webview 中載入一個頁面,但不實作任何控制來阻止造訪惡意網站時出現的自動撥號攻擊。webview 來載入可能包含不可信賴連結的網站,但未指定能夠驗證此 webview 中啟動的要求的委派:
...
NSURL *webUrl = [[NSURL alloc] initWithString:@"https://some.site.com/"];
NSURLRequest *webRequest = [[NSURLRequest alloc] initWithURL:webUrl];
[_webView loadRequest:webRequest];
...
webview 中載入一個頁面,但不實作任何控制來阻止造訪惡意網站時出現的自動撥號攻擊。webview 來載入可能包含不可信賴連結的網站,但未指定能夠驗證此 webview 中啟動的要求的委派:
...
let webUrl : NSURL = NSURL(string: "https://some.site.com/")!
let webRequest : NSURLRequest = NSURLRequest(URL: webUrl)
webView.loadRequest(webRequest)
...
webview 中載入一個頁面,但不會實作任何控制來確認和驗證使用者能夠點選的連結。webview 來載入可能包含不可信賴連結的網站,但未指定能夠驗證此 webview 中啟動的要求的委派:
...
NSURL *webUrl = [[NSURL alloc] initWithString:@"https://some.site.com/"];
NSURLRequest *webRequest = [[NSURLRequest alloc] initWithURL:webUrl];
[webView loadRequest: webRequest];
webview 中載入一個頁面,但不會實作任何控制來確認和驗證使用者能夠點選的連結。webview 來載入可能包含不可信賴連結的網站,但未指定能夠驗證此 webview 中啟動的要求的委派:
...
let webUrl = URL(string: "https://some.site.com/")!
let urlRequest = URLRequest(url: webUrl)
webView.load(webRequest)
...
...
DATA log_msg TYPE bal_s_msg.
val = request->get_form_field( 'val' ).
log_msg-msgid = 'XY'.
log_msg-msgty = 'E'.
log_msg-msgno = '123'.
log_msg-msgv1 = 'VAL: '.
log_msg-msgv2 = val.
CALL FUNCTION 'BAL_LOG_MSG_ADD'
EXPORTING
I_S_MSG = log_msg
EXCEPTIONS
LOG_NOT_FOUND = 1
MSG_INCONSISTENT = 2
LOG_IS_FULL = 3
OTHERS = 4.
...
val 的字串「FOO」,則會記錄以下項目:
XY E 123 VAL: FOO
FOO XY E 124 VAL: BAR」,則會記錄以下的項目:
XY E 123 VAL: FOO XY E 124 VAL: BAR
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var val:String = String(params["username"]);
var value:Number = parseInt(val);
if (value == Number.NaN) {
trace("Failed to parse val = " + val);
}
val 的字串「twenty-one」,則會記錄以下項目:
Failed to parse val=twenty-one
twenty-one%0a%0aINFO:+User+logged+out%3dbadguy」,則會記錄以下的項目:
Failed to parse val=twenty-one
User logged out=badguy
...
string val = (string)Session["val"];
try {
int value = Int32.Parse(val);
}
catch (FormatException fe) {
log.Info("Failed to parse val= " + val);
}
...
val 的字串「twenty-one」,則會記錄以下項目:
INFO: Failed to parse val=twenty-one
twenty-one%0a%0aINFO:+User+logged+out%3dbadguy」,則會記錄以下的項目:
INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy
long value = strtol(val, &endPtr, 10);
if (*endPtr != '\0')
syslog(LOG_INFO,"Illegal value = %s",val);
...
val 的字串「twenty-one」,則會記錄以下項目:
Illegal value=twenty-one
twenty-one\n\nINFO: User logged out=evil」,則會記錄以下的項目:
INFO: Illegal value=twenty-one
INFO: User logged out=evil
...
01 LOGAREA.
05 VALHEADER PIC X(50) VALUE 'VAL: '.
05 VAL PIC X(50).
...
EXEC CICS
WEB READ
FORMFIELD(NAME)
VALUE(VAL)
...
END-EXEC.
EXEC DLI
LOG
FROM(LOGAREA)
LENGTH(50)
END-EXEC.
...
