Page History

*EX1*: A secure application must also abide by [EXC06-J. Do not allow exceptions to transmit sensitive information]. To follow this rule, an application might find it necessary to catch all exceptions at some top-level to sanitize (or suppress) them. This is also summarized in the CWE entries, [CWE 7|http://cwe.mitre.org/data/definitions/7.html] and [CWE 388|http://cwe.mitre.org/data/definitions/388.html]. If exceptions need to be caught, it is better to catch {{Throwable}} instead of {{Exception}} \[[Roubtsov 032003|AA. Java References#Roubtsov 03]\].

*EX2*: Task processing threads such as worker threads in a thread pool or the swing event dispatch thread are allowed to catch {{RuntimeException}} when they call untrusted code through an abstraction such as {{Runnable}} \[[Goetz 062006 pg 161|AA. Java References#Goetz 06]\]. 

\[[MITRE 092009|AA. Java References#MITRE 09]\] [CWE ID 396|http://cwe.mitre.org/data/definitions/396.html] "Declaration of Catch for Generic Exception", [CWE ID 7|http://cwe.mitre.org/data/definitions/7.html] "J2EE Misconfiguration: Missing Error Handling", [CWE ID 537|http://cwe.mitre.org/data/definitions/537.html] "Information Leak Through Java Runtime Error Message", [CWE ID 536|http://cwe.mitre.org/data/definitions/536.html] "Information Leak Through Servlet Runtime Error Message"
\[[Schweisguth 032003|AA. Java References#Schweisguth 03]\]
\[[JLS 052005|AA. Java References#JLS 05]\] [Chapter 11, Exceptions|http://java.sun.com/docs/books/jls/third_edition/html/exceptions.html]
\[[Tutorials 082008|AA. Java References#tutorials 08]\] [Exceptions|http://java.sun.com/docs/books/tutorial/essential/exceptions/index.html]
\[[Doshi 032003|AA. Java References#Doshi 03]\]
\[[Muller 022002|AA. Java References#Muller 02]\]