...
*EX1*: A secure application must also abide by [EXC06-J. Do not allow exceptions to transmit sensitive information]. To follow this rule, an application might find it necessary to catch all exceptions at some top level to sanitize (or suppress) them. This is also summarized in the CWE entries [CWE 7|http://cwe.mitre.org/data/definitions/7.html] and [CWE 388|http://cwe.mitre.org/data/definitions/388.html]. If exceptions need to be caught, it is better to catch {{Throwable}} instead of {{Exception}} \[[Roubtsov 2003|AA. Java References#RoubtsovBibliography#Roubtsov 03]\].

*EX2*: Task processing threads, such as worker threads in a thread pool or the Swing event dispatch thread, are allowed to catch {{RuntimeException}} when they call untrusted code through an abstraction such as {{Runnable}} \[[Goetz 2006 pg 161|AA. Java References#GoetzBibliography#Goetz 06]\].
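The two exceptions above, as an added example that is not code from the CERT page: a hypothetical {{TaskWorker}} catches {{RuntimeException}} only around the untrusted {{Runnable}} it runs (EX2), lets {{Error}} propagate, and relies on a top-level handler that logs the full {{Throwable}} privately while exposing only a sanitized message (EX1). The class, queue and sample tasks are constructed for illustration.

```java
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical worker (added example, not from the CERT page). It runs
// untrusted tasks through the Runnable abstraction and, per EX2, catches
// RuntimeException so one misbehaving task cannot kill the worker thread.
public final class TaskWorker implements Runnable {
    private static final Logger LOG = Logger.getLogger(TaskWorker.class.getName());
    private final BlockingQueue<Runnable> tasks;

    public TaskWorker(BlockingQueue<Runnable> tasks) { this.tasks = tasks; }

    @Override
    public void run() {
        while (!Thread.currentThread().isInterrupted()) {
            Runnable task;
            try {
                task = tasks.take();
            } catch (InterruptedException ie) {
                Thread.currentThread().interrupt(); // preserve interrupt status
                return;
            }
            try {
                task.run();
            } catch (RuntimeException re) {
                // EX2: an untrusted task failed; record the detail privately and keep serving.
                LOG.log(Level.WARNING, "task failed: " + task.getClass().getName(), re);
            }
            // Errors (OutOfMemoryError, AssertionError, ...) are deliberately NOT caught
            // here; they end this worker and reach the uncaught-exception handler below.
        }
    }

    public static void main(String[] args) throws InterruptedException {
        BlockingQueue<Runnable> queue = new LinkedBlockingQueue<>();
        Thread worker = new Thread(new TaskWorker(queue), "worker-1");
        // EX1: the top-level handler catches Throwable (any Error that escaped run()),
        // logs the full stack trace privately, and shows callers only a sanitized message.
        worker.setUncaughtExceptionHandler((t, e) -> {
            LOG.log(Level.SEVERE, "worker " + t.getName() + " terminated", e);
            System.err.println("Internal error in " + t.getName() + "; see server log.");
        });
        worker.start();
        queue.put(() -> System.out.println("task 1 ok"));
        queue.put(() -> { throw new IllegalStateException("constructed task bug"); }); // survives
        queue.put(() -> System.out.println("task 3 still runs after task 2 failed"));
        queue.put(() -> { throw new AssertionError("constructed fatal error"); });      // ends worker
        worker.join(); // returns once the Error has been handled by the top-level handler
    }
}
```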
Risk Assessment

Catching {{RuntimeException}} traps several types of exceptions not intended to be caught. This prevents them from being handled properly.
...
\[[MITRE 2009|AA. Java References#MITREBibliography#MITRE 09]\] [CWE ID 396|http://cwe.mitre.org/data/definitions/396.html] "Declaration of Catch for Generic Exception", [CWE ID 7|http://cwe.mitre.org/data/definitions/7.html] "J2EE Misconfiguration: Missing Error Handling", [CWE ID 537|http://cwe.mitre.org/data/definitions/537.html] "Information Leak Through Java Runtime Error Message", [CWE ID 536|http://cwe.mitre.org/data/definitions/536.html] "Information Leak Through Servlet Runtime Error Message"
\[[Schweisguth 2003|AA. Java References#SchweisguthBibliography#Schweisguth 03]\]
\[[JLS 2005|AA. Java References#JLSBibliography#JLS 05]\] [Chapter 11, Exceptions|http://java.sun.com/docs/books/jls/third_edition/html/exceptions.html]
\[[Tutorials 2008|AA. Java References#tutorialsBibliography#tutorials 08]\] [Exceptions|http://java.sun.com/docs/books/tutorial/essential/exceptions/index.html]
\[[Doshi 2003|AA. Java References#DoshiBibliography#Doshi 03]\]
\[[Muller 2002|AA. Java References#MullerBibliography#Muller 02]\]
...