VAL 的字串「FOO」,則會記錄以下項目:
VAL: FOO
FOO VAL: BAR」,則會記錄以下的項目:
VAL: FOO VAL: BAR
<cflog file="app_log" application="No" Thread="No"
text="Failed to parse val="#Form.val#">
val 的字串「twenty-one」,則會記錄以下項目:
"Information",,"02/28/01","14:50:37",,"Failed to parse val=twenty-one"
twenty-one%0a%0a%22Information%22%2C%2C%2202/28/01%22%2C%2214:53:40%22%2C%2C%22User%20logged%20out:%20badguy%22」,則會記錄以下的項目:
"Information",,"02/28/01","14:50:37",,"Failed to parse val=twenty-one"
"Information",,"02/28/01","14:53:40",,"User logged out: badguy"
func someHandler(w http.ResponseWriter, r *http.Request){
r.parseForm()
name := r.FormValue("name")
logout := r.FormValue("logout")
...
if (logout){
...
} else {
log.Printf("Attempt to log out: name: %s logout: %s", name, logout)
}
}
twenty-one」給 logout,且能夠建立名稱為「admin」的使用者,則會記錄以下項目:
Attempt to log out: name: admin logout: twenty-one
admin+logout:+1+++++++++++++++++++++++」這個使用者名稱,則會記錄以下項目:
Attempt to log out: name: admin logout: 1 logout: twenty-one
...
String val = request.getParameter("val");
try {
int value = Integer.parseInt(val);
}
catch (NumberFormatException nfe) {
log.info("Failed to parse val = " + val);
}
...
val 的字串「twenty-one」,則會記錄以下項目:
INFO: Failed to parse val=twenty-one
twenty-one%0a%0aINFO:+User+logged+out%3dbadguy」,則會記錄以下的項目:
INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy
Example 1 以適用於 Android 平台。
...
String val = this.getIntent().getExtras().getString("val");
try {
int value = Integer.parseInt();
}
catch (NumberFormatException nfe) {
Log.e(TAG, "Failed to parse val = " + val);
}
...
var cp = require('child_process');
var http = require('http');
var url = require('url');
function listener(request, response){
var val = url.parse(request.url, true)['query']['val'];
if (isNaN(val)){
console.log("INFO: Failed to parse val = " + val);
}
...
}
...
http.createServer(listener).listen(8080);
...
val 的字串「twenty-one」,則會記錄以下項目:
INFO: Failed to parse val = twenty-one
twenty-one%0a%0aINFO:+User+logged+out%3dbadguy」,則會記錄以下的項目:
INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy
long value = strtol(val, &endPtr, 10);
if (*endPtr != '\0')
NSLog("Illegal value = %s",val);
...
val 的字串「twenty-one」,則會記錄以下項目:
INFO: Illegal value=twenty-one
twenty-one\n\nINFO: User logged out=evil」,則會記錄以下的項目:
INFO: Illegal value=twenty-one
INFO: User logged out=evil
<?php
$name =$_GET['name'];
...
$logout =$_GET['logout'];
if(is_numeric($logout))
{
...
}
else
{
trigger_error("Attempt to log out: name: $name logout: $val");
}
?>
twenty-one」給 logout,且能夠建立名稱為「admin」的使用者,則會記錄以下項目:
PHP Notice: Attempt to log out: name: admin logout: twenty-one
admin+logout:+1+++++++++++++++++++++++」這個使用者名稱,則會記錄以下項目:
PHP Notice: Attempt to log out: name: admin logout: 1 logout: twenty-one
name = req.field('name')
...
logout = req.field('logout')
if (logout):
...
else:
logger.error("Attempt to log out: name: %s logout: %s" % (name,logout))
twenty-one」給 logout,且能夠建立名稱為「admin」的使用者,則會記錄以下項目:
Attempt to log out: name: admin logout: twenty-one
admin+logout:+1+++++++++++++++++++++++」這個使用者名稱,則會記錄以下項目:
Attempt to log out: name: admin logout: 1 logout: twenty-one
...
val = req['val']
unless val.respond_to?(:to_int)
logger.info("Failed to parse val")
logger.info(val)
end
...
val 的字串「twenty-one」,則會記錄以下項目:
INFO: Failed to parse val
INFO: twenty-one
twenty-one%0a%0aINFO:+User+logged+out%3dbadguy」,則會記錄以下的項目:
INFO: Failed to parse val
INFO: twenty-one
INFO: User logged out=badguy
...
let num = Int(param)
if num == nil {
NSLog("Illegal value = %@", param)
}
...
val 的字串「twenty-one」,則會記錄以下項目:
INFO: Illegal value = twenty-one
twenty-one\n\nINFO: User logged out=evil」,則會記錄以下的項目:
INFO: Illegal value=twenty-one
INFO: User logged out=evil
...
