[JAVAEETUTORIAL-123] bad example allows for possible bug Created: 11/Jul/12  Updated: 18/Oct/12  Resolved: 18/Oct/12

Status: Closed
Project: javaeetutorial
Component/s: doc
Affects Version/s: 6.0.7-5
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Brant Gurganus Assignee: Kim Haase
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

This occurs on the "Writing Bean Properties" page at http://docs.oracle.com/javaee/6/tutorial/doc/bnaty.html. Just before the "UIData Properties" heading, there is an example Bean property for a Date field. Date is a mutable type, and the getter and setter are both public. This allows another potentially malicious class to get a reference to the Date field and modify it without the knowledge of the class. This is generally something that be defended against by creating a copy of the date when it is set or when the getter is called. This prevents you from setting the Date field to a Date value that another class can still manipulate and prevents another class the gets the Date from modifying the date without the knowledge of the class. Another, potentially better option if the methods need not be public would be to reduce the visibility to something less than public.



 Comments   
Comment by Brant Gurganus [ 11/Jul/12 ]

Similar issues for DateTimeConverter, UIOutput, String[], SelectItem, and UISelectBoolean occur toward the end of the page under the headings "UISelectItem Properties," "UISelectItems Properties," "Writing Properties Bound to Component Instances," and "Writing Properties Bound to Converters, Listeners, or Validators." Each of those types are mutable properties with no protections from misbehaving callers.

Comment by Kim Haase [ 18/Oct/12 ]

Fixing this would overcomplicate the discussion of managed bean properties in the tutorial, where the focus is on the JavaServer Faces API.

Generated at Sat Dec 03 02:52:34 UTC 2016 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.