owner matches the user name of the currently-authenticated user.
...
string userName = identity.User;
string itemName = apiGatewayProxyRequest.QueryStringParameters['item'];
string statement = $"SELECT * FROM items WHERE owner = '{userName}' AND itemname = '{itemName}'";
var executeStatementRequest = new ExecuteStatementRequest();
executeStatementRequest.Statement = statement;
var executeStatementResponse = await dynamoDBClient.ExecuteStatementAsync(executeStatementRequest);
return displayResults(executeStatementResponse.Items);
...
SELECT * FROM items
WHERE owner = <userName>
AND itemname = <itemName>;
itemName does not contain a single-quote character. If an attacker with the user name wiley enters the string "name' OR 'a'='a" for itemName, then the query becomes the following:
SELECT * FROM items
WHERE owner = 'wiley'
AND itemname = 'name' OR 'a'='a';
OR 'a'='a' condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query:owner matches the user name of the currently-authenticated user.
...
String userName = identity.getUser();
String itemName = apiGatewayProxyRequest.getQueryStringParameters('item');
String statement = String.format("SELECT * FROM items WHERE owner = '%s' AND itemname = '%s'", userName, itemName);
ExecuteStatementRequest executeStatementRequest = new ExecuteStatementRequest();
executeStatementRequest.setStatement(statement);
ExecuteStatementResponse executeStatementResponse = dynamoDBClient.executeStatement(executeStatementRequest);
return displayResults(executeStatementResponse.items());
...
SELECT * FROM items
WHERE owner = <userName>
AND itemname = <itemName>;
itemName does not contain a single-quote character. If an attacker with the user name wiley enters the string "name' OR 'a'='a" for itemName, then the query becomes the following:
SELECT * FROM items
WHERE owner = 'wiley'
AND itemname = 'name' OR 'a'='a';
OR 'a'='a' condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query:doSecurityCheck() performs a security check and can be overridden by a child class.
public class BadSecurityCheck {
private int id;
public BadSecurityCheck() {
doSecurityCheck();
id = 1;
}
protected void doSecurityCheck() {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new SomePermission("SomeAction"));
}
}
}
SecurityManager permission is not allowed, a SecurityException exception will be thrown, which is a runtime exception and will stop the program from executing any further. Since BadSecurityCheck is not final, and the method doSecurityCheck() is protected and not final, it means that this class can be subclassed to override this function.doSecurityCheck() is overridden by a subclass:
public class EvilSubclass extends BadSecurityCheck {
private int id;
public EvilSubclass() {
super();
}
protected void doSecurityCheck() {
//do nothing
}
}
EvilSubclass is instantiated, the constructor first calls super(), to invoke the constructor of the superclass. This in turn calls the function doSecurityCheck(), but Java will first look for the function within the subclass prior to looking in the superclass, thus invoking the attacker controlled method that bypasses the security check, so id will still be set to 1.http://www.example.com/sws/manager.pl?add&pass=PassWord
...
string hashname = ConfigurationManager.AppSettings["hash"];
...
HashAlgorithm ha = HashAlgorithm.Create(hashname);
...
Example 1 will run successfully, but anyone who can get to this functionality will be able to manipulate the hash algorithm by modifying the property hash. After the program ships, it can be nontrivial to undo an issue regarding user-controlled algorithms, as it is extremely difficult to know if a malicious user determined the algorithm parameter of a specific cryptographic hash.
...
Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
String algorithm = prop.getProperty("hash");
...
MessageDigest messageDigest = MessageDigest.getInstance(algorithm);
messageDigest.update(hashInput.getBytes("UTF-8"));
...
Example 1 will run successfully, but anyone who can get to this functionality will be able to manipulate the hash algorithm by modifying the property hash. After the program ships, it can be nontrivial to undo an issue regarding user-controlled algorithms, as it is extremely difficult to know if a malicious user determined the algorithm parameter of a specific cryptographic hash.
require 'openssl'
require 'csv'
...
CSV.read(my_file).each do |row|
...
hash = row[4]
...
digest = OpenSSL::Digest.new(hash, data)
...
end
Example 1 will run successfully, but anyone who can get to this functionality will be able to manipulate the hash algorithm by modifying the hash from the CSV file. After the program ships, it can be nontrivial to undo an issue regarding user-controlled algorithms, as it is extremely difficult to know if a malicious user determined the algorithm parameter of a specific cryptographic hash.
...
