Versions Compared

Comment: Tidied up the English in the NCCE

...

The storeDateinDB() method accepts an untrusted date argument and attempts to make a defensive copy using the clone() method. Because clone() on a java.util.Date subclass returns an instance of that same subclass, the copy still carries the attacker's overrides. An attacker can override the getTime() method so that it returns a time that passes validation when getTime() is called for the first time but returns an unexpected value when it is called a second time.

Code Block
public class MaliciousDate extends java.util.Date {
  // Shared across all instances, including any clone() of this object,
  // so the call counter survives the defensive copy.
  private static int count = 0;

  @Override
  public long getTime() {
    java.util.Date d = new java.util.Date();
    // First call (count == 0): one second in the past, which passes validation.
    // Second call (count == 1): the current time, a different value than was validated.
    return (count++ == 1) ? d.getTime() : d.getTime() - 1000;
  }
}

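The whole flow the paragraph describes, as an added Java example that is not the wiki's own code: a handler that copies with clone() stores a value different from the one it validated, while a handler that copies with the java.util.Date copy constructor stores exactly what it checked. The validation rule (the date must not lie in the future) and the method names storeDateinDBViaClone / storeDateinDBViaCopyCtor are assumptions made for this example.

```java
import java.util.Date;

// Attacker-controlled subclass from the NCCE: lies on the second getTime() call.
class MaliciousDate extends Date {
  private static int count = 0;

  @Override
  public long getTime() {
    Date d = new Date();
    return (count++ == 1) ? d.getTime() : d.getTime() - 1000;
  }
}

class DateHandler {
  private Date date;

  // Noncompliant: clone() of a Date subclass is still that subclass, so the
  // "copy" keeps the overridden getTime() and the shared static counter.
  public long storeDateinDBViaClone(Date arg) {
    Date copy = (Date) arg.clone();
    long checked = validate(copy);   // first getTime() call: passes
    this.date = copy;                // later reads call getTime() again
    return checked;
  }

  // Compliant: the copy constructor snapshots the millis into a plain Date,
  // so every later read returns exactly the value that was validated.
  public long storeDateinDBViaCopyCtor(Date arg) {
    Date copy = new Date(arg.getTime());
    long checked = validate(copy);
    this.date = copy;
    return checked;
  }

  // Assumed rule for this example: the date must not be in the future.
  private static long validate(Date d) {
    long millis = d.getTime();
    if (millis > System.currentTimeMillis()) {
      throw new IllegalArgumentException("date must not be in the future");
    }
    return millis;
  }

  public long storedTime() { return date.getTime(); }
}

public class DefensiveCopyDemo {
  public static void main(String[] args) {
    DateHandler h = new DateHandler();
    long checked = h.storeDateinDBViaClone(new MaliciousDate());
    long stored = h.storedTime();    // roughly 1000 ms later than 'checked'
    System.out.println("clone:    validated " + checked + ", stored " + stored + ", drift " + (stored - checked) + " ms");
    long checked2 = h.storeDateinDBViaCopyCtor(new MaliciousDate());
    System.out.println("copy ctor: validated " + checked2 + ", stored " + h.storedTime() + ", equal " + (checked2 == h.storedTime()));
  }
}
```

The clone-based handler reports a drift of about 1000 ms between the validated and stored values; the copy-constructor handler reports equal.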
...