...

If untrusted code is permitted to load classes, it may possess the ability to load a malicious class. This is a class that shares a fully-qualified name with a benign class that is required by trusted code. When the trusted code tries to load its benign class, the JVM provides it with the malicious class instead. As a result, if a program permits untrusted code to load classes, it must first preload any benign classes it needs. Once properly loaded, these benign classes cannot be replaced by untrusted code.
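One way to do the preloading described above, as an added example that is not code from the original page. The class name `SensitiveClassPreloader`, the `SENSITIVE` list and the choice of the two JAXP factory classes are assumptions made for illustration; Java 9 or later is assumed.

```java
import java.util.List;

// Added example: hypothetical startup code, not taken from the original page.
public final class SensitiveClassPreloader {
    // Constructed list: classes the trusted code depends on (assumption for this demo).
    private static final List<String> SENSITIVE = List.of(
        "javax.xml.parsers.DocumentBuilderFactory",
        "javax.xml.parsers.SAXParserFactory");

    private SensitiveClassPreloader() {}

    /** Loads and initializes every sensitive class through the trusted loader. */
    static void preload(ClassLoader trusted) {
        for (String name : SENSITIVE) {
            final Class<?> c;
            try {
                // initialize=true also runs static initializers now, before untrusted code exists
                c = Class.forName(name, true, trusted);
            } catch (ClassNotFoundException e) {
                // Fail closed: do not start untrusted code with a sensitive class left unloaded
                throw new IllegalStateException("cannot preload " + name, e);
            }
            if (!definedByTrustedChain(c, trusted)) {
                throw new SecurityException(name + " was defined by an unexpected loader");
            }
        }
    }

    /** True if the class was defined by the trusted loader or one of its ancestors. */
    static boolean definedByTrustedChain(Class<?> c, ClassLoader trusted) {
        ClassLoader definer = c.getClassLoader(); // null means the bootstrap loader
        if (definer == null) {
            return true;
        }
        for (ClassLoader l = trusted; l != null; l = l.getParent()) {
            if (l == definer) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        preload(SensitiveClassPreloader.class.getClassLoader());
        System.out.println("sensitive classes preloaded; untrusted code may now be started");
    }
}
```

Call `preload` before any code path that hands control, or a class loader, to untrusted code.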

...

[CVE 2011] CVE-2009-0783 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783)

[Gong 2003] Section 4.3.2, Class Loader Delegation Hierarchy

[JLS 2005] §4.3.2, The Class Object

[Tomcat 2009] Bug ID 29936 (https://issues.apache.org/bugzilla/show_bug.cgi?id=29936), API Class org.apache.tomcat.util.digester.Digester, Security fix in v 6.0.20 (http://tomcat.apache.org/security-6.html)

...