.NoClassDefFoundError. To give some flexibility in the implementation, an exception should be documented, but not the specific exception.
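      The behaviour described above, as an added example that is not part of this CSR and not JDK code: a small program that serializes a constructed object, touches ObjectInputFilter.Config once inside a try/catch so the root cause of an invalid jdk.serialFilter is logged while it is still available, and then shows that a later deserialization attempt fails with the less informative NoClassDefFoundError. The class names SerialFilterCheck and Greeting, the helper names probeSerialFilterConfig and isValidFilterString, and the filter patterns used are all assumptions constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example, not JDK code: shows what an invalid jdk.serialFilter looks
// like from an application and how to surface the root cause at startup.
public class SerialFilterCheck {

    // Constructed sample type, only here to have something to round-trip.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final int count;
        Greeting(int count) { this.count = count; }
    }

    // The first touch of ObjectInputFilter.Config runs its static initializer,
    // which parses jdk.serialFilter. If the pattern is invalid this is the only
    // place the root cause is visible: the ExceptionInInitializerError carries
    // the IllegalArgumentException from createFilter as its cause. Every later
    // use of Config fails with a NoClassDefFoundError that has no cause attached.
    static String probeSerialFilterConfig() {
        try {
            ObjectInputFilter configured = ObjectInputFilter.Config.getSerialFilter();
            return "configured filter: " + configured;
        } catch (ExceptionInInitializerError e) {
            System.err.println("jdk.serialFilter is invalid: " + e.getCause());
            throw e;   // fail fast rather than run on with deserialization disabled
        }
    }

    // Validate a candidate pattern before handing it to Config.setSerialFilter
    // (useful when the JVM property is unset and the filter is set in code).
    static boolean isValidFilterString(String pattern) {
        try {
            ObjectInputFilter.Config.createFilter(pattern);
            return true;
        } catch (IllegalArgumentException e) {
            System.err.println("rejected pattern \"" + pattern + "\": " + e.getMessage());
            return false;
        }
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws Exception {
        // The ObjectInputStream constructor consults Config for the filter,
        // so a broken Config shows up here, before any object is read.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Serialization does not touch Config, so this works whatever the property says.
        byte[] bytes = serialize(new Greeting(3));

        boolean configOk = true;
        try {
            System.out.println(probeSerialFilterConfig());
        } catch (ExceptionInInitializerError e) {
            // Swallowed here only to reproduce the scenario in the CSR; a real
            // application would exit instead of continuing without deserialization.
            configOk = false;
            System.err.println("continuing anyway to show the follow-on failure");
        }

        try {
            Greeting g = (Greeting) deserialize(bytes);
            System.out.println("deserialized count=" + g.count);
        } catch (NoClassDefFoundError e) {
            // The original parse error is gone; only the class-init failure remains.
            System.err.println("deserialization unavailable: " + e);
        }

        if (configOk) {
            // Constructed patterns: the first is well-formed, the second has a limit
            // value that is not a number and is rejected by createFilter.
            System.out.println(isValidFilterString("SerialFilterCheck$Greeting;!*"));
            System.out.println(isValidFilterString("maxdepth=abc"));
        }
    }
}
```

      Compile with javac SerialFilterCheck.java, then run java -Djdk.serialFilter='maxdepth=abc' SerialFilterCheck to see the ExceptionInInitializerError (with its IllegalArgumentException cause) followed by the NoClassDefFoundError on the deserialization attempt, and java -Djdk.serialFilter='SerialFilterCheck$Greeting;!*' SerialFilterCheck for the normal path. The single quotes keep the shell from interpreting $ and ! in the pattern.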

      Solution

      Specify that an implementation-specific exception is thrown when deserialization is attempted after an invalid jdk.serialFilter system property value has been reported as an ExceptionInInitializerError.

      Specification

      The class javadoc of java.io.ObjectInputFilter.Config is updated:

      --- a/src/java.base/share/classes/java/io/ObjectInputFilter.java
      +++ b/src/java.base/share/classes/java/io/ObjectInputFilter.java
      @@ -524,9 +524,11 @@ public interface ObjectInputFilter {
            * If the system property is not defined, and the {@link java.security.Security} property
            * {@code jdk.serialFilter} is defined then it is used to configure the filter.
            * The filter is created as if {@link #createFilter(String) createFilter} is called;
      -     * if the filter string is invalid, an {@link ExceptionInInitializerError} is thrown.
      -     * Otherwise, the filter is not configured during initialization and
      -     * can be set with {@link #setSerialFilter(ObjectInputFilter) Config.setSerialFilter}.
      +     * if the filter string is invalid, an {@link ExceptionInInitializerError} is thrown
      +     * and the initialization fails; subsequent attempts to use the configuration or
      +     * serialization will fail with an implementation specific exception.
      +     * If the system property {@code jdk.serialFilter} is not set on the command line
      +     * it can be set with {@link #setSerialFilter(ObjectInputFilter) Config.setSerialFilter}.
            * Setting the {@code jdk.serialFilter} with {@link System#setProperty(String, String)
            * System.setProperty} <em>does not set the filter</em>.
            * The syntax for the property value is the same as for the
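      Review bot: the last two added lines ("If the system property jdk.serialFilter is not set on the command line it can be set with ... Config.setSerialFilter") drop the Security-property case that the unchanged context a few lines earlier still describes: when the system property is absent but the Security property jdk.serialFilter is defined, the filter is already configured during initialization, so setSerialFilter is not the fallback in that case. The removed "Otherwise, the filter is not configured during initialization and can be set with ..." wording covered both properties; suggest keeping that form, e.g. "Otherwise, if neither property configures a filter, it can be set with Config.setSerialFilter." Two smaller points on the same hunk: "implementation specific exception" should be hyphenated as "implementation-specific exception", and "the configuration or serialization will fail" reads broader than the Problem statement, which concerns deserialization only; say "deserialization" unless ObjectOutputStream is also meant.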


              People

              Assignee:
              rriggs Roger Riggs
              Reporter:
              kganapureddy Krushnareddy Ganapureddy
              Reviewed By:
              Iris Clark
              Votes:
              0
              Watchers:
              4
