...

This noncompliant code example shows a vulnerability present in several versions of the Tomcat HTTP web server (fixed in version 6.0.20) that allowed an untrusted web application to override the default XML parser used by the system to process the web.xml, context.xml and tag library descriptor (TLD) files of other web applications deployed on the same Tomcat instance. Consequently, an untrusted web application that installed its own parser could view and/or alter those files under certain circumstances.

The noncompliant code example shows the code associated with initialization of a new {{Digester}} instance in the {{org.apache.catalina.startup.ContextConfig}} class. "A {{Digester}} processes an XML input stream by matching a series of element nesting patterns to execute Rules that have been added prior to the start of parsing" [Tomcat 2009]. The code to initialize the {{Digester}} follows:

Code Block

import org.apache.tomcat.util.digester.Digester;

// One Digester is shared by every web application deployed on this Tomcat instance;
// it is created lazily, so whichever deployment runs first decides how it is configured.
protected static Digester webDigester = null;

if (webDigester == null) {
  webDigester = createWebDigester();
}
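The root of the problem described above is that a lazily created, statically shared XML parser is resolved through whatever thread context class loader happens to be active on first use, and the result is then reused for every other web application. The following is an added example (not code from Tomcat or from this guideline) that contrasts that lazy, loader-dependent pattern with a parser that is resolved eagerly while the context loader is pinned to the container's own loader, plus a check that rejects a provider defined by a loader outside the container's delegation chain. The class name `ParserPinningDemo`, the use of this class's own loader as the stand-in "container" loader, and the `URLClassLoader` used to simulate a web application's loader are all assumptions made for the example.

```java
import java.net.URL;
import java.net.URLClassLoader;
import javax.xml.parsers.SAXParserFactory;

/**
 * Added example, not Tomcat's code: demonstrates why a shared, lazily created
 * JAXP parser inherits the first caller's context class loader, and how a
 * container can pin parser resolution to a loader it trusts.
 */
public class ParserPinningDemo {

    // Assumption for the demo: the loader that defined this class plays the
    // role of the container's (trusted) class loader.
    static final ClassLoader CONTAINER_LOADER = ParserPinningDemo.class.getClassLoader();

    // Noncompliant pattern: the provider is looked up through
    // Thread.currentThread().getContextClassLoader() of whoever calls first,
    // and that single instance is then shared with every later caller.
    private static SAXParserFactory sharedFactory;

    static synchronized SAXParserFactory lazySharedFactory() {
        if (sharedFactory == null) {
            sharedFactory = SAXParserFactory.newInstance();
        }
        return sharedFactory;
    }

    // Hardened pattern: resolve the provider while the context loader is pinned
    // to the container loader, restore the caller's loader afterwards, and call
    // this once at container startup rather than on a web application's request.
    static SAXParserFactory pinnedFactory() {
        Thread t = Thread.currentThread();
        ClassLoader saved = t.getContextClassLoader();
        t.setContextClassLoader(CONTAINER_LOADER);
        try {
            return SAXParserFactory.newInstance();
        } finally {
            t.setContextClassLoader(saved);
        }
    }

    // Defensive check: a provider is trusted only if it was defined by the
    // bootstrap loader (null, i.e. the JDK's built-in parser) or by the trusted
    // loader or one of its ancestors. A web application's loader is a *child*
    // of the container loader, so classes it defines fail this check.
    static boolean isTrustedLoader(ClassLoader providerLoader, ClassLoader trusted) {
        if (providerLoader == null) {
            return true;
        }
        for (ClassLoader c = trusted; c != null; c = c.getParent()) {
            if (c == providerLoader) {
                return true;
            }
        }
        return false;
    }

    static boolean isTrustedProvider(SAXParserFactory f, ClassLoader trusted) {
        return isTrustedLoader(f.getClass().getClassLoader(), trusted);
    }

    public static void main(String[] args) {
        // Constructed stand-in for a web application's class loader: a child of
        // the container loader with no extra classes of its own.
        ClassLoader webappLoader = new URLClassLoader(new URL[0], CONTAINER_LOADER);

        Thread t = Thread.currentThread();
        ClassLoader before = t.getContextClassLoader();

        SAXParserFactory pinned = pinnedFactory();
        System.out.println("context loader restored after pinning: "
                + (t.getContextClassLoader() == before));
        System.out.println("pinned provider trusted: "
                + isTrustedProvider(pinned, CONTAINER_LOADER));

        // The check itself, exercised on the three loader relationships that matter.
        System.out.println("bootstrap provider trusted: "
                + isTrustedLoader(null, CONTAINER_LOADER));
        System.out.println("container-defined provider trusted: "
                + isTrustedLoader(CONTAINER_LOADER, CONTAINER_LOADER));
        System.out.println("webapp-defined provider trusted: "
                + isTrustedLoader(webappLoader, CONTAINER_LOADER));
    }
}
```

Run with `java ParserPinningDemo.java` (JDK 11 or later). The first four lines print `true`; the last prints `false`, because the simulated web application loader sits below the container loader in the delegation hierarchy rather than above it. In a real container the same check can be applied to the parser that `createWebDigester()` ends up using, and parser creation should happen during container initialization, before any web application code has had a chance to change the thread context class loader.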

...

Secure Coding Guidelines for the Java Programming Language, Version 3.0

Guideline 6-3. Safely invoke standard APIs that bypass SecurityManager checks depending on the immediate caller's class loader

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cdf70e66-fb9e-448c-b422-c1b23f708d25"><ac:plain-text-body><![CDATA[
[CVE 2011] CVE-2009-0783, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9660b794-e1c6-439f-ae31-dfadf120e5cf"><ac:plain-text-body><![CDATA[
[Gong 2003] Section 4.3.2, Class Loader Delegation Hierarchy
]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8e0a9630-cc4b-48b7-a513-d75abc77915a"><ac:plain-text-body><![CDATA[
[JLS 2005] §4.3.2, The Class Object
]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="492da4a6-16f0-4187-a648-3a94b1726d34"><ac:plain-text-body><![CDATA[
[Tomcat 2009] Bug ID 29936, https://issues.apache.org/bugzilla/show_bug.cgi?id=29936; API Class org.apache.tomcat.util.digester.Digester; Security fix in v 6.0.20, http://tomcat.apache.org/security-6.html
]]></ac:plain-text-body></ac:structured-macro>

...