Under Construction


A field declared public and static, but not final, can be read and overwritten by any code that runs in the same Java runtime environment, including untrusted code. When such a field holds security-sensitive state, untrusted code can silently replace it and redirect the behaviour of every caller that relies on it.

Noncompliant code example


Code Block


package org.apache.xpath.compiler;

public class FunctionTable {

  // Public, static and non-final: any class that can name FunctionTable
  // can assign a new table to this field.
  public static FuncLoader m_functions;

}

Any code that can reference the class, trusted or not, can replace the whole function table with a single assignment:

Code Block



// <new_table> stands for a FuncLoader supplied by the attacker
FunctionTable.m_functions = <new_table>;

Replacing the function table gives the attacker control over which code runs when an XPath expression is evaluated, and through that code access to the XPathContext used for the evaluation. Static variables are global to their class, and so effectively to the Java runtime environment that loaded it: every class that can see FunctionTable reads and writes the same value. They can therefore be used as a communication channel between different application domains, for example between code loaded by different class loaders, whenever the defining class is visible to both.

...

Compliant solution: reduce the scope of static fields. Declaring the field private keeps it under the control of the class that owns it; other code can then reach the table only through whatever methods the class chooses to expose.

Code Block



package org.apache.xpath.compiler;

public class FunctionTable {

  // Private: only FunctionTable itself can read or assign the table.
  private static FuncLoader m_functions;

}


Compliant solution: make public static fields final. If the field must remain public, declaring it final prevents any code from reassigning the reference. Note that final protects only the reference, not the object it points to: if FuncLoader exposes mutable state, code holding the reference can still alter the table's contents, so the referenced object must itself be immutable (or the field made private as above) for this to be a complete fix.

Code Block



package org.apache.xpath.compiler;

public class FunctionTable {

  // Final: the reference is assigned exactly once and cannot be replaced.
  // A blank final static field must be assigned at its declaration or in a
  // static initializer before the class will compile; how the loader is
  // constructed is not shown here.
  public static final FuncLoader m_functions;

}
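The attack described above and the two compliant solutions, side by side in one runnable program. This is an added example and not Apache Xalan's code: a Map from function name to implementation stands in for FuncLoader, the three nested classes Open, FinalOnly and Sealed are invented for the demonstration, and the Untrusted class plays the role of code the application never meant to trust. It also shows the caveat that final alone does not protect a mutable object.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.function.UnaryOperator;

public class StaticTableDemo {

    // Minimal stand-in for Xalan's FuncLoader: a table mapping a function
    // name to the code that implements it (constructed here, not real XPath).
    static Map<String, UnaryOperator<String>> baseTable() {
        Map<String, UnaryOperator<String>> m = new HashMap<>();
        m.put("upper", String::toUpperCase);
        return m;
    }

    // Look a function up in a table and run it, the way an XPath evaluator
    // consults the function table for each call in an expression.
    static String dispatch(Map<String, UnaryOperator<String>> table, String fn, String arg) {
        UnaryOperator<String> f = table.get(fn);
        if (f == null) {
            throw new IllegalArgumentException("unknown function: " + fn);
        }
        return f.apply(arg);
    }

    // 1. Noncompliant: public, static and non-final. Any class that can name
    //    Open can assign a new table.
    static class Open {
        public static Map<String, UnaryOperator<String>> m_functions = baseTable();
    }

    // 2. Final but still exposed: the reference can no longer be replaced, but
    //    the HashMap it points to is mutable, so its entries can be.
    static class FinalOnly {
        public static final Map<String, UnaryOperator<String>> m_functions = baseTable();
    }

    // 3. Compliant: private, final, and wrapped in an unmodifiable view, so
    //    neither the reference nor the contents can be changed from outside.
    static class Sealed {
        private static final Map<String, UnaryOperator<String>> m_functions =
                Collections.unmodifiableMap(baseTable());

        static String call(String fn, String arg) {
            return dispatch(m_functions, fn, arg);
        }

        // Even if a caller obtains the map, it is read-only.
        static Map<String, UnaryOperator<String>> view() {
            return m_functions;
        }
    }

    // Plays the part of code the application did not mean to trust. It needs
    // no special privilege: a plain reference to the class is enough.
    static class Untrusted {
        static void attack() {
            UnaryOperator<String> evil = s -> "hijacked(" + s + ")";

            Map<String, UnaryOperator<String>> table = new HashMap<>();
            table.put("upper", evil);
            Open.m_functions = table;                 // whole table swapped out

            FinalOnly.m_functions.put("upper", evil); // entry overwritten in place

            // Sealed.m_functions = table;   // does not compile: private and final
        }
    }

    public static void main(String[] args) {
        Untrusted.attack();

        // After the attack, the first two lookups run the attacker's code;
        // the sealed table still runs the original implementation.
        System.out.println("open:      " + dispatch(Open.m_functions, "upper", "abc"));
        System.out.println("finalOnly: " + dispatch(FinalOnly.m_functions, "upper", "abc"));
        System.out.println("sealed:    " + Sealed.call("upper", "abc"));

        try {
            Sealed.view().put("upper", s -> "hijacked(" + s + ")");
        } catch (UnsupportedOperationException e) {
            System.out.println("sealed:    mutation rejected (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

Compile and run it with `javac StaticTableDemo.java && java StaticTableDemo`. The Open and FinalOnly tables both end up dispatching to the attacker's implementation, which is the point of the caveat on final: it pins the reference, not the object. Only the Sealed variant, with a private final field holding an unmodifiable map, rejects both the reassignment (at compile time) and the in-place mutation (at run time).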