
src/java.base/share/classes/java/io/ObjectInputStream.java

rev 49438 : 8197595: Serialization javadoc should link to security best practices
Reviewed-by: lancea, sean, ahgross

*** 50,59 **** --- 50,67 ---- /** * An ObjectInputStream deserializes primitive data and objects previously * written using an ObjectOutputStream. * + * <p><strong>Warning: Deserialization of untrusted data is inherently dangerous + * and should be avoided. Untrusted data should be carefully validated according to the + * "Serialization and Deserialization" section of the + * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}. + * {@extLink serialization_filter_guide Serialization Filtering} describes best + * practices for defensive use of serial filters. + * </strong></p> + * * <p>ObjectOutputStream and ObjectInputStream can provide an application with * persistent storage for graphs of objects when used with a FileOutputStream * and FileInputStream respectively. ObjectInputStream is used to recover * those objects previously serialized. Other uses include passing objects * between hosts using a socket stream or for marshaling and unmarshaling
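Review bot: The new warning paragraph tells readers that serial filters are the defensive mechanism but points to them only through the external {@extLink serialization_filter_guide Serialization Filtering} link; since the filter hook lives in this very class, consider adding an in-class cross-reference such as {@link #setObjectInputFilter(ObjectInputFilter)} next to that sentence so the API page itself shows where the filter is installed. Also confirm that both extLink keys, secure_coding_guidelines_javase and serialization_filter_guide, are registered with the extLink taglet used by the javadoc build, since an unknown key yields a broken link in the generated docs rather than a compile error in this file.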