--- a/jdk/src/java.base/share/classes/java/io/ObjectInputFilter.java Wed Aug 16 13:15:45 2017 -0700
+++ b/jdk/src/java.base/share/classes/java/io/ObjectInputFilter.java Wed Aug 16 16:46:51 2017 -0400
@@ -34,6 +34,7 @@
import java.util.Optional;
import java.util.function.Function;
+import jdk.internal.misc.SharedSecrets;
/**
* Filter classes, array lengths, and graph metrics during deserialization.
@@ -265,6 +266,9 @@
return null;
});
configLog = (configuredFilter != null) ? System.getLogger("java.io.serialization") : null;
+
+ // Setup shared secrets for RegistryImpl to use.
+ SharedSecrets.setJavaObjectInputFilterAccess(Config::createFilter2);
}
/**
@@ -370,7 +374,20 @@
*/
public static ObjectInputFilter createFilter(String pattern) {
Objects.requireNonNull(pattern, "pattern");
- return Global.createFilter(pattern);
+ return Global.createFilter(pattern, true);
+ }
+
+ /**
+ * Returns an ObjectInputFilter from a string of patterns that
+ * checks only the length for arrays, not the component type.
+ *
+ * @param pattern the pattern string to parse; not null
+ * @return a filter to check a class being deserialized;
+ * {@code null} if no patterns
+ */
+ static ObjectInputFilter createFilter2(String pattern) {
+ Objects.requireNonNull(pattern, "pattern");
+ return Global.createFilter(pattern, false);
}
/**
@@ -404,20 +421,26 @@
* Maximum length of any array.
*/
private long maxArrayLength;
+ /**
+ * True to check the component type for arrays.
+ */
+ private final boolean checkComponentType;
/**
* Returns an ObjectInputFilter from a string of patterns.
*
* @param pattern the pattern string to parse
+ * @param checkComponentType true if the filter should check
+ * the component type of arrays
* @return a filter to check a class being deserialized;
* {@code null} if no patterns
* @throws IllegalArgumentException if the parameter is malformed
* if the pattern is missing the name, the long value
* is not a number or is negative.
*/
- static ObjectInputFilter createFilter(String pattern) {
+ static ObjectInputFilter createFilter(String pattern, boolean checkComponentType) {
try {
- return new Global(pattern);
+ return new Global(pattern, checkComponentType);
} catch (UnsupportedOperationException uoe) {
// no non-empty patterns
return null;
@@ -428,12 +451,15 @@
* Construct a new filter from the pattern String.
*
* @param pattern a pattern string of filters
+ * @param checkComponentType true if the filter should check
+ * the component type of arrays
* @throws IllegalArgumentException if the pattern is malformed
* @throws UnsupportedOperationException if there are no non-empty patterns
*/
- private Global(String pattern) {
+ private Global(String pattern, boolean checkComponentType) {
boolean hasLimits = false;
this.pattern = pattern;
+ this.checkComponentType = checkComponentType;
maxArrayLength = Long.MAX_VALUE; // Default values are unlimited
maxDepth = Long.MAX_VALUE;
@@ -595,6 +621,10 @@
// array length is too big
return Status.REJECTED;
}
+ if (!checkComponentType) {
+ // As revised; do not check the component type for arrays
+ return Status.UNDECIDED;
+ }
do {
// Arrays are decided based on the component type
clazz = clazz.getComponentType();