directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lecharny <elecha...@gmail.com>
Subject Re: public static final" array fields are mutable
Date Mon, 17 May 2010 15:54:46 GMT
I have committed some modification in StringTools (Committed revision 
945224.) to make the arrays private.

On 5/17/10 4:05 PM, Felix Knecht wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> A final static field references an array and can be accessed by
> malicious code or by accident from another package. This code can freely
> modify the contents of the array.
>
> What is final is the reference of the array, but not the arrays content
> itself. We do have several constructs like this, e.g. in
> shared.ldap.util.StringTools [1].
>
> I suggest fixing them using following construct instead:
>
> private static final boolean[] ALPHA_DIGIT_MUTABLE = { ... };
> public static final List<Boolean>  ALPHA_DIGIT =
>    Collections.unmodifiableList (Arrays.asList(ALPHA_DIGIT_MUTABLE));
>
> I now, that this will give some work, because java doesn't allows
> primitives here.
>
> OTH it could be considered as not that important and we keep it as is
> and consider it as possible security problem.
>
> WDOT?
>
> Felix
>
>
> [1]
> http://people.apache.org/~felixk/shared-docs/xref/org/apache/directory/shared/ldap/util/StringTools.html#154
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.15 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkvxTSAACgkQ2lZVCB08qHGixACdGZIDf3VR9GDB/8Zwnwom0Ikb
> 9u4AnibYRJv/TPztT2c5DVIQup1vlWYn
> =DDmC
> -----END PGP SIGNATURE-----
>
>    


-- 
Regards,
Cordialement,
Emmanuel L├ęcharny
www.nextury.com



Mime
View raw message