Dim Val As Variant
Dim Value As Integer
Set Val = Request.Form("val")
If IsNumeric(Val) Then
Set Value = Val
Else
App.EventLog "Failed to parse val=" & Val, 1
End If
...
val 的字串「twenty-one」,則會記錄以下項目:
Failed to parse val=twenty-one
twenty-one%0a%0a+User+logged+out%3dbadguy」,則會記錄以下的項目:
Failed to parse val=twenty-one
User logged out=badguy
@HttpGet
global static void doGet() {
RestRequest req = RestContext.request;
String val = req.params.get('val');
try {
Integer i = Integer.valueOf(val);
...
} catch (TypeException e) {
System.Debug(LoggingLevel.INFO, 'Failed to parse val: '+val);
}
}
val 的字串「twenty-one」,則會記錄以下項目:
Failed to parse val: twenty-one
twenty-one%0a%0aUser+logged+out%3dbadguy」,則會記錄以下項目:
Failed to parse val: twenty-one
User logged out=badguy
...
String val = request.Params["val"];
try {
int value = Int.Parse(val);
}
catch (FormatException fe) {
log.Info("Failed to parse val = " + val);
}
...
val 的字串「twenty-one」,則會記錄以下項目:
INFO: Failed to parse val=twenty-one
twenty-one%0a%0aINFO:+User+logged+out%3dbadguy」,則會記錄以下項目:
INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy
Example 1 以適用於 Android 平台。
...
String val = this.Intent.Extras.GetString("val");
try {
int value = Int.Parse(val);
}
catch (FormatException fe) {
Log.E(TAG, "Failed to parse val = " + val);
}
...
...
var idValue string
idValue = req.URL.Query().Get("id")
num, err := strconv.Atoi(idValue)
if err != nil {
sysLog.Debug("Failed to parse value: " + idValue)
}
...
val 的字串「twenty-one」,則會記錄以下項目:
INFO: Failed to parse val=twenty-one
twenty-one%0a%0aINFO:+User+logged+out%3dbadguy」,則會記錄以下項目:
INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy
...
String val = request.getParameter("val");
try {
int value = Integer.parseInt(val);
}
catch (NumberFormatException nfe) {
log.info("Failed to parse val = " + val);
}
...
val 的字串「twenty-one」,則會記錄以下項目:
INFO: Failed to parse val=twenty-one
twenty-one%0a%0aINFO:+User+logged+out%3dbadguy」,則會記錄以下的項目:
INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy
Example 1 以適用於 Android 平台。
...
String val = this.getIntent().getExtras().getString("val");
try {
int value = Integer.parseInt();
}
catch (NumberFormatException nfe) {
Log.e(TAG, "Failed to parse val = " + val);
}
...
var cp = require('child_process');
var http = require('http');
var url = require('url');
function listener(request, response){
var val = url.parse(request.url, true)['query']['val'];
if (isNaN(val)){
console.error("INFO: Failed to parse val = " + val);
}
...
