SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 48

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 49

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: files closed properly, in accordance with FIO04-J

...

Code Block
bgColor#ffcccc
String file = /* provided by user */
InputStream in = null;
try {
  in = new FileInputStream(file);
  // ...
} finally {
  try {
    in.close();
  } catch (IOException x) {
    // handle error
  }
}

Noncompliant Code Example (Java 1.7)

...

Code Block
bgColor#ccccff
String file = /* provided by user */
if (!isInSecureDir(Paths.get( file))) {
  System.out.println("File not in secure directory");
  return;
}
try (InputStream in = new FileInputStreamFiles.newInputStream(file);
) {
   // ...
in.close();read file
} catch (IOException x) {
  // handle error
}

Programs with elevated privileges may need to write files to directories owned by unprivileged users. One example would be a mail daemon that reads a mail message from one user and places it in a directory owned by another user. In such cases, the proper course of action is to assume the privileges of a user when reading or writing files on behalf of that user, in which case all file access should occur in secure directories relative to that user. If a program with elevated privileges must write files on its own behalf, then these files should be in secure directories relative to the privileges of the program (such as directories accessible only by the superuser).

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="62523be0bcb671cd-573f0145-45d546ea-828f83de-2e5cdbf2eb3723789dd31a90"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

Class File, methods createTempFile, delete, deleteOnExit

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e4defbb927460351-ab7ce085-49bd48a9-b93994a3-9e5dcb316357eec041fbe8af"><ac:plain-text-body><![CDATA[

[[CVE 2008

AA. Bibliography#CVE 08]]

[CVE-2008-5354

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5354]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="889fb83503486c34-bd1c3a12-45584687-a743a9e4-1d461e632f7ab999e5dfa1e7"><ac:plain-text-body><![CDATA[

[[Darwin 2004

AA. Bibliography#Darwin 04]]

11.5 Creating a Transient File

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7451a872e872bfa6-9e649cfa-49fb4a70-a1fb8e1d-18775fc5f62710eeb0d9ba42"><ac:plain-text-body><![CDATA[

[[Garfinkel 1996

AA. Bibliography#Garfinkel 96]]

Section 5.6, "Device Files"

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b734c6f3ffa2ffdb-66b389f5-44f2413a-b60f8b7d-4cd7a2a667f2513e9bd06f01"><ac:plain-text-body><![CDATA[

[[Howard 2002

AA. Bibliography#Howard 02]]

Chapter 11, "Canonical Representation Issues"

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9b000ce2d24f4176-ab951e72-4d9a47cc-9b40b1cc-0264182b0fe9280b5ef509f6"><ac:plain-text-body><![CDATA[

[[J2SE 2011

AA. Bibliography#J2SE 11]]

The try-with-resources Statement

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5229d17f68aa3778-f48e3d09-4b984ef6-b0348491-7dc9911b250b715bfcbceb92"><ac:plain-text-body><![CDATA[

[[Open Group 2004

AA. Bibliography#Open Group 04]]

[open()

http://www.opengroup.org/onlinepubs/009695399/functions/open.html]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f87ecfbac512b1f2-26562602-40744aab-865db9de-471feaf369b90e3669a4865a"><ac:plain-text-body><![CDATA[

[[SDN 2008

AA. Bibliography#SDN 08]]

Bug IDs: 4171239, 4405521, 4635827, 4631820

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b3687e85dfd330ca-665af3fa-4e404145-95d49496-266d5d745bb25b1d18c284b7"><ac:plain-text-body><![CDATA[

[[Secunia 2008

AA. Bibliography#Secunia 08]]

[Secunia Advisory 20132

http://secunia.com/advisories/20132/]

]]></ac:plain-text-body></ac:structured-macro>

...