SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 41

changes.mady.by.user Tracey Tamules

Saved on

compared with

New Version 42

changes.mady.by.user Tracey Tamules

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d5ad49f90e435bff-929a215d-49e04de7-8ac49611-bce5a0ba4801389598896b3c"><ac:plain-text-body><![CDATA[

[[MITRE 2009

AA. Bibliography#MITRE 09]]

[CWE ID 502

http://cwe.mitre.org/data/definitions/502.html] "Deserialization of Untrusted Data"

]]></ac:plain-text-body></ac:structured-macro>

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8e6dfacc93457915-0b04a0dc-4f8a4ecc-93518291-c73682ba0987807562ef38d4"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

Class Object, Class Hashtable

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6a7084a32d2bf0a6-d76ce74b-4cae4d62-a58db973-7a0f29a5bf181375ff7125aa"><ac:plain-text-body><![CDATA[

[[Bloch 2008

AA. Bibliography#Bloch 08]]

Item 75: "Consider using a custom serialized form"

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8710da682ef20864-6c84145a-456d4ceb-803cbda6-dcfc82c4599c7b96876e78ad"><ac:plain-text-body><![CDATA[

[[Greanier 2000

AA. Bibliography#Greanier 00]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d2135f38ced51311-befc59c6-42e64c6e-90298e0c-5e2366261deb67d2eda13d72"><ac:plain-text-body><![CDATA[

[[Harold 1999

AA. Bibliography#Harold 99]]

Chapter 11: Object Serialization, Validation

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0ad4e2a588440a58-3f1e18c9-42e94c9f-95d49586-f24efcf5961b7b754eaf1b99"><ac:plain-text-body><![CDATA[

[[Hawtin 2008

AA. Bibliography#Hawtin 08]]

Antipattern 8: Believing deserialisation is unrelated to construction

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="15105b3432cca9dc-0f4d122b-400b4a61-bb1c8ddd-ca875fe953bcd821a01ab353"><ac:plain-text-body><![CDATA[

[[SCG 2007

AA. Bibliography#SCG 07]]

Guideline 5-2 View deserialization the same as object construction

]]></ac:plain-text-body></ac:structured-macro>

...

SER07-J. Make defensive copies of private mutable components during deserializationImage Added      16. Serialization (SER)      SER09-J. Minimize privileges before deserializing from a privileged context