spring-guides / gs-uploading-files

Uploading Files :: Learn how to build a Spring application that accepts multi-part file uploads.
http://spring.io/guides/gs/uploading-files/
Apache License 2.0
469 stars 503 forks

Fix Security Issue #26

Closed xenoterracide closed 8 years ago

xenoterracide commented 8 years ago

The short is that if somehow there were a malicious class on the classpath, having the field be public and static would allow any class to change it. It would be better if the tutorial didn't use this. I don't actually think the constant needs to be public.

From FindBugs:

Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is a better approach in many situations.

pivotal-issuemaster commented 8 years ago

@xenoterracide Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

pivotal-issuemaster commented 8 years ago

@xenoterracide Thank you for signing the Contributor License Agreement!

gregturn commented 8 years ago

Thanks for your patch to make the value final. It does need to be visible to both classes. This could arguably be made package private, but not critical for the guide.
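An added illustration of the two points raised in this thread (the non-final public static field, and the FindBugs warning about returning a mutable field), not code from the guide itself: the class names, the field name `ROOT` and the directory value are assumed, and the "after" form uses the package-private, final visibility gregturn mentions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// BEFORE (hypothetical, modelled on the pattern the PR removes): the upload root is
// public, static and not final, so any class on the classpath can reassign it, e.g.
// BeforeStorage.ROOT = "/some/other/dir";  -- and every later upload lands there.
class BeforeStorage {
    public static String ROOT = "upload-dir";

    private final List<Path> stored = new ArrayList<>();

    // The FindBugs finding: handing out the live list lets callers mutate our state.
    public List<Path> stored() {
        return stored;
    }
}

// AFTER: final (cannot be reassigned once initialised) and package-private (readable
// by the controller and storage classes in this package, which are the ones that need
// it, but not by arbitrary classes). Internal state is exposed only as a read-only view.
class AfterStorage {
    static final Path ROOT = Paths.get("upload-dir");

    private final List<Path> stored = new ArrayList<>();

    void save(String filename) {
        stored.add(ROOT.resolve(filename));
    }

    // Callers get a view; clear()/add() on it throw UnsupportedOperationException.
    List<Path> stored() {
        return Collections.unmodifiableList(stored);
    }
}

public class StaticFieldDemo {
    public static void main(String[] args) {
        BeforeStorage.ROOT = "elsewhere";        // compiles: the field is mutable
        // AfterStorage.ROOT = Paths.get("x");   // compile error: cannot assign to a final field

        AfterStorage after = new AfterStorage();
        after.save("report.pdf");
        try {
            after.stored().clear();              // rejected by the unmodifiable view
        } catch (UnsupportedOperationException e) {
            System.out.println("internal list is protected");
        }
    }
}
```

Compile and run with `javac StaticFieldDemo.java && java StaticFieldDemo`; uncommenting the `AfterStorage.ROOT` assignment shows the reassignment being rejected at compile time.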