[ http://nagoya.apache.org/jira/browse/XALANJ-2008?page=history ]
Christine Li updated XALANJ-2008:
---------------------------------
Attachment: SecurityFixesFinal.txt
The final version of the patch. Special thanks to Brian Minchau for providing
the patch for org.apache.xalan.templates.StylesheetRoot.java and
org.apache.xalan.templates.ElemExsltFunction.java.
Many thanks to Brian Minchau and Henry Zongaro for reviewing the patch.
> non-private non-final static variables and mutable static variables open
> potential security holes in Xalan
> ----------------------------------------------------------------------------------------------------------
>
> Key: XALANJ-2008
> URL: http://nagoya.apache.org/jira/browse/XALANJ-2008
> Project: XalanJ2
> Type: Bug
> Components: Xalan
> Versions: CurrentCVS
> Environment: Distributed with JDK 1.4+
> Reporter: Christine Li
> Attachments: SecurityFixes.txt, SecurityFixesFinal.txt
>
> According to Sun's Security Code Guidelines
> [http://java.sun.com/security/seccodeguide.html#gcg2], non-final static
> variables and mutable static variables can cause unintended interactions
> within the system. This problem appears in many classes in the current Xalan
> code.
> This security issue becomes more severe when Xalan is distributed as part of
> the JRE 1.4+; it is loaded by the system class loader and stays in the JVM as
> long as the JVM is alive. Malicious code can change the behavior of a
> processor by modifying those static variables.
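
The pattern the issue describes, shown next to a hardened form. This is an added example, not code from the Xalan patch or from the reporter; the class and field names (WeakConfig, HardenedConfig, secureProcessing, ALLOWED) are hypothetical and chosen only for illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Before: shared, writable static state visible to every caller in the JVM.
// Hypothetical class; not taken from Xalan.
class WeakConfig {
    public static boolean secureProcessing = true;           // non-final: can be reassigned
    public static final String[] ALLOWED = {"xml", "html"};  // final reference, mutable contents
}

// After: private, final and immutable; reads go through accessors.
// Hypothetical class; not taken from Xalan.
final class HardenedConfig {
    private static final boolean SECURE_PROCESSING = true;
    private static final List<String> ALLOWED =
            Collections.unmodifiableList(Arrays.asList("xml", "html"));

    private HardenedConfig() { }

    static boolean isSecureProcessing() { return SECURE_PROCESSING; }
    static List<String> allowed() { return ALLOWED; }
}

public class StaticStateDemo {
    public static void main(String[] args) {
        // Any class with access to WeakConfig can change it for all later callers.
        WeakConfig.secureProcessing = false;
        WeakConfig.ALLOWED[0] = "text";
        System.out.println("weak: secure=" + WeakConfig.secureProcessing
                + " allowed=" + Arrays.toString(WeakConfig.ALLOWED));

        // HardenedConfig.SECURE_PROCESSING = false;  // does not compile: private and final
        try {
            HardenedConfig.allowed().set(0, "text");
        } catch (UnsupportedOperationException e) {
            System.out.println("hardened: write rejected");
        }
        System.out.println("hardened: secure=" + HardenedConfig.isSecureProcessing()
                + " allowed=" + HardenedConfig.allowed());
    }
}
```

Declaring an array or collection field `final` only fixes the reference; the contents stay writable unless the field is also private and wrapped or copied, which is why the issue title lists mutable statics separately from non-final ones.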