// "type" parameter expected to be either: "Email" or "Username"
string type = request["type"];
string value = request["value"];
string password = request["password"];
var ddb = new AmazonDynamoDBClient();
var attrValues = new Dictionary<string,AttributeValue>();
attrValues[":value"] = new AttributeValue(value);
attrValues[":password"] = new AttributeValue(password);
var scanRequest = new ScanRequest();
scanRequest.FilterExpression = type + " = :value AND Password = :password";
scanRequest.TableName = "users";
scanRequest.ExpressionAttributeValues = attrValues;
var scanResponse = await ddb.ScanAsync(scanRequest);
...
Email = :value AND Password = :password
Username = :value AND Password = :password
type only contains any of the expected values. If an attacker provides a type value such as :value = :value OR :value, then the query becomes the following::value = :value OR :value = :value AND Password = :password
:value = :value condition causes the where clause to always evaluate to true, so the query returns all entries stored in the users collection, regardless of the email owner.
...
// "type" parameter expected to be either: "Email" or "Username"
String type = request.getParameter("type")
String value = request.getParameter("value")
String password = request.getParameter("password")
DynamoDbClient ddb = DynamoDbClient.create();
HashMap<String, AttributeValue> attrValues = new HashMap<String,AttributeValue>();
attrValues.put(":value", AttributeValue.builder().s(value).build());
attrValues.put(":password", AttributeValue.builder().s(password).build());
ScanRequest queryReq = ScanRequest.builder()
.filterExpression(type + " = :value AND Password = :password")
.tableName("users")
.expressionAttributeValues(attrValues)
.build();
ScanResponse response = ddb.scan(queryReq);
...
Email = :value AND Password = :password
Username = :value AND Password = :password
type only contains any of the expected values. If an attacker provides a type value such as :value = :value OR :value, then the query becomes the following::value = :value OR :value = :value AND Password = :password
:value = :value condition causes the where clause to always evaluate to true, so the query returns all entries stored in the users collection, regardless of the email owner.VRFY command that is sent to the SMTP server. An attacker might use this parameter to modify the command sent to the server and inject new commands using CRLF characters.
...
c, err := smtp.Dial(x)
if err != nil {
log.Fatal(err)
}
user := request.FormValue("USER")
c.Verify(user)
...
VRFY command that is sent to the SMTP server. An attacker may use this parameter to modify the command sent to the server and inject new commands using CRLF characters.
...
String user = request.getParameter("user");
SMTPSSLTransport transport = new SMTPSSLTransport(session,new URLName(Utilities.getProperty("smtp.server")));
transport.connect(Utilities.getProperty("smtp.server"), username, password);
transport.simpleCommand("VRFY " + user);
...
VRFY command that is sent to the SMTP server. An attacker may use this parameter to modify the command sent to the server and inject new commands using CRLF characters.
...
user = request.GET['user']
session = smtplib.SMTP(smtp_server, smtp_tls_port)
session.ehlo()
session.starttls()
session.login(username, password)
session.docmd("VRFY", user)
...
Null encryption keys can compromise security in a way that is not easy to remedy.null encryption key because it significantly reduces the protection afforded by a good encryption algorithm, but it also makes fixing the problem extremely difficult. After the offending code is in production, a software patch is required to change the null encryption key. If an account that is protected by the null encryption key is compromised, the owners of the system must choose between security and availability.null encryption key:
...
var encryptionKey:ByteArray = null;
...
var aes.ICipher = Crypto.getCipher("aes-cbc", encryptionKey, padding);
...
null encryption key, but anyone with even basic cracking techniques is much more likely to successfully decrypt any encrypted data. After the application has shipped, a software patch is required to change the null encryption key. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null encryption key.Null encryption keys can compromise security in a way that is not easy to remedy.null encryption key. Not only does using a null encryption key significantly reduce the protection afforded by a good encryption algorithm, but it also makes fixing the problem extremely difficult. After the offending code is in production, a software patch is required to change the null encryption key. If an account protected by the null encryption key is compromised, the owners of the system must choose between security and availability.null encryption key:
...
char encryptionKey[] = null;
...
null encryption key, but anyone with even basic cracking techniques is much more likely to successfully decrypt any encrypted data. After the program ships, a software patch is required to change the null encryption key. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null encryption key.null encryption key because it significantly reduces the protection afforded by a good encryption algorithm, and it is extremely difficult to fix the problem. After the offending code is in production, changing the null encryption key requires a software patch. If an account that is protected by the null encryption key is compromised, the owners of the system must choose between security and availability.null encryption key:
...
aes.NewCipher(nil)
...
null encryption key. Additionally, anyone with even basic cracking techniques is much more likely to successfully decrypt any encrypted data. After the application has shipped, a software patch is required to change the null encryption key. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null encryption key.null encryption key because it significantly reduces the protection afforded by a good encryption algorithm, but it also makes fixing the problem extremely difficult. After the offending code is in production, a software patch is required to change the null encryption key. If an account that is protected by the null encryption key is compromised, the owners of the system must choose between security and availability.null encryption key:
...
