8197595: Serialization javadoc should link to security best practices

Reviewed-by: lancea, mullan, ahgross
2025-08-27 06:45:07 +02:00 · 2018-03-28 14:15:41 -04:00 · 2018-03-28 14:15:41 -04:00 · e50e03e199
commit e50e03e199
parent 484ec0738e
4 changed files with 36 additions and 11 deletions
--- a/src/java.base/share/classes/java/io/Serializable.java
+++ b/src/java.base/share/classes/java/io/Serializable.java
@ -27,7 +27,17 @@ package java.io;

 /**
 * Serializability of a class is enabled by the class implementing the
- * java.io.Serializable interface. Classes that do not implement this
+ * java.io.Serializable interface.
+ *
+ * <p><strong>Warning: Deserialization of untrusted data is inherently dangerous
+ * and should be avoided. Untrusted data should be carefully validated according to the
+ * "Serialization and Deserialization" section of the
+ * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}.
+ * {@extLink serialization_filter_guide Serialization Filtering} describes best
+ * practices for defensive use of serial filters.
+ * </strong></p>
+ *
+ * Classes that do not implement this
 * interface will not have any of their state serialized or
 * deserialized.  All subtypes of a serializable class are themselves
 * serializable.  The serialization interface has no methods or fields