src/java.base/share/classes/java/io/ObjectInputFilter.java
changeset 49438 879cf9f18688
parent 47722 ce6ff74192fc
child 52427 3c6aa484536c
--- a/src/java.base/share/classes/java/io/ObjectInputFilter.java	Wed Mar 28 14:24:17 2018 +0100
+++ b/src/java.base/share/classes/java/io/ObjectInputFilter.java	Wed Mar 28 14:15:41 2018 -0400
@@ -38,6 +38,15 @@
 
 /**
  * Filter classes, array lengths, and graph metrics during deserialization.
+ *
+ * <p><strong>Warning: Deserialization of untrusted data is inherently dangerous
+ * and should be avoided. Untrusted data should be carefully validated according to the
+ * "Serialization and Deserialization" section of the
+ * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}.
+ * {@extLink serialization_filter_guide Serialization Filtering} describes best
+ * practices for defensive use of serial filters.
+ * </strong></p>
+ *
  * If set on an {@link ObjectInputStream}, the {@link #checkInput checkInput(FilterInfo)}
  * method is called to validate classes, the length of each array,
  * the number of objects being read from the stream, the depth of the graph,
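Review bot: The new warning block closes with `</strong></p>` and is followed by the existing text "If set on an {@link ObjectInputStream}, …" with no opening paragraph tag, so in the rendered Javadoc that sentence is neither part of the summary paragraph it used to belong to nor a paragraph of its own. Prefixing the continuation, i.e. ` * <p>If set on an {@link ObjectInputStream}, the {@link #checkInput checkInput(FilterInfo)}`, keeps the class description well-formed after the inserted block. The `{@extLink …}` references rely on the JDK build's custom taglet being configured; if this file is ever rendered with a plain javadoc invocation those tags will be reported as unknown, which may be worth a short comment near the first use. The class-level comment continues past the end of the hunk.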