Array - Security hole

Patricia Samuel
Ranch Hand

Joined: Sep 12, 2007
Posts: 300
This is a frequent source of security holes:
// Potential security hole!
public static final Thing[] VALUES = { ... };

These are the lines that I read in Effective Java. Please confirm it is because we have made the reference final, not the things inside.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41052
    
The VALUES field is final, meaning that you can't assign a different array to it like "VALUES = ...", but the individual elements *can* be reassigned like "VALUES[0] = ...".


Ping & DNS - my free Android networking tools app
PrasannaKumar Sathiyanantham
Ranch Hand

Joined: Nov 12, 2009
Posts: 110
This is similar to C Pointers.

The variable will always point to the particular address in memory only. But the value stored in the address can be changed.


To err is human,
To forgive is not company policy
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19649
    

Two workarounds are:

1) make the array private and create a public static accessor method:

2) use a List:


SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6
How To Ask Questions How To Answer Questions
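
The exposed array from the question next to the two workarounds listed in the last reply, as an added example that is not code from the original posts or from Effective Java. The class names, field names and the String element type are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added illustration; all class and member names here are hypothetical.
public class ArrayExposureDemo {

    // The pattern from the thread: the reference is final, the elements are not.
    static class Exposed {
        public static final String[] VALUES = { "READ", "WRITE" };
    }

    // Workaround 1: private array, public static accessor that returns a copy.
    static class CopyOnRead {
        private static final String[] VALUES = { "READ", "WRITE" };

        public static String[] values() {
            return VALUES.clone();
        }
    }

    // Workaround 2: publish an unmodifiable List backed by a private array.
    static class AsList {
        private static final String[] PRIVATE_VALUES = { "READ", "WRITE" };
        public static final List<String> VALUES =
                Collections.unmodifiableList(Arrays.asList(PRIVATE_VALUES));
    }

    public static void main(String[] args) {
        // Any caller can overwrite a slot of the shared array.
        Exposed.VALUES[0] = "ADMIN";
        System.out.println("exposed:      " + Arrays.toString(Exposed.VALUES));

        // The caller only changes its own copy; the private array is intact.
        String[] copy = CopyOnRead.values();
        copy[0] = "ADMIN";
        System.out.println("copy-on-read: " + Arrays.toString(CopyOnRead.values()));

        // The unmodifiable view rejects writes at run time.
        try {
            AsList.VALUES.set(0, "ADMIN");
        } catch (UnsupportedOperationException e) {
            System.out.println("list:         write rejected, " + AsList.VALUES);
        }
    }
}
```

Both workarounds protect only the array slots. If the element type is itself mutable, the objects it holds still need to be immutable or defensively copied.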
 