```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

private void storeDateInDB(java.util.Date date) throws SQLException {
  // Copy the caller's mutable Date first; everything below uses only the copy
  final java.util.Date copy = new java.util.Date(date.getTime());
  if (validateValue(copy.getTime())) {
    Connection con = DriverManager.getConnection(
      "jdbc:microsoft:sqlserver://<HOST>:1433", "<UID>", "<PWD>"
    );
    PreparedStatement pstmt =
      con.prepareStatement("UPDATE ACCESSDB SET TIME = ?");
    pstmt.setLong(1, copy.getTime());
    // ...
  }
}
```
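The reason the copy has to happen before validation is that java.util.Date is mutable and not final: a caller can hand in a subclass whose getTime() answers differently on each call, or mutate a shared Date from another thread between the check and the use. The following added example (not code from the page; the year-2020 validity window, FlippingDate and the two store methods are constructed for the illustration) shows the check-then-use flaw beside the copy-first pattern used above:

```java
import java.util.Date;
import java.util.concurrent.atomic.AtomicInteger;

// Added illustration, not code from the page: why the Date must be copied before
// it is validated and used.
public class DateCopyDemo {

    // Assumed policy for this example: only timestamps within the year 2020 are valid.
    static final long LOWER = 1577836800000L; // 2020-01-01T00:00:00Z
    static final long UPPER = 1609459199000L; // 2020-12-31T23:59:59Z

    static boolean validateValue(long time) {
        return time >= LOWER && time <= UPPER;
    }

    // Hostile subclass: returns an acceptable time on the first call to getTime()
    // and an out-of-range one (0L, i.e. 1970) on every later call.
    static final class FlippingDate extends Date {
        private final AtomicInteger calls = new AtomicInteger();
        FlippingDate() { super(LOWER); }
        @Override public long getTime() {
            return calls.getAndIncrement() == 0 ? LOWER : 0L;
        }
    }

    // Noncompliant: validates the untrusted object, then reads it again.
    // Returns the value that would be written to the database, or null if rejected.
    static Long storeWithoutCopy(Date date) {
        if (!validateValue(date.getTime())) {
            return null;
        }
        return date.getTime(); // second read: a hostile subclass can return anything
    }

    // Compliant (the pattern from the page): read the untrusted object exactly once,
    // then validate and use the private copy.
    static Long storeWithCopy(Date date) {
        final Date copy = new Date(date.getTime());
        if (!validateValue(copy.getTime())) {
            return null;
        }
        return copy.getTime();
    }

    public static void main(String[] args) {
        Long unchecked = storeWithoutCopy(new FlippingDate());
        Long checked = storeWithCopy(new FlippingDate());
        System.out.println("without copy, value stored: " + unchecked
            + ", passes validation: " + (unchecked != null && validateValue(unchecked)));
        System.out.println("with copy, value stored:    " + checked
            + ", passes validation: " + (checked != null && validateValue(checked)));
    }
}
```

Run as written, storeWithoutCopy() accepts the FlippingDate and then stores the out-of-range second value, while storeWithCopy() stores the value it actually validated. A Date shared with another thread that calls setTime() between the check and the use defeats the first method in the same way, and the same copy-first fix covers it.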
Noncompliant Code Example (CVE-2012-0507)
This noncompliant code example shows a constructor of the Java core class AtomicReferenceArray as present in Java 1.7.0 update 2:
```java
public AtomicReferenceArray(E[] array) {
  // Visibility guaranteed by final field guarantees
  // clone() returns an array with the same runtime type as the caller's array
  this.array = array.clone();
}
```
This code was subsequently exploited by the Flashback malware, which infected 600,000 Macintosh computers in April 2012.[1]

1. "Exploiting Java Vulnerability CVE-2012-0507 Using Metasploit," shared by user BreakTheSec on Slideshare.net (July 14, 2012); see www.slideshare.net/BreakTheSec/exploiting-java-vulnerability.
Compliant Solution (CVE-2012-0507)
In Java 1.7.0 update 3, the constructor was modified to use the Arrays.copyOf() method instead of the clone() method as follows:
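The difference between the two copies is the runtime type of the array the object ends up holding, not whether the caller can later mutate it (both are genuine copies). array.clone() yields an array of whatever runtime type the caller supplied, so a caller that passes an array narrower than Object[] (or, as in the CVE, a deserialized object whose backing array has an unexpected type) leaves the container with a backing array that other code can still reference under that narrower type. Arrays.copyOf(array, array.length, Object[].class) always yields a fresh Object[], which no reference of a narrower array type can ever hold. The following added example (not JDK code; ClonedStore and CopiedStore are names chosen for the illustration) contrasts the two:

```java
import java.util.Arrays;

// Added illustration, not JDK code: clone() preserves the caller's runtime array
// type, Arrays.copyOf(..., Object[].class) normalizes it to Object[].
public class ArrayCopyTypes {

    // Pre-fix pattern: the internal array keeps whatever runtime type the
    // caller's array had, including one narrower than Object[].
    static final class ClonedStore<E> {
        private final E[] array;
        ClonedStore(E[] array) { this.array = array.clone(); }
        Class<?> backingType() { return array.getClass(); }
        E get(int i) { return array[i]; }
        boolean sharesArrayWith(Object other) { return array == other; }
    }

    // Post-fix pattern: the internal array is a fresh Object[] no matter what
    // runtime type the caller passed in.
    static final class CopiedStore<E> {
        private final Object[] array;
        CopiedStore(E[] array) {
            this.array = Arrays.copyOf(array, array.length, Object[].class);
        }
        Class<?> backingType() { return array.getClass(); }
        @SuppressWarnings("unchecked") E get(int i) { return (E) array[i]; }
        boolean sharesArrayWith(Object other) { return array == other; }
    }

    public static void main(String[] args) {
        // Caller-supplied array whose runtime type (String[]) is narrower than Object[].
        String[] callerArray = {"a", "b"};

        ClonedStore<String> cloned = new ClonedStore<>(callerArray);
        CopiedStore<String> copied = new CopiedStore<>(callerArray);

        System.out.println("clone() backing type:          " + cloned.backingType().getSimpleName());
        System.out.println("Arrays.copyOf() backing type:  " + copied.backingType().getSimpleName());

        // Both are real defensive copies: neither shares storage with the caller,
        // so a later mutation of the caller's array is not visible through either.
        callerArray[0] = "changed";
        System.out.println("cloned shares storage: " + cloned.sharesArrayWith(callerArray)
            + ", element 0 = " + cloned.get(0));
        System.out.println("copied shares storage: " + copied.sharesArrayWith(callerArray)
            + ", element 0 = " + copied.get(0));

        // Why the runtime type matters: an ordinary array store is checked by the JVM
        // against the array's runtime component type, not the reference's static type.
        Object[] narrow = new String[1];
        try {
            narrow[0] = Integer.valueOf(1);
            System.out.println("store into String[] accepted");
        } catch (ArrayStoreException e) {
            System.out.println("store into String[] rejected with ArrayStoreException");
        }
        Object[] wide = new Object[1];
        wide[0] = Integer.valueOf(1); // accepted: runtime type is Object[]
        System.out.println("store into Object[] accepted");
    }
}
```

The first two lines of output are String[] for the cloned store and Object[] for the copied store. The ArrayStoreException at the end is the check that protects ordinary array writes; AtomicReferenceArray in JDK 7 wrote its elements through sun.misc.Unsafe, which performs no such check, so the only safe backing array for that class is one whose runtime type is exactly Object[], which is what Arrays.copyOf(array, array.length, Object[].class) guarantees.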