poi-dev mailing list archives

From moparisthebest <ad...@moparisthebest.com>
Subject Re: [GitHub] poi pull request #78: Add the "final" modifier to public static fields.
Date Wed, 18 Oct 2017 19:31:59 GMT
Just wanted to point out, this only protects against accidents, it does
nothing to protect against malicious code which can just use reflection
to change even final fields.

It's still a good change, just doesn't do as advertised.

On 10/14/2017 03:05 PM, BruceKuiLiu wrote:
> GitHub user BruceKuiLiu opened a pull request:
> 
>     https://github.com/apache/poi/pull/78
> 
>     Add the "final" modifier to public static fields.
> 
>     This static field is public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
>     http://findbugs.sourceforge.net/bugDescriptions.html#MS_SHOULD_BE_FINAL
> 
> You can merge this pull request into a Git repository by running:
> 
>     $ git pull https://github.com/BruceKuiLiu/poi master6
> 
> Alternatively you can review and apply these changes as the patch at:
> 
>     https://github.com/apache/poi/pull/78.patch
> 
> To close this pull request, make a commit to your master/trunk branch
> with (at least) the following in the commit message:
> 
>     This closes #78
>     
> ----
> commit 6c8aa937d52f12dbc996105c89868dfaf0950c80
> Author: Kui LIU <brucekuiliu@gmail.com>
> Date:   2017-10-14T18:15:34Z
> 
>     Add the "final" modifier to public static fields.
>     
>     This static field is public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
>     http://findbugs.sourceforge.net/bugDescriptions.html#MS_SHOULD_BE_FINAL
> 
> commit 6e57586107eb2f06db47d4bb7f5202f953ce017e
> Author: Kui LIU <brucekuiliu@gmail.com>
> Date:   2017-10-14T18:19:48Z
> 
>     Add the "final" modifier to public static fields.
>     
>     This static field is public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
>     http://findbugs.sourceforge.net/bugDescriptions.html#MS_SHOULD_BE_FINAL
> 
> ----
> 
> 
> ---
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
> For additional commands, e-mail: dev-help@poi.apache.org
> 
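
Added example, not part of the original message or of the POI code base: a small probe for checking what the `final` modifier does and does not stop when a field is written through `java.lang.reflect` on the JDK you run it on. The `Settings` class and its field names are hypothetical stand-ins, and the output depends on the JDK version and its runtime settings.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;

public class FinalFieldProbe {
    // Hypothetical stand-in for a library class; not taken from POI.
    static class Settings {
        public static Integer openLimit = 10;          // the pattern MS_SHOULD_BE_FINAL flags
        public static final Integer FIXED_LIMIT = 10;  // the same field after adding "final"
        private final Integer perInstanceLimit = 10;   // a final instance field, for comparison
    }

    // Attempt a reflective write and report what the running JDK did with it.
    static String tryWrite(Field field, Object target, Object value) {
        try {
            field.setAccessible(true);   // may be refused by module encapsulation or a security manager
            field.set(target, value);    // Field.set rejects static final fields with IllegalAccessException
            return "written, value is now " + field.get(target);
        } catch (ReflectiveOperationException | RuntimeException e) {
            return "rejected (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        Settings instance = new Settings();
        for (Field field : Settings.class.getDeclaredFields()) {
            if (field.isSynthetic()) continue;   // skip compiler-generated fields, if any
            boolean isStatic = Modifier.isStatic(field.getModifiers());
            String result = tryWrite(field, isStatic ? null : instance, 99);
            System.out.printf("%-18s %-22s %s%n",
                    field.getName(), Modifier.toString(field.getModifiers()), result);
        }
    }
}
```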
