Versions Compared

Comment: removed the bit about "The length of the new String is a function of the charset, and for that reason may not be equal to the length of the byte array." as this has nothing to do with the contents of the string.

...

According to the Java API [API 2014] for the String class:

The length of the new String is a function of the charset, and for that reason may not be equal to the length of the byte array. The behavior of this constructor when the given bytes are not valid in the given charset is unspecified.

...

This compliant solution explicitly specifies the intended character encoding used to create the string as the second argument to the String constructor.

FileInputStream fis = null;
try {
  fis = new FileInputStream("SomeFile");
  DataInputStream dis = new DataInputStream(fis);
  byte[] data = new byte[1024];
  dis.readFully(data);
  String result = new String(data, "UTF-16LE");
} catch (IOException x) {
  // handle error
} finally {
  if (fis != null) {
    try {
      fis.close();
    } catch (IOException x) {
      // Forward to handler
    }
  }
}
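
The API text quoted above leaves the result unspecified when the bytes are not valid in the named charset. The following added example (not part of the original rule; the class name `StrictDecodeExample`, the method `decodeStrict`, and the sample bytes are constructed for illustration) uses a `CharsetDecoder` configured to report errors, so such input is rejected explicitly instead of being decoded to an unpredictable string:

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CharsetDecoder;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

public class StrictDecodeExample {

  // Decodes data as UTF-16LE and throws, rather than substituting
  // characters, when the bytes are not valid in that charset.
  static String decodeStrict(byte[] data) throws CharacterCodingException {
    CharsetDecoder decoder = StandardCharsets.UTF_16LE.newDecoder()
        .onMalformedInput(CodingErrorAction.REPORT)
        .onUnmappableCharacter(CodingErrorAction.REPORT);
    return decoder.decode(ByteBuffer.wrap(data)).toString();
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample: "Hi" followed by U+00E9, encoded as UTF-16LE.
    byte[] valid = {0x48, 0x00, 0x69, 0x00, (byte) 0xE9, 0x00};
    // Constructed sample: "H" followed by an unpaired low surrogate
    // (U+DC00), which is not valid UTF-16.
    byte[] invalid = {0x48, 0x00, 0x00, (byte) 0xDC};

    String ok = decodeStrict(valid);
    System.out.println(ok + " (" + ok.length() + " chars from "
        + valid.length + " bytes)");

    // The same bytes read under a different charset yield a different
    // string: the mismatch an explicit, agreed encoding prevents.
    String wrong = new String(valid, StandardCharsets.ISO_8859_1);
    System.out.println("ISO-8859-1 view has " + wrong.length() + " chars");

    try {
      decodeStrict(invalid);
      System.out.println("unexpected: invalid input accepted");
    } catch (CharacterCodingException e) {
      System.out.println("rejected invalid UTF-16LE input: " + e);
    }
  }
}
```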

...

Sound automated detection of this vulnerability is not feasible.

Bibliography