On Feb 15, 2011, at 12:06 AM, Chris Schmidt <chrisisb...@gmail.com> wrote:
> On Feb 14, 2011, at 8:57 AM, "Wall, Kevin" <kevin.w...@qwest.com> wrote:
[snip]
>> So on a somewhat related note, does anyone have any idea as to how common it is for
>> application developers to call ServletRequest.getLocale() or ServletRequest.getLocales()
>> for Tomcat applications? Just curious. I'm sure it's a lot more common than
>> developers using double-precision floating point in their applications (with
>> the possible exception within the scientific computing community).
>
> I would assume just about any app with a shopping cart does. This is of course compounded
> by libraries like struts and spring mvc that autobind your form variables for you. Use a form with
> a double in it and you're boned.

Good point about things like Spring and Struts. Hadn't thought of those cases. OTOH, if
I were implementing a shopping cart, I'd write a special Currency class and there
probably use Float.parseFloat() rather than Double.parseDouble() [unless I were a bank
or otherwise had to compute interest], and hopefully Float does not have similar issues.

-kevin
--
Kevin W. Wall   614.215.4788   Qwest Risk Management / Information Security Team
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein, co-creator of MIME
________________________________________
From: Chris Schmidt [chrisisb...@gmail.com]
Sent: Tuesday, February 15, 2011 12:06 AM
To: Wall, Kevin
Cc: Jim Manico; Rafal Los; sc-l@securecoding.org
Subject: Re: [SC-L] Java DOS




_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
