Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 6.0.7-5
    • Fix Version/s: None
    • Component/s: doc
    • Labels:
      None

      Description

      This occurs on the "Writing Bean Properties" page at http://docs.oracle.com/javaee/6/tutorial/doc/bnaty.html. Just before the "UIData Properties" heading, there is an example Bean property for a Date field. Date is a mutable type, and the getter and setter are both public. This allows another potentially malicious class to get a reference to the Date field and modify it without the knowledge of the class. This is generally something that can be defended against by creating a copy of the date when it is set or when the getter is called. This prevents you from setting the Date field to a Date value that another class can still manipulate and prevents another class that gets the Date from modifying the date without the knowledge of the class. Another, potentially better option if the methods need not be public would be to reduce the visibility to something less than public.
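
The aliasing described in the report and the copy-on-set, copy-on-get defence it proposes, as an added example that is not part of the original report or the tutorial. The class names `ExposedBean`, `CopyingBean` and `DefensiveCopyDemo`, the property name `date`, and the sample timestamps are assumptions made for illustration.

```java
import java.util.Date;

public class DefensiveCopyDemo {

    // The pattern the report describes: the bean stores and hands out
    // the very Date instance the caller supplied.
    static class ExposedBean {
        private Date date;
        public Date getDate() { return date; }
        public void setDate(Date date) { this.date = date; }
    }

    // Copy on the way in and on the way out. new Date(getTime()) is used
    // instead of clone() because Date is not final and a subclass may
    // override clone().
    static class CopyingBean {
        private Date date;
        public Date getDate() {
            return date == null ? null : new Date(date.getTime());
        }
        public void setDate(Date date) {
            this.date = (date == null) ? null : new Date(date.getTime());
        }
    }

    public static void main(String[] args) {
        Date supplied = new Date(0L);            // constructed sample value

        ExposedBean exposed = new ExposedBean();
        exposed.setDate(supplied);
        supplied.setTime(86400000L);             // caller mutates the Date it passed in
        boolean setterAliased = exposed.getDate().getTime() != 0L;
        exposed.getDate().setTime(172800000L);   // caller mutates the Date it was handed
        boolean getterAliased = exposed.getDate().getTime() == 172800000L;

        supplied = new Date(0L);
        CopyingBean copying = new CopyingBean();
        copying.setDate(supplied);
        supplied.setTime(86400000L);             // only the caller's own copy changes
        copying.getDate().setTime(172800000L);   // only a throwaway copy changes
        boolean unchanged = copying.getDate().getTime() == 0L;

        System.out.println("ExposedBean changed via setter argument: " + setterAliased);
        System.out.println("ExposedBean changed via getter result:   " + getterAliased);
        System.out.println("CopyingBean value unchanged:             " + unchanged);
    }
}
```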

        Activity

        Kim Haase added a comment -

        Fixing this would overcomplicate the discussion of managed bean properties in the tutorial, where the focus is on the JavaServer Faces API.

        Brant Gurganus added a comment -

        Similar issues for DateTimeConverter, UIOutput, String[], SelectItem, and UISelectBoolean occur toward the end of the page under the headings "UISelectItem Properties," "UISelectItems Properties," "Writing Properties Bound to Component Instances," and "Writing Properties Bound to Converters, Listeners, or Validators." Each of those types is a mutable property with no protections from misbehaving callers.


          People

          • Assignee:
            Kim Haase
            Reporter:
            Brant Gurganus
          • Votes:
            0
            Watchers:
            0