...
According to the Java Tutorials \[[Tutorials 082008|AA. Java References#Tutorials 08]\]: |
...
This noncompliant code example demonstrates the {{JarRunner}} application, which can be used to dynamically execute a particular class residing within a JAR file (abridged version of the class in [Tutorials 082008]). It creates a {{JarClassLoader}} that loads an application update, plug-in, or patch over an untrusted network such as the Internet. The URL from which to fetch the code is specified as the first argument (for example, http://somewebsite.com/software-updates.jar), and any further arguments are passed on to the loaded class. Reflection is used to invoke the {{main}} method of the loaded class. Unfortunately, by default, {{JarClassLoader}} verifies the signature using the public key contained within the JAR file.
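The check the noncompliant example leaves out is shown below as an added example; it is not part of the Java Tutorials {{JarRunner}} code or of this page. The class name {{TrustedJarRunner}}, the method {{loadVerifiedClass}}, and the keystore file {{trusted.jks}} with its password are assumptions. Instead of accepting whatever certificate the downloaded JAR carries, the loader compares each signer's certificate against a keystore the operator controls, and it defines the class without initializing it so that no code from the JAR runs before that comparison is made.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.CodeSigner;
import java.security.CodeSource;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical class (not from the Java Tutorials or the CERT page): loads a
// class from a signed JAR and refuses to run it unless every signer certificate
// is one the local operator has placed in a trusted keystore.
public final class TrustedJarRunner {

    private final Set<Certificate> trustedSigners = new HashSet<>();

    // keystorePath and password are assumed inputs (for example a JKS file
    // holding only the publisher's code-signing certificate).
    public TrustedJarRunner(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                trustedSigners.add(ks.getCertificate(alias));
            }
        }
    }

    // Defines the class without initializing it (initialize = false), so no
    // static initializer from the JAR runs before its signers are checked.
    public Class<?> loadVerifiedClass(URL jarUrl, String className) throws Exception {
        URLClassLoader loader = new URLClassLoader(new URL[] { jarUrl });
        Class<?> cls = Class.forName(className, false, loader);

        // The built-in JAR verification only shows that the entry is consistent
        // with the certificate shipped inside the JAR. Whether that certificate
        // is trusted must be decided here, against our own keystore.
        CodeSource src = cls.getProtectionDomain().getCodeSource();
        CodeSigner[] signers = (src == null) ? null : src.getCodeSigners();
        if (signers == null || signers.length == 0) {
            // Unsigned entries in a signed JAR carry no signers and land here.
            throw new SecurityException(className + " is not signed");
        }
        for (CodeSigner signer : signers) {
            List<? extends Certificate> chain = signer.getSignerCertPath().getCertificates();
            Certificate leaf = chain.get(0); // the signer's own certificate
            if (leaf instanceof X509Certificate) {
                ((X509Certificate) leaf).checkValidity(); // rejects expired / not-yet-valid
            }
            if (!trustedSigners.contains(leaf)) {
                throw new SecurityException(className + " is signed by an untrusted certificate");
            }
        }
        return cls;
    }

    // Usage mirrors the JarRunner shape: <jar URL> <class name> [args...]
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: TrustedJarRunner <jar-url> <class> [args...]");
            System.exit(1);
        }
        // "trusted.jks" and its password are placeholders for the operator's keystore.
        TrustedJarRunner runner = new TrustedJarRunner("trusted.jks", "changeit".toCharArray());
        Class<?> cls = runner.loadVerifiedClass(new URL(args[0]), args[1]);
        // Only now is the class initialized, by invoking its main method.
        Method mainMethod = cls.getMethod("main", String[].class);
        String[] rest = Arrays.copyOfRange(args, 2, args.length);
        mainMethod.invoke(null, (Object) rest);
    }
}
```

The comparison uses {{Certificate.equals}}, which matches on the encoded certificate, so only the exact certificate placed in the keystore is accepted; a JAR whose signer certificate was issued by a CA but is not itself in the keystore is rejected, which is the conservative choice for a self-updating application. The class is requested by name rather than taken from a manifest entry so that the download cannot redirect execution to a different entry point.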
...
References
\[[API 062006|AA. Java References#API 06]\]
\[[Gong 032003|AA. Java References#Gong 03]\] 12.8.3 jarsigner
\[[Eclipse 082008|AA. Java References#Eclipse 08]\] [JAR Signing|http://wiki.eclipse.org/JAR_Signing] and [Signed bundles and protecting against malicious code|http://help.eclipse.org/stable/index.jsp?topic=/org.eclipse.platform.doc.isv/guide]
\[[Halloway 012001|AA. Java References#Halloway 01]\]
\[[Flanagan 052005|AA. Java References#Flanagan 05]\] Chapter 24. The java.util.jar Package
\[[Oaks 012001|AA. Java References#Oaks 01]\] Chapter 12: Digital Signatures, Signed Classes
\[[Tutorials 082008|AA. Java References#Tutorials 08]\] [The JarRunner Class|http://java.sun.com/docs/books/tutorial/deployment/jar/jarrunner.html], [Lesson: API and Tools Use for Secure Code and File Exchanges|http://java.sun.com/docs/books/tutorial/security/sigcert/index.html] and [Verifying Signed JAR Files|http://java.sun.com/docs/books/tutorial/deployment/jar/verify.html]
\[[JarSpec 082008|AA. Java References#JarSpec 08]\] Signature Validation
\[[Bea 082008|AA. Java References#Bea 08]\]
\[[Muchow 012001|AA. Java References#Muchow 01]\]
\[[MITRE 092009|AA. Java References#MITRE 09]\] [CWE ID 300|http://cwe.mitre.org/data/definitions/300.html] "Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle')", [CWE ID 319|http://cwe.mitre.org/data/definitions/319.html] "Cleartext Transmission of Sensitive Information", [CWE ID 494|http://cwe.mitre.org/data/definitions/494.html] "Download of Code Without Integrity Check", [CWE ID 347|http://cwe.mitre.org/data/definitions/347.html] "Improperly Verified Signature"
...