Page History

Pugh \[[Pugh 2009|AA. JavaBibliography#Pugh References#Pugh 09]\] cites a vulnerability discovered by the Findbugs static analysis tool in the early betas of jdk 1.7. The class {{sun.security.x509.InvalidityDateExtension}} returned a {{Date}} instance through a {{public}} accessor, without creating defensive copies.

*OBJ11-EX1:* According to Sun's Secure Coding Guidelines document \[[SCG 2007|AA. JavaBibliography#SCG References#SCG 07]\]

\[[API 2006|AA. Java References#APIBibliography#API 06]\] [method clone()|http://java.sun.com/javase/6/docs/api/java/lang/Object.html#clone()]
\[[Security 2006|AA. Java References#SecurityBibliography#Security 06]\]
\[[Bloch 2008|AA. Java References#BlochBibliography#Bloch 08]\] Item 39: Make defensive copies when needed
\[[SCG 2007|AA. JavaBibliography#SCG References#SCG 07]\] Guideline 2-1 Create a copy of mutable inputs and outputs
\[[Haggar 2000|AA. JavaBibliography#Haggar References#Haggar 00]\] [Practical Java Praxis 64: Use clone for Immutable Objects When Passing or Receiving Object References to Mutable Objects|http://www.informit.com/articles/article.aspx?p=20530]
\[[Goetz 2006|AA. Java References#GoetzBibliography#Goetz 06]\] 3.2. Publication and Escape: Allowing Internal Mutable State to Escape
\[[Gong 2003|AA. Java References#GongBibliography#Gong 03]\] 9.4 Private Object State and Object Immutability
\[[MITRE 2009|AA. Java References#MITREBibliography#MITRE 09]\] [CWE ID 375|http://cwe.mitre.org/data/definitions/375.html] "Passing Mutable Objects to an Untrusted Method"