8276665: ObjectInputStream.GetField.get(name, object) should throw ClassNotFoundException

Reviewed-by: naoto, lancea, smarks
2025-08-26 22:34:27 +02:00 · 2021-11-24 15:14:22 +00:00 · 2021-11-24 15:14:22 +00:00 · 0384739afc
commit 0384739afc
parent cf7adae633
2 changed files with 210 additions and 4 deletions
--- a/src/java.base/share/classes/java/io/ObjectInputStream.java
+++ b/src/java.base/share/classes/java/io/ObjectInputStream.java
@ -297,6 +297,15 @@ public class ObjectInputStream
        static final boolean SET_FILTER_AFTER_READ = GetBooleanAction
                .privilegedGetProperty("jdk.serialSetFilterAfterRead");

+        /**
+         * Property to control {@link GetField#get(String, Object)} conversion of
+         * {@link ClassNotFoundException} to {@code null}. If set to {@code true}
+         * {@link GetField#get(String, Object)} returns null otherwise
+         * throwing {@link ClassNotFoundException}.
+         */
+        private static final boolean GETFIELD_CNFE_RETURNS_NULL = GetBooleanAction
+                .privilegedGetProperty("jdk.serialGetFieldCnfeReturnsNull");
+
        /**
         * Property to override the implementation limit on the number
         * of interfaces allowed for Proxies. The property value is clamped to 0..65535.
@ -1596,12 +1605,13 @@ public class ObjectInputStream
         * @param  val the default value to use if {@code name} does not
         *         have a value
         * @return the value of the named {@code Object} field
+         * @throws ClassNotFoundException Class of a serialized object cannot be found.
         * @throws IOException if there are I/O errors while reading from the
         *         underlying {@code InputStream}
         * @throws IllegalArgumentException if type of {@code name} is
         *         not serializable or if the field type is incorrect
         */
-        public abstract Object get(String name, Object val) throws IOException;
+        public abstract Object get(String name, Object val) throws IOException, ClassNotFoundException;
    }

    /**
@ -2645,13 +2655,19 @@ public class ObjectInputStream
            return (off >= 0) ? Bits.getDouble(primValues, off) : val;
        }

-        public Object get(String name, Object val) {
+        public Object get(String name, Object val) throws ClassNotFoundException {
            int off = getFieldOffset(name, Object.class);
            if (off >= 0) {
                int objHandle = objHandles[off];
                handles.markDependency(passHandle, objHandle);
-                return (handles.lookupException(objHandle) == null) ?
-                    objValues[off] : null;
+                ClassNotFoundException ex = handles.lookupException(objHandle);
+                if (ex == null)
+                    return objValues[off];
+                if (Caches.GETFIELD_CNFE_RETURNS_NULL) {
+                    // Revert to the prior behavior; return null instead of CNFE
+                    return null;
+                }
+                throw ex;
            } else {
                return val;
            }