8197595: Serialization javadoc should link to security best practices
Reviewed-by: lancea, mullan, ahgross
--- a/src/java.base/share/classes/java/io/ObjectInputFilter.java Wed Mar 28 14:24:17 2018 +0100
+++ b/src/java.base/share/classes/java/io/ObjectInputFilter.java Wed Mar 28 14:15:41 2018 -0400
@@ -38,6 +38,15 @@
/**
* Filter classes, array lengths, and graph metrics during deserialization.
+ *
+ * <p><strong>Warning: Deserialization of untrusted data is inherently dangerous
+ * and should be avoided. Untrusted data should be carefully validated according to the
+ * "Serialization and Deserialization" section of the
+ * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}.
+ * {@extLink serialization_filter_guide Serialization Filtering} describes best
+ * practices for defensive use of serial filters.
+ * </strong></p>
+ *
* If set on an {@link ObjectInputStream}, the {@link #checkInput checkInput(FilterInfo)}
* method is called to validate classes, the length of each array,
* the number of objects being read from the stream, the depth of the graph,
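Review bot: the two opening sentences of the new warning pull in opposite directions: "should be avoided" is immediately followed by "should be carefully validated", which reads as if validation were an alternative to avoidance rather than the fallback when deserialization of untrusted input cannot be avoided. Suggest something like "and should be avoided. Where it cannot be avoided, untrusted data should be carefully validated according to ..." so the guidance has a clear order of preference. Since this same block is repeated verbatim in ObjectInputStream and Serializable, the wording should be settled once and applied to all three copies.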
--- a/src/java.base/share/classes/java/io/ObjectInputStream.java Wed Mar 28 14:24:17 2018 +0100
+++ b/src/java.base/share/classes/java/io/ObjectInputStream.java Wed Mar 28 14:15:41 2018 -0400
@@ -52,6 +52,14 @@
* An ObjectInputStream deserializes primitive data and objects previously
* written using an ObjectOutputStream.
*
+ * <p><strong>Warning: Deserialization of untrusted data is inherently dangerous
+ * and should be avoided. Untrusted data should be carefully validated according to the
+ * "Serialization and Deserialization" section of the
+ * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}.
+ * {@extLink serialization_filter_guide Serialization Filtering} describes best
+ * practices for defensive use of serial filters.
+ * </strong></p>
+ *
* <p>ObjectOutputStream and ObjectInputStream can provide an application with
* persistent storage for graphs of objects when used with a FileOutputStream
* and FileInputStream respectively. ObjectInputStream is used to recover
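Review bot: this is the one class where the reader can act on the warning directly, yet the paragraph only links to external guides. A `{@link #setObjectInputFilter(ObjectInputFilter)}` reference (or a link to `{@link ObjectInputFilter}`) in the second sentence would point the reader to the concrete in-API mitigation rather than leaving "defensive use of serial filters" as an abstract recommendation. Also worth confirming that the `{@extLink ...}` taglet keys `secure_coding_guidelines_javase` and `serialization_filter_guide` are defined in the doc build, otherwise javadoc will fail on all four files at once.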
--- a/src/java.base/share/classes/java/io/Serializable.java Wed Mar 28 14:24:17 2018 +0100
+++ b/src/java.base/share/classes/java/io/Serializable.java Wed Mar 28 14:15:41 2018 -0400
@@ -27,7 +27,17 @@
/**
* Serializability of a class is enabled by the class implementing the
- * java.io.Serializable interface. Classes that do not implement this
+ * java.io.Serializable interface.
+ *
+ * <p><strong>Warning: Deserialization of untrusted data is inherently dangerous
+ * and should be avoided. Untrusted data should be carefully validated according to the
+ * "Serialization and Deserialization" section of the
+ * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}.
+ * {@extLink serialization_filter_guide Serialization Filtering} describes best
+ * practices for defensive use of serial filters.
+ * </strong></p>
+ *
+ * Classes that do not implement this
* interface will not have any of their state serialized or
* deserialized. All subtypes of a serializable class are themselves
* serializable. The serialization interface has no methods or fields
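Review bot: splitting the original sentence pair around the warning weakens the referent of "this": after a full paragraph of text, "Classes that do not implement this interface" no longer sits next to "the java.io.Serializable interface" it refers to. Suggest restoring the noun, e.g. "Classes that do not implement the Serializable interface will not have any of their state serialized or deserialized." The first-sentence summary ("Serializability of a class is enabled by ... interface.") is unchanged by the split, which is good, but the resumed text after `</strong></p>` starts a new implicit paragraph, so the continuation should read as a stand-alone paragraph rather than the tail of the previous one.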
--- a/src/java.base/share/classes/java/io/package-info.java Wed Mar 28 14:24:17 2018 +0100
+++ b/src/java.base/share/classes/java/io/package-info.java Wed Mar 28 14:15:41 2018 -0400
@@ -31,19 +31,17 @@
* method in any class or interface in this package will cause a
* {@code NullPointerException} to be thrown.
*
- * <h2>Package Specification</h2>
+ * <h2>Object Serialization</h2>
+ * <p><strong>Warning: Deserialization of untrusted data is inherently dangerous
+ * and should be avoided. Untrusted data should be carefully validated according to the
+ * "Serialization and Deserialization" section of the
+ * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}.
+ * </strong></p>
* <ul>
* <li><a href="{@docRoot}/../specs/serialization/index.html">
* Java Object Serialization Specification </a>
- * </ul>
- *
- * <h2>Related Documentation</h2>
- *
- * For overviews, tutorials, examples, guides, and tool documentation,
- * please see:
- * <ul>
- * <li>{@extLink serialver_tool_reference The serialver tool}</li>
- * <li>{@extLink serialization_guide Serialization Documentation}</li>
+ * <li>{@extLink serialization_filter_guide Serial Filtering} best practices</li>
+ * <li>{@extLink serialver_tool_reference The serialver tool}</li>
* </ul>
*
* @since 1.0
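Review bot: two points on the list rewrite. First, the `{@extLink serialization_guide Serialization Documentation}` entry is dropped along with the "Related Documentation" heading, with no replacement; if that removal is intentional it deserves a mention in the change description, otherwise the link should be kept in the merged list. Second, the new item is labelled "Serial Filtering" while the three class-level warnings in this same change say "Serialization Filtering" for the identical `serialization_filter_guide` target; pick one name so readers recognise it as the same document. Minor: unlike the other three files, this warning omits the sentence pointing at the filtering guide, which is acceptable only because the guide now appears as a list item directly below it.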