17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package java.io;
27
28 import java.security.AccessController;
29 import java.security.PrivilegedAction;
30 import java.security.Security;
31 import java.util.ArrayList;
32 import java.util.List;
33 import java.util.Objects;
34 import java.util.Optional;
35 import java.util.function.Function;
36
37 import jdk.internal.misc.SharedSecrets;
38
39 /**
40 * Filter classes, array lengths, and graph metrics during deserialization.
41 *
42 * <p><strong>Warning: Deserialization of untrusted data is inherently dangerous
43 * and should be avoided. Untrusted data should be carefully validated according to the
44 * "Serialization and Deserialization" section of the
45 * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}.
46 * {@extLink serialization_filter_guide Serialization Filtering} describes best
47 * practices for defensive use of serial filters.
48 * </strong></p>
49 *
50 * If set on an {@link ObjectInputStream}, the {@link #checkInput checkInput(FilterInfo)}
51 * method is called to validate classes, the length of each array,
52 * the number of objects being read from the stream, the depth of the graph,
53 * and the total number of bytes read from the stream.
54 * <p>
55 * A filter can be set via {@link ObjectInputStream#setObjectInputFilter setObjectInputFilter}
56 * for an individual ObjectInputStream.
57 * A filter can be set via {@link Config#setSerialFilter(ObjectInputFilter) Config.setSerialFilter}
|
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package java.io;
27
28 import java.security.AccessController;
29 import java.security.PrivilegedAction;
30 import java.security.Security;
31 import java.util.ArrayList;
32 import java.util.List;
33 import java.util.Objects;
34 import java.util.Optional;
35 import java.util.function.Function;
36
37 import jdk.internal.access.SharedSecrets;
38
39 /**
40 * Filter classes, array lengths, and graph metrics during deserialization.
41 *
42 * <p><strong>Warning: Deserialization of untrusted data is inherently dangerous
43 * and should be avoided. Untrusted data should be carefully validated according to the
44 * "Serialization and Deserialization" section of the
45 * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}.
46 * {@extLink serialization_filter_guide Serialization Filtering} describes best
47 * practices for defensive use of serial filters.
48 * </strong></p>
49 *
50 * If set on an {@link ObjectInputStream}, the {@link #checkInput checkInput(FilterInfo)}
51 * method is called to validate classes, the length of each array,
52 * the number of objects being read from the stream, the depth of the graph,
53 * and the total number of bytes read from the stream.
54 * <p>
55 * A filter can be set via {@link ObjectInputStream#setObjectInputFilter setObjectInputFilter}
56 * for an individual ObjectInputStream.
57 * A filter can be set via {@link Config#setSerialFilter(ObjectInputFilter) Config.setSerialFilter}
|