directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Felix Knecht <fe...@otego.com>
Subject public static final" array fields are mutable
Date Mon, 17 May 2010 14:05:20 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A final static field references an array and can be accessed by
malicious code or by accident from another package. This code can freely
modify the contents of the array.

What is final is the reference of the array, but not the arrays content
itself. We do have several constructs like this, e.g. in
shared.ldap.util.StringTools [1].

I suggest fixing them using following construct instead:

private static final boolean[] ALPHA_DIGIT_MUTABLE = { ... };
public static final List<Boolean> ALPHA_DIGIT =
  Collections.unmodifiableList (Arrays.asList(ALPHA_DIGIT_MUTABLE));

I now, that this will give some work, because java doesn't allows
primitives here.

OTH it could be considered as not that important and we keep it as is
and consider it as possible security problem.

WDOT?

Felix


[1]
http://people.apache.org/~felixk/shared-docs/xref/org/apache/directory/shared/ldap/util/StringTools.html#154
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvxTSAACgkQ2lZVCB08qHGixACdGZIDf3VR9GDB/8Zwnwom0Ikb
9u4AnibYRJv/TPztT2c5DVIQup1vlWYn
=DDmC
-----END PGP SIGNATURE-----

Mime
View raw message