Closed GoogleCodeExporter closed 9 years ago
GoogleCodeExporter
commented
9 years ago Thank you for this Patrick. We will apply this to 1.4 before the next release.Original comment by manico.james@gmail.com on 2 Nov 2010 at 8:09
GoogleCodeExporter
commented
9 years ago Is this fix in the 2.0 GA release (or later)?Original comment by skwee...@gmail.com on 3 Aug 2011 at 11:49
GoogleCodeExporter
commented
9 years ago The singletons are implemented using a double-checking mechanism and a volatile
reference variable. This approach is thread-safe for JDK 1.5 and higher, but it
is not for previous versions (see
http://java.dzone.com/articles/design-patterns-revisited-1-si). Therefore I
would recommend to use a static instance variable (has the additional benefit
of less lines of code) or if performance is a concern to use the
"initialization-on-demand-idiom"
(http://en.wikipedia.org/wiki/Initialization_on_demand_holder_idiom) Original comment by wettstei...@gmail.com on 18 Aug 2011 at 12:20
GoogleCodeExporter
commented
9 years ago Were you referring to the patch or to what's in the 1.4 source control
repository? I haven't checked the source repo but the patch does not use
volatiles. It synchronizes on a lock before doing any checking, which is what
1.4 requires to do lazy initialization without introducing a holder class.Original comment by patrick....@gmail.com on 18 Aug 2011 at 1:35
GoogleCodeExporter
commented
9 years ago I was talking about the actual code in the trunk (see DefaultEncoder for
example)Original comment by wettstei...@gmail.com on 31 Aug 2011 at 3:41
GoogleCodeExporter
commented
9 years ago We are experiencing this issue. What do you suggest since it does not look like
this will be fixed any time soon?Original comment by nemi5...@gmail.com on 7 Aug 2012 at 6:48
GoogleCodeExporter
commented
9 years ago nemi5150: you can apply my patch (attached to this issue).
wettstein.frank: I don't understand your comment. The patch is against the 1.4
branch, not trunk, and already uses static instance variables. Perhaps the
initialization-on-demand-idiom would be best here, but it's more complex. I
assume the patch was never applied because of your concerns, but I don't
understand how they are relevant to the 1.4 branch.Original comment by patrick....@gmail.com on 7 Aug 2012 at 7:38
GoogleCodeExporter
commented
9 years ago Patrick, I have looked at your patch, but it does not seem to be addressing the
root cause of the problem. Isn't the root cause that a constructor is
initializing a static variable? This is straight from do-not-do 101. I do not
understand why this static variable is not initialized in a static block? That
way it will only ever be initialized once and only when the class is loaded the
first time by the classloader. Original comment by nemi5...@gmail.com on 7 Aug 2012 at 8:36
GoogleCodeExporter
commented
9 years ago Wait, I see. Maybe you should reopen issue 143? It may be fixed in a later
build, but 1.4.4 is the latest stable, correct? If so, then 1.4.5 needs to be
stabilized. 1.4.5 in Early Release Only since Aug-2010? Really?Original comment by nemi5...@gmail.com on 7 Aug 2012 at 8:40
GoogleCodeExporter
commented
9 years ago I was using ESAPI for output encoding only, and switched to the OWASP Reform
library. If you only need encoding, I would check it out:
https://www.owasp.org/index.php/Category:OWASP_Encoding_ProjectOriginal comment by patrick....@gmail.com on 8 Aug 2012 at 7:29
GoogleCodeExporter
commented
9 years ago This issue is already fixed in ESAPI 2.x and ESAPI 1.4.x is no longer
supported. Even if this issue were to be fixed in ESAPI 1.4.x, it would still
leave many other bugs--some of which are security issues--as unfixed.
Therefore, this bug nor any others that are specific to ESAPI 1.4.x, will be
fixed.Original comment by kevin.w.wall@gmail.com on 2 Sep 2014 at 12:35
Original issue reported on code.google.com by
patrick....@gmail.comon 26 Aug 2010 at 12:36Attachments: