...
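/**
 * Noncompliant code example: the logging path can itself throw.
 *
 * {@code logMessage} opens the log file and acquires a file lock before
 * writing, and each of those steps can fail. Every catch handler below reacts
 * by calling {@code logMessage} again, so:
 * <ul>
 *   <li>the original message (here, the security exception being reported)
 *       is replaced by a generic one and is lost;</li>
 *   <li>a failure that persists -- for example, the log file cannot be opened
 *       -- makes the handlers recurse without bound until a
 *       {@code StackOverflowError} terminates the thread, turning a logging
 *       fault into a denial of service of the code that tried to log;</li>
 *   <li>a failure while releasing the lock or closing the stream in
 *       {@code finally} is rethrown as an unchecked exception from what the
 *       caller expects to be a best-effort logging call.</li>
 * </ul>
 * A logging facility whose log call does not propagate exceptions to the
 * caller (such as {@code java.util.logging.Logger}) avoids all three problems.
 *
 * Minor issues kept as in the original: the log path is relative to the
 * working directory, and {@code getBytes()} uses the platform default charset.
 */
public class ExceptionLog implements Runnable {

    /**
     * Appends {@code message} to {@code log_file.txt} under an exclusive file
     * lock and echoes it to {@code System.err}.
     *
     * Noncompliant: any exception on the logging path is handled by recursing
     * into this method, which loses the message and can recurse indefinitely.
     *
     * @param message the text to log
     * @throws RuntimeException if releasing the lock or closing the file fails
     */
    public void logMessage(String message) {
        FileOutputStream fo = null;
        FileLock lock = null;
        try {
            // Opening the file can throw (e.g. FileNotFoundException) and
            // prevent logging altogether.
            fo = new FileOutputStream("log_file.txt", true);

            // Lock the file so only one thread can write a log message at a
            // time. This can throw OverlappingFileLockException when another
            // thread in this JVM already holds or is waiting for the lock.
            lock = fo.getChannel().lock();

            // Output the log message.
            System.err.println(message);
            fo.write((message + "\n").getBytes());
        }
        // Each handler re-enters logMessage: the original message is lost,
        // and if the cause persists the recursion never terminates.
        catch (FileNotFoundException e) {
            logMessage("File Not Found Exception.");
        } catch (IOException e) {
            logMessage("IO Exception.");
        } catch (OverlappingFileLockException e) {
            logMessage("Cannot access file.");
        } finally {
            // Clean up by releasing the file lock and closing the file.
            try {
                if (lock != null) {
                    lock.release();
                }
                if (fo != null) {
                    fo.close();
                }
            } catch (IOException e) {
                // Cleanup failure escapes to the caller as an unchecked
                // exception, so even the catch-and-log site above can fail.
                throw new RuntimeException(e);
            }
        }
    }

    /**
     * Simulates work that may raise a {@code SecurityException} and reports
     * it through {@link #logMessage(String)}.
     */
    public void run() {
        try {
            // Some security exception occurs here.
        } catch (SecurityException se) {
            // If logMessage fails, the security event is never recorded.
            logMessage("Security Exception has occurred!");
        }
    }

    /**
     * Starts 20 threads that each log through their own {@code ExceptionLog},
     * contending for the same file and lock.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        // Start multiple threads logging messages.
        for (int x = 1; x <= 20; x++) {
            (new Thread(new ExceptionLog())).start();
        }
    }
}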
...
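/**
 * Compliant solution: log through {@link java.util.logging.Logger}.
 *
 * {@code Logger.log} does not propagate exceptions to the caller while
 * logging a message, so the handler for the security exception cannot itself
 * fail, the message is not lost, and no recursion is needed. One logger with
 * one {@link java.util.logging.FileHandler} is configured in {@code main} and
 * shared by all threads; {@code Logger} serializes access to its handlers, so
 * no explicit file lock is required.
 *
 * Caveat: the message logged here is a fixed literal. If untrusted data is
 * ever included in a log message, it should be sanitized (at least strip CR
 * and LF) before logging so an attacker cannot forge log entries.
 */
public class ExceptionLog implements Runnable {

    /** Shared logger; never null after construction. */
    private final Logger logger;

    /** Identifier of this worker, prefixed to every message it logs. */
    private final Integer id;

    /**
     * @param i identifier of this worker, included in each logged message
     * @param l the shared logger to write to
     */
    public ExceptionLog(Integer i, Logger l) {
        logger = l;
        id = i;
    }

    /**
     * Logs {@code message} at {@link Level#WARNING}, prefixed with this
     * worker's id.
     *
     * Note that the Java Logger class does not throw exceptions while
     * logging a message, so this method cannot fail the caller's handler.
     *
     * @param message the text to log
     */
    public void logMessage(String message) {
        logger.log(Level.WARNING, "From " + id + ": " + message);
    }

    /**
     * Simulates work that may raise a {@code SecurityException} and reports
     * it through {@link #logMessage(String)}.
     */
    @Override
    public void run() {
        try {
            // Some security exception occurs here.
        } catch (SecurityException se) {
            logMessage("Security Exception has occurred!");
        }
    }

    /**
     * Configures the shared logger and starts 20 worker threads.
     *
     * @param args ignored
     * @throws RuntimeException if the file handler cannot be created
     *         (wrapping the {@code IOException} or {@code SecurityException})
     */
    public static void main(String[] args) {
        try {
            // Set up the shared logger for use by the multiple threads.
            // Handler creation can fail; that happens once, here, rather than
            // on every logging call.
            Logger logger = Logger.getLogger("MyLog");
            FileHandler fh = new FileHandler("log_file.txt", true);
            logger.addHandler(fh);
            logger.setLevel(Level.ALL);
            SimpleFormatter formatter = new SimpleFormatter();
            fh.setFormatter(formatter);

            // Start multiple threads for logging messages.
            for (int x = 1; x <= 20; x++) {
                (new Thread(new ExceptionLog(x, logger))).start();
            }
        } catch (SecurityException e) {
            // This is unexpected.
            throw new RuntimeException(e);
        } catch (IOException e) {
            // This is unexpected.
            throw new RuntimeException(e);
        }
    }
}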
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[API 06] Class Logger — http://java.sun.com/javase/6/docs/api/java/util/logging/Logger.html
[JLS 05] Chapter 11, Exceptions — http://java.sun.com/docs/books/jls/third_edition/html/exceptions.html
...