< prev index next >
src/java.base/share/classes/java/io/ObjectInputFilter.java
Print this page
rev 49438 : 8197595: Serialization javadoc should link to security best practices
Reviewed-by: lancea, sean, ahgross
@@ -36,10 +36,19 @@
import jdk.internal.misc.SharedSecrets;
/**
* Filter classes, array lengths, and graph metrics during deserialization.
+ *
+ * <p><strong>Warning: Deserialization of untrusted data is inherently dangerous
+ * and should be avoided. Untrusted data should be carefully validated according to the
+ * "Serialization and Deserialization" section of the
+ * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}.
+ * {@extLink serialization_filter_guide Serialization Filtering} describes best
+ * practices for defensive use of serial filters.
+ * </strong></p>
+ *
* If set on an {@link ObjectInputStream}, the {@link #checkInput checkInput(FilterInfo)}
* method is called to validate classes, the length of each array,
* the number of objects being read from the stream, the depth of the graph,
* and the total number of bytes read from the stream.
* <p>
< prev index next >