Comment: normativization

...

It may be necessary to check whether a given object is of a specific class, or whether two objects belong to the same class, for example when implementing the equals() method. If the comparison is performed incorrectly, the code could treat two objects as instances of the same class when they are not. Therefore, class names must not be compared.

Depending on the function that the insecure code performs, it could be vulnerable to a mix-and-match attack. An attacker could supply a malicious class with the same fully qualified name as the target class. If access to a protected resource is granted based on the comparison of class names alone, the unprivileged class could gain unwarranted access to the resource.
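As an added illustration of the two paragraphs above (example code, not part of the original page), the following Java program builds the situation the text describes: a second class loader defines a class with exactly the same fully qualified name as an existing one, so a name-based comparison reports a match, while comparing the Class objects themselves, as the equals() method here does, correctly reports two different types. The class names ClassIdentityDemo, Account and IsolatingLoader are hypothetical, and the program requires Java 9 or later for InputStream.readAllBytes().

```java
import java.io.IOException;
import java.io.InputStream;

// Added example; not the page's own code. The class names ClassIdentityDemo,
// Account and IsolatingLoader are hypothetical. Requires Java 9+ (readAllBytes).
public final class ClassIdentityDemo {

    /** A sample type whose identity we want to verify. */
    public static class Account {
        private final String owner;

        public Account() { this("constructed-sample-owner"); }

        public Account(String owner) { this.owner = owner; }

        @Override
        public boolean equals(Object o) {
            if (this == o) return true;
            // Compare Class objects, not class names: a Class is unique per
            // (fully qualified name, defining class loader) pair.
            if (o == null || o.getClass() != getClass()) return false;
            return owner.equals(((Account) o).owner);
        }

        @Override
        public int hashCode() { return owner.hashCode(); }
    }

    /**
     * Loader that defines Account itself instead of delegating to its parent,
     * so the JVM ends up with a second Class object carrying the same fully
     * qualified name. Every other class is delegated to the parent as usual.
     */
    static final class IsolatingLoader extends ClassLoader {
        IsolatingLoader(ClassLoader parent) { super(parent); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(Account.class.getName())) {
                return super.loadClass(name, resolve);
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    // Reuse the already-compiled bytes of Account, but define them here
                    String path = name.replace('.', '/') + ".class";
                    try (InputStream in = getParent().getResourceAsStream(path)) {
                        if (in == null) throw new ClassNotFoundException(name);
                        byte[] bytes = in.readAllBytes();
                        c = defineClass(name, bytes, 0, bytes.length);
                    } catch (IOException e) {
                        throw new ClassNotFoundException(name, e);
                    }
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }
    }

    /** Insecure check: equal fully qualified names. */
    static boolean sameClassByName(Class<?> a, Class<?> b) {
        return a.getName().equals(b.getName());
    }

    /** Correct check: the very same Class object. */
    static boolean sameClass(Class<?> a, Class<?> b) {
        return a == b;
    }

    public static void main(String[] args) throws Exception {
        Class<?> original = Account.class;
        Class<?> duplicate = new IsolatingLoader(ClassIdentityDemo.class.getClassLoader())
                .loadClass(original.getName());

        System.out.println("same name by string:  " + sameClassByName(original, duplicate));
        System.out.println("same Class object:    " + sameClass(original, duplicate));
        System.out.println("defining loaders:     " + original.getClassLoader()
                + " vs " + duplicate.getClassLoader());

        // An instance of the duplicate is not an Account to the original loader
        Object other = duplicate.getDeclaredConstructor().newInstance();
        System.out.println("instanceof Account:   " + (other instanceof Account));
        System.out.println("equals():             " + new Account().equals(other));
    }
}
```

Compile and run with `javac ClassIdentityDemo.java && java ClassIdentityDemo`. The string comparison of names succeeds, whereas the Class comparison, the instanceof test and equals() all reject the duplicate, because the JVM identifies a class by its fully qualified name together with its defining class loader. That is exactly the distinction a name-only comparison throws away, and why a check that gates a protected resource must compare Class objects rather than their names.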

...