SecretKeySpec key = null;
....
Cipher encryptCipher = Cipher.getInstance("AES");
encryptCipher.init(Cipher.ENCRYPT_MODE, key);
...
null encryption key, but anyone with even basic cracking techniques is much more likely to successfully decrypt any encrypted data. After the application has shipped, a software patch is required to change the null encryption key. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null encryption key.null encryption key because it significantly reduces the protection afforded by a good encryption algorithm, but it also makes fixing the problem extremely difficult. After the offending code is in production, a software patch is required to change the null encryption key. If an account that is protected by the null encryption key is compromised, the owners of the system must choose between security and availability.null encryption key:
...
var crypto = require('crypto');
var encryptionKey = null;
var algorithm = 'aes-256-ctr';
var cipher = crypto.createCipher(algorithm, encryptionKey);
...
null encryption key, but anyone with even basic cracking techniques is much more likely to successfully decrypt any encrypted data. After the application has shipped, a software patch is required to change the null encryption key. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null encryption key.null encryption key because it significantly reduces the protection afforded by a good encryption algorithm, but it also makes fixing the problem extremely difficult. After the offending code is in production, a software patch is required to change the null encryption key. If an account that is protected by the null encryption key is compromised, the owners of the system must choose between security and availability.null encryption key:
...
CCCrypt(kCCEncrypt,
kCCAlgorithmAES,
kCCOptionPKCS7Padding,
nil,
0,
iv,
plaintext,
sizeof(plaintext),
ciphertext,
sizeof(ciphertext),
&numBytesEncrypted);
...
null encryption key, but anyone with even basic cracking techniques is much more likely to successfully decrypt any encrypted data. After the application has shipped, a software patch is required to change the null encryption key. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null encryption key.null to encryption key variables is a bad idea because it can allow attackers to expose sensitive and encrypted information. Not only does using a null encryption key significantly reduce the protection afforded by a good encryption algorithm, but it also makes fixing the problem extremely difficult. After the offending code is in production, a software patch is required to change the null encryption key. If an account protected by the null encryption key is compromised, the owners of the system must choose between security and availability.null.
...
$encryption_key = NULL;
$filter = new Zend_Filter_Encrypt($encryption_key);
$filter->setVector('myIV');
$encrypted = $filter->filter('text_to_be_encrypted');
print $encrypted;
...
null encryption key, and anyone employing even basic cracking techniques is much more likely to successfully decrypt any encrypted data. After the program ships, a software patch is required to change the null encryption key. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null encryption key.null encryption key because it significantly reduces the protection afforded by a good encryption algorithm, but it also makes fixing the problem extremely difficult. After the offending code is in production, a software patch is required to change the null encryption key. If an account that is protected by the null encryption key is compromised, the owners of the system must choose between security and availability.null encryption key, but anyone with even basic cracking techniques is much more likely to successfully decrypt any encrypted data. After the application has shipped, a software patch is required to change the null encryption key. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null encryption key.None to encryption key variables is a bad idea because it can allow attackers to expose sensitive and encrypted information. Not only does using a null encryption key significantly reduce the protection afforded by a good encryption algorithm, but it also makes fixing the problem extremely difficult. After the offending code is in production, a software patch is required to change the null encryption key. If an account protected by the null encryption key is compromised, the owners of the system must choose between security and availability.null.
