Warning: Deserialization of untrusted data is inherently dangerous + * and should be avoided. Untrusted data should be carefully validated according to the + * "Serialization and Deserialization" section of the + * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}. + * {@extLink serialization_filter_guide Serialization Filtering} describes best + * practices for defensive use of serial filters. + *
+ * * If set on an {@link ObjectInputStream}, the {@link #checkInput checkInput(FilterInfo)} * method is called to validate classes, the length of each array, * the number of objects being read from the stream, the depth of the graph, diff -r 9925be430918 -r 879cf9f18688 src/java.base/share/classes/java/io/ObjectInputStream.java --- a/src/java.base/share/classes/java/io/ObjectInputStream.java Wed Mar 28 14:24:17 2018 +0100 +++ b/src/java.base/share/classes/java/io/ObjectInputStream.java Wed Mar 28 14:15:41 2018 -0400 @@ -52,6 +52,14 @@ * An ObjectInputStream deserializes primitive data and objects previously * written using an ObjectOutputStream. * + *Warning: Deserialization of untrusted data is inherently dangerous + * and should be avoided. Untrusted data should be carefully validated according to the + * "Serialization and Deserialization" section of the + * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}. + * {@extLink serialization_filter_guide Serialization Filtering} describes best + * practices for defensive use of serial filters. + *
+ * *ObjectOutputStream and ObjectInputStream can provide an application with * persistent storage for graphs of objects when used with a FileOutputStream * and FileInputStream respectively. ObjectInputStream is used to recover diff -r 9925be430918 -r 879cf9f18688 src/java.base/share/classes/java/io/Serializable.java --- a/src/java.base/share/classes/java/io/Serializable.java Wed Mar 28 14:24:17 2018 +0100 +++ b/src/java.base/share/classes/java/io/Serializable.java Wed Mar 28 14:15:41 2018 -0400 @@ -27,7 +27,17 @@ /** * Serializability of a class is enabled by the class implementing the - * java.io.Serializable interface. Classes that do not implement this + * java.io.Serializable interface. + * + *
Warning: Deserialization of untrusted data is inherently dangerous + * and should be avoided. Untrusted data should be carefully validated according to the + * "Serialization and Deserialization" section of the + * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}. + * {@extLink serialization_filter_guide Serialization Filtering} describes best + * practices for defensive use of serial filters. + *
+ * + * Classes that do not implement this * interface will not have any of their state serialized or * deserialized. All subtypes of a serializable class are themselves * serializable. The serialization interface has no methods or fields diff -r 9925be430918 -r 879cf9f18688 src/java.base/share/classes/java/io/package-info.java --- a/src/java.base/share/classes/java/io/package-info.java Wed Mar 28 14:24:17 2018 +0100 +++ b/src/java.base/share/classes/java/io/package-info.java Wed Mar 28 14:15:41 2018 -0400 @@ -31,19 +31,17 @@ * method in any class or interface in this package will cause a * {@code NullPointerException} to be thrown. * - *Warning: Deserialization of untrusted data is inherently dangerous + * and should be avoided. Untrusted data should be carefully validated according to the + * "Serialization and Deserialization" section of the + * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}. + *
* - * - *