}
...
http.createServer(listener).listen(8080);
...
val 的字串「twenty-one」,則會記錄以下項目:
INFO: Failed to parse val=twenty-one
twenty-one%0a%0aINFO:+User+logged+out%3dbadguy」,則會記錄以下的項目:
INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy
...
val = request.GET["val"]
try:
int_value = int(val)
except:
logger.debug("Failed to parse val = " + val)
...
val 的字串「twenty-one」,則會記錄以下項目:
INFO: Failed to parse val=twenty-one
twenty-one%0a%0aINFO:+User+logged+out%3dbadguy」,則會記錄以下的項目:
INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy
...
val = req['val']
unless val.respond_to?(:to_int)
logger.debug("Failed to parse val")
logger.debug(val)
end
...
val 的字串「twenty-one」,則會記錄以下項目:
DEBUG: Failed to parse val
DEBUG: twenty-one
twenty-one%0a%DEBUG:+User+logged+out%3dbadguy」,則會記錄以下的項目:
DEBUG: Failed to parse val
DEBUG: twenty-one
DEBUG: User logged out=badguy
CREATE 指令。攻擊者可能使用此參數修改傳送至伺服器的指令,並使用 CRLF 字元插入新指令。
...
final String foldername = request.getParameter("folder");
IMAPFolder folder = (IMAPFolder) store.getFolder("INBOX");
...
folder.doCommand(new IMAPFolder.ProtocolCommand() {
@Override
public Object doCommand(IMAPProtocol imapProtocol) throws ProtocolException {
try {
imapProtocol.simpleCommand("CREATE " + foldername, null);
} catch (Exception e) {
// Handle Exception
}
return null;
}
});
...
USER 和 PASS 指令。攻擊者可能使用此參數修改傳送至伺服器的指令,並使用 CRLF 字元插入新指令。
...
String username = request.getParameter("username");
String password = request.getParameter("password");
...
POP3SClient pop3 = new POP3SClient(proto, false);
pop3.login(username, password)
...
VRFY 指令。攻擊者可能使用此參數修改傳送至伺服器的指令,並使用 CRLF 字元插入新指令。
...
c, err := smtp.Dial(x)
if err != nil {
log.Fatal(err)
}
user := request.FormValue("USER")
c.Verify(user)
...
VRFY 指令。攻擊者可能使用此參數修改傳送至伺服器的指令,並使用 CRLF 字元插入新指令。
...
String user = request.getParameter("user");
SMTPSSLTransport transport = new SMTPSSLTransport(session,new URLName(Utilities.getProperty("smtp.server")));
transport.connect(Utilities.getProperty("smtp.server"), username, password);
transport.simpleCommand("VRFY " + user);
...
VRFY 指令。攻擊者可能使用此參數修改傳送至伺服器的指令,並使用 CRLF 字元插入新指令。
...
user = request.GET['user']
session = smtplib.SMTP(smtp_server, smtp_tls_port)
session.ehlo()
session.starttls()
session.login(username, password)
session.docmd("VRFY", user)
...
RegisterModel 或 Details 類別中的任何屬性:
public ActionResult Register(RegisterModel model)
{
if (ModelState.IsValid)
{
try
{
return RedirectToAction("Index", "Home");
}
catch (MembershipCreateUserException e)
{
ModelState.AddModelError("", "");
}
}
return View(model);
}
RegisterModel 類別定義為:
public class RegisterModel
{
[BindRequired]
[Display(Name = "User name")]
public string UserName { get; set; }
[BindRequired]
[DataType(DataType.Password)]
[Display(Name = "Password")]
public string Password { get; set; }
[DataType(DataType.Password)]
[Display(Name = "Confirm password")]
public string ConfirmPassword { get; set; }
public Details Details { get; set; }
public RegisterModel()
{
Details = new Details();
}
}
Details 類別定義為:範例 2:在 ASP.NET MVC 或 Web API 應用程式中使用
public class Details
{
public bool IsAdmin { get; set; }
...
