...
A bug identified in JRE and JDK version 6.0 and prior allows an attacker to predict the names of temporary files and, as a result, write malicious JAR files via unknown vectors \[[CVE 082008|AA. Java References#CVE 08]\]. Denial of service attacks are also possible if unclaimed temporary resources cause rapid disk space exhaustion \[[Secunia Advisory 20132|http://secunia.com/advisories/20132/]\].
...
Files, or regions of files, can be locked to prevent two processes from accessing them concurrently. Exclusive access grants unrestricted file access to the locking process while denying access to all other processes, which eliminates the potential for a race condition on the locked region. The {{java.nio.channels.FileLock}} class facilitates file locking. According to the Java API \[[API 062006|AA. Java References#API 06]\] documentation:
...
"Whether or not a lock actually prevents another program from accessing the content of the locked region is system-dependent and consequently unspecified" \[[API 062006|AA. Java References#API 06]\]. Microsoft Windows uses a file-locking mechanism called mandatory locking, so named because every process attempting to access a locked file region is subject to the restriction. Linux implements both mandatory and advisory locks. An advisory lock is not enforced by the operating system, which severely diminishes its value from a security perspective. Unfortunately, the mandatory file lock in Linux is also largely impractical for the following reasons:
...
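The following example is added here to illustrate the locking discussion above; it is not code from the original rule or from the Java API documentation. It creates a temporary file, takes an exclusive {{FileLock}} on it through a {{FileChannel}}, writes only while the lock is held, and deletes the file explicitly when done. The {{"scratch"}} prefix, the written payload and the class name are illustrative assumptions. Whether the lock actually keeps another program out is platform dependent, as the API documentation states, so the code treats a failed {{tryLock()}} as a reason to refuse the write rather than as an impossibility.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.FileChannel;
import java.nio.channels.FileLock;
import java.nio.channels.OverlappingFileLockException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;

public class LockedTempFile {

    public static void main(String[] args) throws IOException {
        // Assumption: "scratch"/".tmp" are illustrative; the file lands in java.io.tmpdir.
        Path tmp = Files.createTempFile("scratch", ".tmp");
        try (FileChannel channel = FileChannel.open(tmp,
                StandardOpenOption.READ, StandardOpenOption.WRITE)) {

            // tryLock() requests an exclusive lock on the whole file and returns null
            // if another program already holds a conflicting lock. On Linux this is
            // an advisory lock: cooperating programs honour it, others are not stopped.
            FileLock lock = null;
            try {
                lock = channel.tryLock();
            } catch (OverlappingFileLockException e) {
                // A thread in this same JVM already holds an overlapping lock.
            }
            if (lock == null) {
                System.err.println("Could not lock " + tmp + "; refusing to write");
                return; // the outer finally still removes the file
            }

            try {
                // Assumption: the payload is a constructed placeholder.
                channel.write(ByteBuffer.wrap("data".getBytes(StandardCharsets.UTF_8)));
                channel.force(true); // flush to disk before the lock is released
            } finally {
                lock.release(); // never leave the region locked after use
            }
        } finally {
            // Delete explicitly rather than relying only on deleteOnExit(), which
            // runs only when the JVM terminates normally.
            Files.deleteIfExists(tmp);
        }
    }
}
```

Compile and run with {{javac LockedTempFile.java && java LockedTempFile}}. The explicit {{Files.deleteIfExists}} in the outer {{finally}} is what keeps an abnormal exit from leaving the temporary file behind; a second copy of the program started while the first holds the lock will see {{tryLock()}} return null on platforms that enforce the lock across processes.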
According to the Java API \[[API 062006|AA. Java References#API 06]\] Class {{File}}, method {{deleteOnExit()}} documentation:
...
References
\[[API 062006|AA. Java References#API 06]\] Class {{File}}, methods {{createTempFile}}, {{delete}}, {{deleteOnExit}}
\[[Darwin 042004|AA. Java References#Darwin 04]\] 11.5 Creating a Transient File
\[[SDN 082008|AA. Java References#SDN 08]\] Bug IDs: 4171239, 4405521, 4635827, 4631820
\[[Secunia 082008|AA. Java References#Secunia 08]\] [Secunia Advisory 20132|http://secunia.com/advisories/20132/]
\[[CVE 082008|AA. Java References#CVE 08]\] [CVE-2008-5354|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5354]
\[[MITRE 092009|AA. Java References#MITRE 09]\] [CWE ID 459|http://cwe.mitre.org/data/definitions/459.html] "Incomplete Cleanup", [CWE ID 377|http://cwe.mitre.org/data/definitions/377.html] "Insecure Temporary File"
...