...
This noncompliant code example is adapted from JDK v1.4.2 [FT 2008]. It declares a function table whose loader is held in a public static nonfinal field, so any code that can reach the class can reassign it.
```java
package org.apache.xpath.compiler;

public class FunctionTable {
  public static FuncLoader m_functions;
}
```
An attacker can replace the function table with one under their control as follows:

```java
// new_table is a FuncLoader instance supplied by the attacker
FunctionTable.m_functions = new_table;
```
...
This compliant solution declares the FuncLoader static field final and treats it as a constant. Because the field is final, it must be assigned exactly once, in a static initialization block (a constructor cannot assign a static final field).

```java
public static final FuncLoader m_functions;
// Initialize m_functions in a static initialization block
```
Fields declared static and final are also safe for multithreaded use. (See rule TSM03-J. Do not publish partially initialized objects for more information.) However, remember that simply changing the modifier to final might not prevent attackers from indirectly retrieving an incorrect value from the static final variable before its initialization. (See rule DCL00-J. Prevent class initialization cycles for more information.) Furthermore, individual members of the referenced object can still be changed if the object itself is mutable; final protects the reference, not the state it points to.
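The mutable-object caveat is the one most often missed, so here is an added example (not code from the original rule or from the JDK) that uses a hypothetical `Map`-backed function table in place of the JDK's `FuncLoader`. It shows that a `public static final` reference to a mutable map still lets any caller rewrite entries, and how a `private static final` field populated in a static initialization block and exposed only through an unmodifiable view closes that hole. The class and method names (`MutableTable`, `SafeTable`, `lookup`, `view`) are assumptions for the demonstration.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

// Added example, not part of the original page: "final" protects the
// reference, not the object it points to.
public final class FunctionTableDemo {

    // Noncompliant: the reference is final, but the HashMap it points to is
    // mutable, so any code in the JVM can replace the registered functions.
    static final class MutableTable {
        public static final Map<String, Runnable> FUNCTIONS = new HashMap<>();
        static {
            FUNCTIONS.put("hello", () -> System.out.println("hello"));
        }
    }

    // Compliant: private final reference, assigned once in a static
    // initialization block, and published only as an unmodifiable view.
    static final class SafeTable {
        private static final Map<String, Runnable> FUNCTIONS;
        static {
            Map<String, Runnable> m = new HashMap<>();
            m.put("hello", () -> System.out.println("hello"));
            FUNCTIONS = Collections.unmodifiableMap(m);
        }

        public static Runnable lookup(String name) {
            return FUNCTIONS.get(name);
        }

        public static Map<String, Runnable> view() {
            return FUNCTIONS; // callers cannot mutate this view
        }
    }

    public static void main(String[] args) {
        // Attacker-controlled code running in the same JVM swaps the entry
        // behind the "final" field because the Map itself is mutable; the
        // next lookup runs the attacker's Runnable.
        MutableTable.FUNCTIONS.put("hello", () -> System.out.println("hijacked"));
        MutableTable.FUNCTIONS.get("hello").run();

        // The same attempt against the compliant table is rejected at runtime
        // by the unmodifiable wrapper, and the original entry still runs.
        try {
            SafeTable.view().put("hello", () -> System.out.println("hijacked"));
        } catch (UnsupportedOperationException e) {
            System.out.println("modification rejected: " + e);
        }
        SafeTable.lookup("hello").run();
    }
}
```

Returning an unmodifiable view is sufficient only because the map's values (here `Runnable` lambdas) are themselves not exposing mutable state; if the values were mutable objects, the accessor would also need to return defensive copies.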
...
This noncompliant code example uses a public static nonfinal serialVersionUID field in a class designed for serialization.
```java
import java.io.Serializable;

class DataSerializer implements Serializable {
  // Public and nonfinal: any caller can reassign the version identifier
  public static long serialVersionUID = 1973473122623778747L;
  // ...
}
```
...
This compliant solution declares the serialVersionUID field final and private.
```java
import java.io.Serializable;

class DataSerializer implements Serializable {
  // Private and final: the serialization runtime still reads it reflectively,
  // but no other code can reassign it
  private static final long serialVersionUID = 1973473122623778747L;
}
```
...
[FT 2008] Function Table, Class FunctionTable
9.3, Static Fields
Antipattern 5, Misusing Public Static Variables