...
from Crypto.Ciphers import AES
cipher = AES.new(None, AES.MODE_CFB, iv)
msg = iv + cipher.encrypt(b'Attack at dawn')
...
null encryption key, and anyone employing even basic cracking techniques is much more likely to successfully decrypt any encrypted data. After the program ships, a software patch is required to change the null encryption key. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null encryption key.null encryption key. Not only does using a null encryption key significantly reduce the protection afforded by a good encryption algorithm, but it also makes fixing the problem extremely difficult. After the offending code is in production, a software patch is required to change the null encryption key. If an account protected by the null encryption key is compromised, the owners of the system must choose between security and availability.null encryption key, and anyone employing even basic cracking techniques is much more likely to successfully decrypt any encrypted data. After the program ships, a software patch is required to change the null encryption key. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null encryption key.Null encryption keys can compromise security in a way that is not easy to remedy.null encryption key. Not only does using a null encryption key significantly reduce the protection afforded by a good encryption algorithm, but it also makes fixing the problem extremely difficult. After the offending code is in production, a software patch is required to change the null encryption key. If an account protected by the null encryption key is compromised, the owners of the system must choose between security and availability.null encryption key:
...
CCCrypt(UInt32(kCCEncrypt),
UInt32(kCCAlgorithmAES128),
UInt32(kCCOptionPKCS7Padding),
nil,
0,
iv,
plaintext,
plaintext.length,
ciphertext.mutableBytes,
ciphertext.length,
&numBytesEncrypted)
...
null encryption key, but anyone with even basic cracking techniques is much more likely to successfully decrypt any encrypted data. After the program ships, a software patch is required to change the null encryption key. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null encryption key.null encryption key because it significantly reduces the protection afforded by a good encryption algorithm, but it also makes fixing the problem extremely difficult. After the offending code is in production, a software patch is required to change the null encryption key. If an account that is protected by the null encryption key is compromised, the owners of the system must choose between security and availability.null encryption key:
...
Dim encryptionKey As String
Set encryptionKey = vbNullString
Dim AES As New System.Security.Cryptography.RijndaelManaged
On Error GoTo ErrorHandler
AES.Key = System.Text.Encoding.ASCII.GetBytes(encryptionKey)
...
Exit Sub
...
null encryption key, but anyone with even basic cracking techniques is much more likely to successfully decrypt any encrypted data. After the application has shipped, a software patch is required to change the null encryption key. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null encryption key.null password may compromise system security in a way that is not easy to remedy.null value as the password argument to a cryptographic password-based key derivation function. In this scenario, the resulting derived key will be based solely on the provided salt (rendering it significantly weaker), and fixing the problem is extremely difficult. After the offending code is in production, the null password often cannot be changed without patching the software. If an account protected by a derived key based on a null password is compromised, the owners of the system might be forced to choose between security and availability.null value as the password argument to a cryptographic password-based key derivation function:
...
var encryptor = new StrongPasswordEncryptor();
var encryptedPassword = encryptor.encryptPassword(null);
...
null password argument, but anyone with even basic cracking techniques is much more likely to successfully gain access to any resources protected by the offending keys. If an attacker also has access to the salt value used to generate any of the keys based on a null password, cracking those keys becomes trivial. After the program ships, there is likely no way to change the null password unless the program is patched. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null password.null password may compromise system security in a way that is not easy to remedy.null value as the password argument to a cryptographic password-based key derivation function. In this scenario, the resulting derived key will be based solely on the provided salt (rendering it significantly weaker), and fixing the problem is extremely difficult. After the offending code is in production, the null password often cannot be changed without patching the software. If an account protected by a derived key based on a null password is compromised, the owners of the system might be forced to choose between security and availability.null value as the password argument to a cryptographic password-based key derivation function:
...
CCKeyDerivationPBKDF(kCCPBKDF2,
nil,
0,
salt,
saltLen
kCCPRFHmacAlgSHA256,
100000,
derivedKey,
derivedKeyLen);
...
null password argument, but anyone with even basic cracking techniques is much more likely to successfully gain access to any resources protected by the offending keys. If an attacker also has access to the salt value used to generate any of the keys based on a null password, cracking those keys becomes trivial. After the program ships, there is likely no way to change the null password unless the program is patched. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null password.null password may compromise system security in a way that is not easy to remedy.null value as the password argument to a cryptographic password-based key derivation function. In this scenario, the resulting derived key will be based solely on the provided salt (rendering it significantly weaker), and fixing the problem is extremely difficult. After the offending code is in production, the null password often cannot be changed without patching the software. If an account protected by a derived key based on a null password is compromised, the owners of the system might be forced to choose between security and availability.null value as the password argument to a cryptographic password-based key derivation function:
...