}
TryUpdateModel() 或 UpdateModel() 時,模型繫結器會根據預設,自動嘗試繫結所有 HTTP 要求參數:範例 3:在 ASP.NET 網頁表單應用程式中,使用
public ViewResult Register()
{
var model = new RegisterModel();
TryUpdateModel<RegisterModel>(model);
return View("detail", model);
}
TryUpdateModel() 或 UpdateModel() 搭配 IValueProvider 介面時,模型繫結器會自動嘗試繫結所有 HTTP 要求參數。
Employee emp = new Employee();
TryUpdateModel(emp, new System.Web.ModelBinding.FormValueProvider(ModelBindingExecutionContext));
if (ModelState.IsValid)
{
db.SaveChanges();
}
Employee 類別定義為:
public class Employee
{
public Employee()
{
IsAdmin = false;
IsManager = false;
}
public string Name { get; set; }
public string Email { get; set; }
public bool IsManager { get; set; }
public bool IsAdmin { get; set; }
}
Booking 類別中的任何屬性:
<view-state id="enterBookingDetails" model="booking">
<on-render>
<render fragments="body" />
</on-render>
<transition on="proceed" to="reviewBooking">
</transition>
<transition on="cancel" to="cancel" bind="false" />
</view-state>
Booking 類別定義為:
public class Booking implements Serializable {
private Long id;
private User user;
private Hotel hotel;
private Date checkinDate;
private Date checkoutDate;
private String creditCard;
private String creditCardName;
private int creditCardExpiryMonth;
private int creditCardExpiryYear;
private boolean smoking;
private int beds;
private Set<Amenity> amenities;
// Public Getters and Setters
...
}
Order、Customer 和 Profile 都是 Microsoft .NET 實體持續性類別。
public class Order {
public string ordered { get; set; }
public List<LineItem> LineItems { get; set; }
pubilc virtual Customer Customer { get; set; }
...
}
public class Customer {
public int CustomerId { get; set; }
...
public virtual Profile Profile { get; set; }
...
}
public class Profile {
public int profileId { get; set; }
public string username { get; set; }
public string password { get; set; }
...
}
OrderController 則是處理要求的 ASP.NET MVC 控制項類別:
public class OrderController : Controller{
StoreEntities db = new StoreEntities();
...
public String updateOrder(Order order) {
...
db.Orders.Add(order);
db.SaveChanges();
}
}
Order、Customer 及 Profile 都是 Hibernate 持續性類別。
public class Order {
String ordered;
List lineItems;
Customer cust;
...
}
public class Customer {
String customerId;
...
Profile p;
...
}
public class Profile {
String profileId;
String username;
String password;
...
}
OrderController 則是處理要求的 Spring 控制項類別:
@Controller
public class OrderController {
...
@RequestMapping("/updateOrder")
public String updateOrder(Order order) {
...
session.save(order);
}
}
[FromBody] 註解時,會仰賴 Input Formatter。[FromBody] 註解套用於某個動作的複雜參數,接著將 [Bind] 或 [BindNever] 等任何其他繫結屬性套用於參數類型或其任何欄位將被有效忽略時,這意味著使用繫結註解進行緩解是不可能的。[FromBody] 註解套用於某個動作的參數時,模型繫結器會自動嘗試使用 Input Formatter 繫結要求本文中所指定的所有參數。繫結器預設使用 JSON Input Formatter 嘗試繫結要求本文中的所有可能參數:
[HttpPost]
public ActionResult Create([FromBody] Product p)
{
return View(p.Name);
}
[FromBody] 註解時,對後續的 Product 類型套用的任何繫結註解 (例如 [Bind] 或 [BindNever]) 都會被忽略。
public class Product
{
...
public string Name { get; set; }
public bool IsAdmin { get; set; }
...
}
Register) 會從網頁表單存取,此表單會要求使用者提供名稱及密碼來註冊帳戶:
public ActionResult Register(RegisterModel model)
{
if (ModelState.IsValid)
{
try
{
return RedirectToAction("Index", "Home");
}
catch (MembershipCreateUserException e)
{
ModelState.AddModelError("", "");
}
}
return View(model);
}
RegisterModel 類別定義為:
public class RegisterModel
{
[BindRequired]
[Display(Name = "User name")]
public string UserName { get; set; }
[BindRequired]
[DataType(DataType.Password)]
[Display(Name = "Password")]
public string Password { get; set; }
[DataType(DataType.Password)]
[Display(Name = "Confirm password")]
public string ConfirmPassword { get; set; }
public Details Details { get; set; }
public RegisterModel()
{
Details = new Details();
}
}
Details 類別定義為:
public class Details
{
public bool IsAdmin { get; set; }
...
}
Example 1 中的情況,攻擊者可能會探索應用程式並發現 RegisterModel 模型中有一個 Details 屬性。若是如此,攻擊者接著可能會嘗試覆寫指派給其屬性的目前值。
name=John&password=****&details.is_admin=true
<struts-config>
<form-beans>
<form-bean name="dynaUserForm"
type="org.apache.struts.action.DynaActionForm" >
<form-property name="type" type="java.lang.String" />
<form-property name="user" type="com.acme.common.User" />
</form-bean>
...
