SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 85

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 86

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

A weakness in a privileged program caused by relying on untrusted sources such as system properties or the environment (see rule IDS23-J Sanitize Validate all data passed in through environment variables and non-default properties) can result in the execution of a command or of a program that has privileges beyond those possessed by a typical user.

...

Because Runtime.exec() receives unsanitized data originating from the environment (see rule IDS23-J Sanitize Validate all data passed in through environment variables and non-default properties), this code is susceptible to a command injection attack.

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="38a7de0af6ed7f80-75a2ebc6-4d9a47e7-ab70aeab-4ab5023ce1ab3907373eb53b"><ac:plain-text-body><![CDATA[

[CVE-2010-0886]

[Sun Java Web Start Plugin Command Line Argument Injection

http://www.securitytube.net/video/1465]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ac26b66b306b253c-3f7b1690-4484455f-a372962c-c548f5d5f6523f43f0721df6"><ac:plain-text-body><![CDATA[

[CVE-2010-1826]

[Command injection in updateSharingD's handling of Mach RPC messages

http://securitytracker.com/id/1024617]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cd5b5ec99b5d972c-721d27d0-41b442df-850fa078-cd195a4d81d50648a9c61924"><ac:plain-text-body><![CDATA[

[T-472]

[Mac OS X Java Command Injection Flaw in updateSharingD Lets Local Users Gain Elevated Privileges

http://www.doecirc.energy.gov/bulletins/t-472.shtml]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="538c647cb7f3855b-1812c966-4e2a4ccc-b0a4b8d3-2ffa7a8370c30aa054f6e773"><ac:plain-text-body><![CDATA[

[[MITRE 2009

AA. Bibliography#MITRE 09]]

[CWE ID 78

http://cwe.mitre.org/data/definitions/78.html] "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"

]]></ac:plain-text-body></ac:structured-macro>

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ee1e0832addcf0c1-803d95ec-4a444ec8-8e8d9f38-527cde755361c42dab74570e"><ac:plain-text-body><![CDATA[

[[Chess 2007

AA. Bibliography#Chess 07]]

Chapter 5: Handling Input, "Command Injection"]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8877f534fbdbc6c8-b230b3b6-4c4e45d2-a1b48bdb-91a16ac0b1fab6c472b6034a"><ac:plain-text-body><![CDATA[

[[OWASP 2005

AA. Bibliography#OWASP 05]]

[Reviewing Code for OS Injection

http://www.owasp.org/index.php/Reviewing_Code_for_OS_Injection]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f47d1a6d16e7ca65-90b492db-4c494840-836a9bdb-44accdf6b65d17fc5aab9868"><ac:plain-text-body><![CDATA[

[[Permissions 2008

AA. Bibliography#Permissions 08]]

[Permissions in the Java™ SE 6 Development Kit (JDK)

http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html], Sun Microsystems, Inc. (2008)

]]></ac:plain-text-body></ac:structured-macro>

...