CCKeyDerivationPBKDF(CCPBKDFAlgorithm(kCCPBKDF2),
nil,
0,
salt,
saltLen,
CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
100000,
derivedKey,
derivedKeyLen)
...
null password argument, but anyone with even basic cracking techniques is much more likely to successfully gain access to any resources protected by the offending keys. If an attacker also has access to the salt value used to generate any of the keys based on a null password, cracking those keys becomes trivial. After the program ships, there is likely no way to change the null password unless the program is patched. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null password.script tag:
<script src="http://www.example.com/js/fancyWidget.js"></script>
www.example.com to load their own JavaScript.null (nil) salt can compromise system security in a way that is not easy to remedy.null (nil) salt. Not only does using a null salt make it significantly easier to determine the hashed values, it also makes fixing the problem extremely difficult. After the code is in production, the salt cannot be easily changed. If attackers figure out that values are hashed with a null salt, they can compute "rainbow tables" for the application and more easily determine the hashed values.null (nil) salt:
...
CCKeyDerivationPBKDF(kCCPBKDF2,
password,
passwordLen,
nil,
0,
kCCPRFHmacAlgSHA256,
100000,
derivedKey,
derivedKeyLen);
...
null salt. After the program ships, there is likely no way to change the null salt. An employee with access to this information can use it to break into the system.null (None) salt can compromise system security in a way that is not easy to remedy.null (None) salt. Not only does using a null salt make it significantly easier to determine the hashed values, it also makes fixing the problem extremely difficult. After the code is in production, the salt cannot be easily changed. If attackers figure out that values are hashed with a null salt, they can compute "rainbow tables" for the application and more easily determine the hashed values.null (None) salt:
import hashlib, binascii
from django.utils.crypto import pbkdf2
def register(request):
password = request.GET['password']
username = request.GET['username']
dk = pbkdf2(password, None, 100000)
hash = binascii.hexlify(dk)
store(username, hash)
...
null salt. After the program ships, there is likely no way to change the null salt. An employee with access to this information can use it to break into the system.null (nil) salt can compromise system security in a way that is not easy to remedy.null (nil) salt. Not only does using a null salt make it significantly easier to determine the hashed values, it also makes fixing the problem extremely difficult. After the code is in production, the salt cannot be easily changed. If attackers figure out that values are hashed with a null salt, they can compute "rainbow tables" for the application and more easily determine the hashed values.null (nil) salt:
...
let ITERATION = UInt32(100000)
...
CCKeyDerivationPBKDF(CCPBKDFAlgorithm(kCCPBKDF2),
password,
passwordLength,
nil,
0,
CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
ITERATION,
derivedKey,
derivedKeyLength)
...
null salt. After the program ships, there is likely no way to change the null salt. An employee with access to this information can use it to break into the system.GET instead of POST method to send data to the server.GET method allow the URL and request parameters to be cached in the browser's URL cache, intermediary proxies, and server logs. This could expose sensitive information to individuals who do not have appropriate rights to the data.Example 2: If the application uses NSURLRequest then the default HTTP method is GET.
...
NSString * const USER_URL = @"https://www.somesvr.com/someapp/user";
...
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:USER_URL]];
[request setHTTPMethod:@"GET"];
...
...
NSURLRequest *theRequest=[NSURLRequest requestWithURL:[NSURL URLWithString:@"http://www.apple.com/"]
cachePolicy:NSURLRequestUseProtocolCachePolicy
timeoutInterval:60.0];
NSURLConnection *theConnection=[[NSURLConnection alloc] initWithRequest:theRequest delegate:self];
if (theConnection) {
// Create the NSMutableData to hold the received data.
// receivedData is an instance variable declared elsewhere.
receivedData = [[NSMutableData data] retain];
} else {
...
GET instead of POST method to send data to the server.GET method allow the URL and request parameters to be cached in the browser's URL cache, intermediary proxies, and server logs. This could expose sensitive information to individuals who do not have appropriate rights to the data.
...
$client = new Zend_Http_Client('https://www.example.com/fetchdata.php');
$client->request(Zend_Http_Client::GET);
...
GET instead of POST method to send data to the server.GET method allow the URL and request parameters to be cached in the browser's URL cache, intermediary proxies, and server logs. This could expose sensitive information to individuals who do not have appropriate rights to the data.Example 2: If the application uses NSURLRequest then the default HTTP method is GET.
...
let url = NSURL(string: "https://www.somesvr.com/someapp/user")
let request = NSMutableURLRequest(URL: url!)
request.HTTPMethod = "GET"
let connection = NSURLConnection(request:request, delegate:self)
...
