...
A
...
class
...
is
...
identified
...
by
...
its
...
fully-qualified
...
class
...
name
...
AND
...
its
...
classloader.
...
A
...
class
...
with
...
the
...
same
...
name
...
but
...
different
...
package
...
name
...
is
...
different,
...
and
...
a
...
class
...
with
...
the
...
same
...
fully-qualified
...
name
...
but
...
which
...
has
...
been
...
loaded
...
with
...
a
...
different
...
classloader
...
is
...
also
...
different.
...
You
...
may
...
frequently
...
want
...
to
...
know
...
whether
...
a
...
given
...
object
...
has
...
a
...
specific
...
class,
...
or
...
whether
...
2
...
objects
...
have
...
the
...
same
...
class,
...
for
...
example,
...
in
...
implementing
...
the
...
equals()
...
method.
...
If
...
the
...
comparison
...
is
...
performed
...
incorrectly,
...
your
...
code
...
might
...
assume
...
that
...
2
...
objects
...
are
...
of
...
the
...
same
...
class
...
when
...
they're
...
not.
...
Depending
...
on
...
the
...
function
...
that
...
this
...
code
...
performs,
...
this
...
might
...
introduce
...
a
...
vulnerability
...
to
...
a
...
mix-and-match
...
attack.
...
An
...
attacker
...
can
...
supply
...
code
...
that
...
is
...
the
...
same
...
name
...
as
...
your
...
class;
...
if
...
you
...
rely
...
on
...
comparing
...
the
...
classname
...
as
...
a
...
string,
...
you
...
might
...
end
...
up
...
believing
...
it
...
is
...
privileged
...
code
...
and
...
granting
...
it
...
undue
...
privileges.
...
Non-Compliant
...
Solution
| Code Block |
|---|
\\ {code} Â // determine whether object h has required/expected class name if (h.getClass().getName().equals("DefaultAuthenticationHandler")) { Â Â Â // code assumes it's an authorized class } {code |
Compliant Solution
| Code Block |
|---|
} h2. Compliant Solution {code} Â // determine whether object h has required/expected class name if (h.getClass() == this.getClassLoader().loadClass("DefaultAuthenticationHandler")) { Â Â Â // code determines authorized class loaded by same classloader } {code} h2. Non |
Non-Compliant
...
Solution
| Code Block |
|---|
{code}
 // determine whether objects x and y have same class name
if (x.getClass().getName().equals( y.getClass().getName() )) {
   // code assumes objects have same class
}
|
Compliant Solution
| Code Block |
|---|
{code} h2. Compliant Solution {code} Â // determine whether objects x and y have same class if (x.getClass() == y.getClass()) { Â Â Â // code determines objects have same class } {code}\\ |
Conversely,
...
a
...
source
...
of
...
error
...
is
...
assuming
...
that
...
the
...
same
...
codebase
...
will
...
result
...
in
...
the
...
same
...
class
...
in
...
a
...
JVM.
...
While
...
it
...
is
...
usually
...
true
...
in
...
common
...
user
...
applications,
...
it
...
is
...
not
...
the
...
case
...
with
...
J2EE
...
servers
...
like
...
servlet
...
containers,
...
which
...
could
...
use
...
different
...
instances
...
of
...
classloaders
...
to
...
be
...
able
...
to
...
deploy
...
and
...
undeploy
...
applications
...
at
...
runtime
...
without
...
restarting
...
the
...
JVM.
...
In
...
this
...
situation,
...
2
...
objects
...
whose
...
classes
...
come
...
from
...
the
...
same
...
codebase
...
could
...
be
...
different
...
classes
...
to
...
the
...
JVM
...
and
...
it
...
could
...
be
...
confusing
...
to
...
get
...
false
...
from
...
the
...
equals()
...
method
...
on
...
their
...
respective
...
classes.
References
Wiki Markup http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules.html?page=4 \[Mcgraw and Felten\]- http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/java.html
- http://www.onjava.com/pub/a/onjava/2005/01/26/classloading.html