[JAVAEETUTORIAL-123] bad example allows for possible bug Created: 11/Jul/12 Updated: 18/Oct/12 Resolved: 18/Oct/12
Reporter: Brant Gurganus | Assignee: Kim Haase
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
This occurs on the "Writing Bean Properties" page at http://docs.oracle.com/javaee/6/tutorial/doc/bnaty.html. Just before the "UIData Properties" heading, there is an example Bean property for a Date field. Date is a mutable type, and the getter and setter are both public. This allows another, potentially malicious, class to get a reference to the Date field and modify it without the knowledge of the class. This is generally something that can be defended against by creating a copy of the date when it is set or when the getter is called. This prevents you from setting the Date field to a Date value that another class can still manipulate, and prevents another class that gets the Date from modifying the date without the knowledge of the class. Another, potentially better option, if the methods need not be public, would be to reduce the visibility to something less than public.
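The aliasing problem the report describes, and the defensive-copy fix it proposes, shown side by side. This is an added example written for this page; it is not code from the Java EE tutorial or from the reporter. The class names LeakyBean, DefensiveBean and DefensiveCopyDemo are invented for the demonstration, and the bean is a plain Java class rather than a JSF managed bean, since the aliasing behaviour is a property of java.util.Date and the accessors, not of the framework. The same pattern applies to the other mutable property types the reporter lists in the comment below.

```java
import java.util.Date;

// Shape of the tutorial's example: both accessors hand out the very same
// Date object that the field refers to, so any caller holding that object
// can change the bean's state behind its back.
class LeakyBean {
    private Date date = new Date(0L);

    public Date getDate() {
        return date;
    }

    public void setDate(Date date) {
        this.date = date;
    }
}

// Defensive copies on both sides: the field is only ever reached through
// copies, so no caller holds a reference that aliases the bean's own state.
// Date has no copy constructor, so the copy is rebuilt from getTime().
class DefensiveBean {
    private Date date = new Date(0L);

    public Date getDate() {
        return date == null ? null : new Date(date.getTime());
    }

    public void setDate(Date date) {
        this.date = date == null ? null : new Date(date.getTime());
    }
}

public class DefensiveCopyDemo {
    private static void check(boolean condition, String message) {
        if (!condition) {
            throw new AssertionError(message);
        }
    }

    public static void main(String[] args) {
        // 1. Leaking through the getter: mutate the returned object.
        LeakyBean leaky = new LeakyBean();
        Date alias = leaky.getDate();
        alias.setTime(86_400_000L);
        check(leaky.getDate().getTime() == 86_400_000L,
              "leaky getter: caller's change should be visible in the bean");

        // 2. Leaking through the setter: keep a handle to what was passed in.
        Date shared = new Date(0L);
        leaky.setDate(shared);
        shared.setTime(42L);
        check(leaky.getDate().getTime() == 42L,
              "leaky setter: caller still controls the stored Date");

        // 3. Defensive getter: mutating the copy leaves the bean untouched.
        DefensiveBean safe = new DefensiveBean();
        Date copy = safe.getDate();
        copy.setTime(86_400_000L);
        check(safe.getDate().getTime() == 0L,
              "defensive getter: bean state must not change");

        // 4. Defensive setter: the caller's later changes do not reach the bean.
        Date input = new Date(7L);
        safe.setDate(input);
        input.setTime(99L);
        check(safe.getDate().getTime() == 7L,
              "defensive setter: bean keeps the value as of the set() call");

        // 5. Null stays null rather than throwing inside the copy.
        safe.setDate(null);
        check(safe.getDate() == null, "null round-trips");

        System.out.println("All aliasing checks passed.");
    }
}
```

Compile and run with `javac DefensiveCopyDemo.java && java DefensiveCopyDemo`. The copies cost one small allocation per call, which is why the alternative in the report (narrowing the accessor's visibility) is cheaper when the framework does not need public access. Where the application targets Java 8 or later, an immutable java.time type such as LocalDate removes the problem entirely, since there is no state for a caller to mutate.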
Comment by Brant Gurganus [ 11/Jul/12 ]
Similar issues for DateTimeConverter, UIOutput, String, SelectItem, and UISelectBoolean occur toward the end of the page under the headings "UISelectItem Properties," "UISelectItems Properties," "Writing Properties Bound to Component Instances," and "Writing Properties Bound to Converters, Listeners, or Validators." Each of those types is a mutable property with no protections from misbehaving callers.
Comment by Kim Haase [ 18/Oct/12 ]
Fixing this would overcomplicate the discussion of managed bean properties in the tutorial, where the focus is on the JavaServer Faces API.