From: Felix Knecht
To: Apache Directory Developers List
Date: Mon, 17 May 2010 16:05:20 +0200
Subject: "public static final" array fields are mutable

A final static field references an array and can be accessed by malicious code or by accident from another package. This code can freely modify the contents of the array. What is final is the reference of the array, but not the array's content itself.

We do have several constructs like this, e.g. in shared.ldap.util.StringTools [1].

I suggest fixing them using the following construct instead:

    // Needs java.util.Arrays, java.util.Collections and java.util.List.
    // Wrapper type Boolean[]: Arrays.asList() on a boolean[] would give a one-element List<boolean[]>.
    private static final Boolean[] ALPHA_DIGIT_MUTABLE = { ... };
    public static final List<Boolean> ALPHA_DIGIT = Collections.unmodifiableList(Arrays.asList(ALPHA_DIGIT_MUTABLE));

I know that this will give some work, because Java doesn't allow primitives here. OTH it could be considered as not that important and we keep it as is and consider it as a possible security problem.

WDOT?
Felix

[1] http://people.apache.org/~felixk/shared-docs/xref/org/apache/directory/shared/ldap/util/StringTools.html#154
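
Added example, not part of the original message or of the Apache Directory code: it shows the exposed array being modified, why wrapping a primitive array in a list does not help, and two ways to close the hole. The class name FinalArrayDemo and all field and method names are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added example; class, field and method names are hypothetical, not from StringTools.
public class FinalArrayDemo {
    // Before: the reference is final, the elements are not.
    public static final boolean[] EXPOSED = { true, false, true };

    // Pitfall: Arrays.asList on a primitive array yields a one-element
    // List<boolean[]>, so the array is still reachable and writable.
    public static final List<boolean[]> WRAPPED_PRIMITIVE =
        Collections.unmodifiableList(Arrays.asList(EXPOSED.clone()));

    // Fix in the style proposed in the message: private wrapper-type
    // backing array, published only through a read-only view.
    private static final Boolean[] FLAGS_MUTABLE = { true, false, true };
    public static final List<Boolean> FLAGS =
        Collections.unmodifiableList(Arrays.asList(FLAGS_MUTABLE));

    // Alternative that keeps primitives: private array plus a read accessor.
    private static final boolean[] TABLE = { true, false, true };
    public static boolean isSet(int i) {
        return i >= 0 && i < TABLE.length && TABLE[i];
    }

    public static void main(String[] args) {
        EXPOSED[1] = true;                   // any caller in any package can do this
        System.out.println("exposed array now: " + Arrays.toString(EXPOSED));

        WRAPPED_PRIMITIVE.get(0)[1] = true;  // read-only list, writable array inside
        System.out.println("wrapped primitive: "
            + Arrays.toString(WRAPPED_PRIMITIVE.get(0)));

        try {
            FLAGS.set(1, Boolean.TRUE);      // the unmodifiable view rejects writes
        } catch (UnsupportedOperationException e) {
            System.out.println("unmodifiable list: write rejected");
        }
        System.out.println("FLAGS unchanged:   " + FLAGS);
        System.out.println("isSet(1):          " + isSet(1));
    }
}
```

The accessor variant avoids boxing every element, at the cost of changing call sites from array indexing to a method call.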