Message6387
Lately there has been quite a rumour in the Java community about the endless loop caused by a certain range of values.
Jython could be brought into such an endless loop simply by assigning the right value to a variable, such as:
    value = a_bad_value
The Java hot spots are the following:
- BigDecimal.doubleValue()
- BigDecimal.floatValue()
- Double(String)
- Double.parseDouble(String)
- Double.valueOf(String)
- Float(String)
- Float.parseFloat(String)
- Float.valueOf(String)
The attached patch prevents this kind of attack by replacing our usage of the hot spots above with a safer parsing strategy:
1) look for suspicious digits in the input string (heuristic, but quite fast)
2a) for suspicious values: use BigDecimal to safely parse them
2b) fix the real dangerous values by 'rounding' them to safe ones (outside the dangerous interval)
For non-suspicious values, use the default fast Double parsing, as before
The performance penalty in the majority of cases is the detection of suspiciousness:
    // Heuristic pre-check: does the digit run of the input contain the digit
    // run of the dangerous value? Sign, decimal point and exponent marker are
    // ignored, so the check is independent of how the value is written.
    protected static final boolean isSuspicious(String s) {
        return digits(s).indexOf(SUSPICIOUS_DIGITS) >= 0;
    }

    // Collect only the decimal digits of s, in their original order.
    private static final String digits(String s) {
        char[] ca = s.toCharArray();
        int len = ca.length;
        StringBuilder b = new StringBuilder(len);
        for (int i = 0; i < len; i++) {
            char c = ca[i];
            if (c >= '0' && c <= '9') {
                b.append(c);
            }
        }
        return b.toString();
    }
Two questions:
- does this sound reasonable?
- if yes, should we build that into 2.5.2 final?
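The detect, then parse with BigDecimal, then round strategy described in the list above, written out as an added example. This is not the attached patch and not Jython code: the class name, the `parseDouble` method, the value of `SUSPICIOUS_DIGITS`, the interval bounds `LOW` and `HIGH` and the replacement value `SAFE_REPLACEMENT` are assumptions of this example. The digit run and the bounds are derived from the publicly reported trigger value 2.2250738585072012e-308 (CVE-2010-4476) and must be checked against the advisory for the JVM in use before being relied on.

```java
import java.math.BigDecimal;

/*
 * Added example of the "detect, parse exactly, round away from the dangerous
 * interval" strategy. Not Jython's patch; all constants below are assumptions.
 */
public final class SafeDoubleParser {

    /*
     * Assumption: the digit run shared by the reported trigger value
     * 2.2250738585072012e-308 and its nearest neighbours. Fifteen digits are
     * used so that ...2011, ...2012 and ...2013 all match the heuristic.
     */
    static final String SUSPICIOUS_DIGITS = "225073858507201";

    /*
     * Assumed bounds of the dangerous interval, built from decimal strings so
     * that no double conversion is needed to construct them.
     */
    static final BigDecimal LOW  = new BigDecimal("2.2250738585072011E-308");
    static final BigDecimal HIGH = new BigDecimal("2.2250738585072013E-308");

    /* Smallest normal double (2.2250738585072014E-308): the nearest safe value. */
    static final double SAFE_REPLACEMENT = Double.MIN_NORMAL;

    /* Drop-in replacement for Double.parseDouble(String). */
    public static double parseDouble(String s) {
        String t = s.trim();
        if (!isSuspicious(t)) {
            return Double.parseDouble(t);           // fast path, as before
        }
        // Double.parseDouble accepts a trailing d/D/f/F type suffix; BigDecimal does not.
        int last = t.length() - 1;
        if (last >= 0 && "dDfF".indexOf(t.charAt(last)) >= 0) {
            t = t.substring(0, last);
        }
        BigDecimal exact = new BigDecimal(t);       // exact decimal value, no rounding loop involved
        BigDecimal magnitude = exact.abs();
        if (magnitude.compareTo(LOW) >= 0 && magnitude.compareTo(HIGH) <= 0) {
            // Inside the dangerous interval: hand back the nearest safe double
            // (at most one ulp away) instead of asking the JVM to convert it.
            return exact.signum() < 0 ? -SAFE_REPLACEMENT : SAFE_REPLACEMENT;
        }
        return exact.doubleValue();                 // outside the interval: normal conversion
    }

    /* Heuristic pre-check on the digit run only; sign, point and exponent are ignored. */
    static boolean isSuspicious(String s) {
        return digits(s).indexOf(SUSPICIOUS_DIGITS) >= 0;
    }

    /* Collect the decimal digits of s in order. */
    static String digits(String s) {
        StringBuilder b = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c >= '0' && c <= '9') {
                b.append(c);
            }
        }
        return b.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary value, the trigger value in two spellings,
        // its negative, and the smallest normal double written out exactly.
        String[] samples = {
            "3.14159",
            "2.2250738585072012e-308",
            "0.0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000022250738585072012",
            "-2.2250738585072012e-308d",
            "2.2250738585072014e-308",
        };
        for (String s : samples) {
            System.out.println(isSuspicious(s) + "\t" + parseDouble(s));
        }
    }
}
```

Two points worth keeping in mind when adapting this: the heuristic must match every spelling of every value in the interval, so the digit run should be no longer than the prefix shared by all of them, and the replacement in step 2b changes the parsed value by up to one ulp, which is acceptable for a denial-of-service fix but should be documented for callers that compare parsed values for equality.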
Date | User | Action | Args
2011-02-08 12:40:02 | otmarhumbel | set | recipients: + otmarhumbel
2011-02-08 12:40:02 | otmarhumbel | set | messageid: <1297168802.63.0.331765515947.issue1705@psf.upfronthosting.co.za>
2011-02-08 12:40:02 | otmarhumbel | link | issue1705 messages
2011-02-08 12:40:02 | otmarhumbel | create |