[ http://issues.apache.org/jira/browse/XALANJ-2008?page=all ]
Brian Minchau updated XALANJ-2008:
----------------------------------
Fix Version: 2.7
(was: CurrentCVS)
> non-private non-final static variables and mutable static variables open
> potential security holes in Xalan
> ----------------------------------------------------------------------------------------------------------
>
> Key: XALANJ-2008
> URL: http://issues.apache.org/jira/browse/XALANJ-2008
> Project: XalanJ2
> Type: Bug
> Components: Xalan
> Versions: CurrentCVS
> Environment: Distributed with JDK 1.4+
> Reporter: Christine Li
> Fix For: 2.7
> Attachments: SecurityFixes.txt, SecurityFixesFinal.txt
>
> According to Sun's Security Code Guidelines
> [http://java.sun.com/security/seccodeguide.html#gcg2], non-final static
> variables and mutable static variables can cause unintended interactions
> within the system. This problem appears in many classes in the current Xalan
> code.
> This security issue becomes more severe when Xalan are distributed as part of
> the JRE 1.4+; It is loaded by the system class loader and stay in the JVM as
> long as the JVM is alive, malicious code can change the behavior of a
> processor by modifying those static variables.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