...
let url = NSURL(string: "https://www.somesvr.com/someapp/user")
let request = NSURLRequest(URL: url!)
let connection = NSURLConnection(request:request, delegate:self)
...
clone() method.clone() method is invoked, the constructor for the class being cloned is not invoked. Thus, if a SecurityManager or AccessController check is present in the constructor of a cloneable class, the same check must also be present in the clone method of the class. Otherwise, the security check will be bypassed when the class is cloned.SecurityManager check in the constructor but not in the clone() method.
public class BadSecurityCheck implements Cloneable {
private int id;
public BadSecurityCheck() {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new BadPermission("BadSecurityCheck"));
}
id = 1;
}
public Object clone() throws CloneNotSupportedException {
BadSecurityCheck bsm = (BadSecurityCheck)super.clone();
return null;
}
}
<apex:page controller="accessControl">
<apex:pageBlock >
<apex:pageBlockSection >
<apex:outputText value="Survey Name: "/>
<apex:inputText value="{!surveyName}"/>
</apex:pageBlockSection>
<apex:pageBlockSection >
<apex:outputText value="New Name: "/>
<apex:inputText value="{!newSurveyName}"/>
</apex:pageBlockSection>
<apex:pageBlockSection >
<apex:commandButton value="Update" action="{!updateName}"/>
</apex:pageBlockSection>
</apex:pageBlock>
</apex:page>
public String surveyName { get; set; }
public String newSurveyName { get; set; }
public PageReference updateName() {
Survey__c s = [SELECT Name FROM Survey__c WHERE Name=:surveyName];
s.Name = newSurveyName;
update s;
PageReference page = ApexPages.currentPage();
page.setRedirect(true);
return page;
}
BinaryFormatter class.BinaryFormatter class to turn an object into a binary stream that contains both the object itself and the necessary metadata to reconstruct it during deserialization.BinaryFormatter class can lead to insecure deserialization scenarios where attackers can execute arbitrary code, abuse application logic, or trigger a denial of service condition. BinaryFormatter type is dangerous and is not recommended for data processing, as it cannot be made secure.BinaryFormatter class by setting the config property EnableUnsafeBinaryFormatterSerialization to true in the runtimeConfig.json file.
...
AppContext.SetSwitch("System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization", true);
...
BinaryFormatter class.BinaryFormatter class to turn an object into a binary stream that contains both the object itself and the necessary metadata to reconstruct it during deserialization.BinaryFormatter class can lead to insecure deserialization scenarios where attackers can execute arbitrary code, abuse application logic, or trigger a denial of service condition. BinaryFormatter class is dangerous and is not recommended for data processing, as it cannot be made secure.BinaryFormatter class by setting the config property EnableUnsafeBinaryFormatterSerialization to true in the runtimeConfig.json file.
{
"configProperties": {
"System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization": true
}
}
items property that shares pasteboard content between the user's devices by default via Universal Clipboard.Example 2: In the following code, data is written to the general pasteboard by calling the
...
UIPasteboard *pasteboard = [UIPasteboard generalPasteboard];
NSDictionary *items = @{
UTTypePlainText : sensitiveDataString,
UTTypePNG : [UIImage imageWithData:medicalImageData]
};
[pasteboard setItems: @[items]];
...
setObjects:localOnly:expirationDate: method with Universal Clipboard behavior explicitly enabled by setting the localOnly parameter to NO.
...
UIPasteboard *pasteboard = [UIPasteboard generalPasteboard];
[pasteboard setObjects:@[sensitiveDataString, [UIImage imageWithData:medicalImageData]]
localOnly:NO
expirationDate:[NSDate distantFuture]];
...
setItems(_:options:) method which shares pasteboard content between the user's devices by default via Universal Clipboard.Example 2: In the following code, data is written to the general pasteboard using the
...
let pasteboard = UIPasteboard.general
let items: [[String: Any]] = [
["text": sensitiveDataString],
["image": UIImage(data: medicalImageData)!]
]
pasteboard.setItems(items)
...
setObjects(_:localOnly:expirationDate:) method with Universal Clipboard behavior explicitly enabled by setting the localOnly parameter to false.
...
let pasteboard = UIPasteboard.general
let items: [Any] = [
sensitiveDataString,
UIImage(data: medicalImageData)!
]
pasteboard.setObjects([items], localOnly: false, expirationDate: Date.distantFuture)
...