提到私人班级成员怎么会很危险 [英] How can references to private class members be dangerouse
问题描述
我目前正在阅读 CERT Java安全编码标准.
I am struggling with this rule. The severity of this rule is high, which means a violation of this rule can lead to a privilege escalation or execution of code.
我真的不了解如何违反此规则会导致如此致命的事情.有人可以举例说明对违反此规则的代码的攻击吗?
I don't really understand how a violation of this rule can lead to such fatal things. Can somebody make an example of an attack on a code which violates this rule?
推荐答案
您可能有一个在类的构造函数中建立的不变式,例如date
包含实例的创建时间:
You might have an invariant which you establish in the constructor of the class, e.g. that date
contains the creation time of the instance:
class Foo {
private final Date date;
Foo() { this.date = new Date(); }
Date getDate() { return date; }
}
现在,如果我调用getDate().setTime(0)
,则可以使该实例看起来像它是在1970-1-1 00:00:00Z
中创建的.
Now, if I call getDate().setTime(0)
, I can make the instance look like it was created at 1970-1-1 00:00:00Z
.
如果基于Foo
的创建日期有一些逻辑,则可以通过这种方式来操纵它以表现出不同的行为.
If you have some logic based on the creation date of a Foo
, it can be manipulated to behave differently in this way.
这篇关于提到私人班级成员怎么会很危险的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!