User 類別定義為:
public class User {
private String name;
private String lastname;
private int age;
private Details details;
// Public Getters and Setters
...
}
Details 類別定義為:
public class Details {
private boolean is_admin;
private int id;
private Date login_date;
// Public Getters and Setters
...
}
Example 1 中的情況,攻擊者可能會探索應用程式並發現 User 模型中有一個 details 屬性。若是如此,攻擊者接著可能會嘗試覆寫指派給其屬性的目前值。
type=free&user.name=John&user.lastname=Smith&age=22&details.is_admin=true
...
TextClient tc = (TextClient)Client.GetInstance("127.0.0.1", 11211, MemcachedFlags.TextProtocol);
tc.Open();
string id = txtID.Text;
var result = get_page_from_somewhere();
var response = Http_Response(result);
tc.Set("req-" + id, response, TimeSpan.FromSeconds(1000));
tc.Close();
tc = null;
...
set req-1233 0 1000 n
<serialized_response_instance>
n 是回應的長度。ignore 0 0 1\r\n1\r\nset injected 0 3600 10\r\n0123456789\r\nset req- 字串,然後作業會變成如下所示:
set req-ignore 0 0 1
1
set injected 0 3600 10
0123456789
set req-1233 0 0 n
<serialized_response_instance>
injected=0123456789 快取中成功新增索引鍵/值組,所以攻擊者將能夠破壞快取。
...
def store(request):
id = request.GET['id']
result = get_page_from_somewhere()
response = HttpResponse(result)
cache_time = 1800
cache.set("req-" % id, response, cache_time)
return response
...
set req-1233 0 0 n
<serialized_response_instance>
ignore 0 0 1\r\n1\r\nset injected 0 3600 10\r\n0123456789\r\nset req- 字串,然後作業會變成如下所示:
set req-ignore 0 0 1
1
set injected 0 3600 10
0123456789
set req-1233 0 0 n
<serialized_response_instance>
injected=0123456789 快取中成功新增索引鍵/值組。視裝載而定,攻擊者將能夠透過插入由 Pickle 序列化的裝載 (在還原序列化之後會執行任意程式碼),破壞快取或執行任意程式碼。read() 時未能回傳預期的位元組數:
char* getBlock(int fd) {
char* buf = (char*) malloc(BLOCK_SIZE);
if (!buf) {
return NULL;
}
if (read(fd, buf, BLOCK_SIZE) != BLOCK_SIZE) {
return NULL;
}
return buf;
}
CALL "CBL_ALLOC_MEM"
USING mem-pointer
BY VALUE mem-size
BY VALUE flags
RETURNING status-code
END-CALL
IF status-code NOT = 0
DISPLAY "Error!"
GOBACK
ELSE
SET ADDRESS OF mem TO mem-pointer
END-IF
PERFORM write-data
IF ws-status-code NOT = 0
DISPLAY "Error!"
GOBACK
ELSE
DISPLAY "Success!"
END-IF
CALL "CBL_FREE_MEM"
USING BY VALUE mem-pointer
RETURNING status-code
END-CALL
GOBACK
.
dealloc() 方法中釋放記憶體。init() 方法中分配了記憶體,但無法在 deallocate() 方法中將其釋放,導致記憶體洩露:
- (void)init
{
myVar = [NSString alloc] init];
...
}
- (void)dealloc
{
[otherVar release];
}
realloc() 調整原始分配大小失敗時,洩露了分配記憶體區塊。
char* getBlocks(int fd) {
int amt;
int request = BLOCK_SIZE;
char* buf = (char*) malloc(BLOCK_SIZE + 1);
if (!buf) {
goto ERR;
}
amt = read(fd, buf, request);
while ((amt % BLOCK_SIZE) != 0) {
if (amt < request) {
goto ERR;
}
request = request + BLOCK_SIZE;
buf = realloc(buf, request);
if (!buf) {
goto ERR;
}
amt = read(fd, buf, request);
}
return buf;
ERR:
if (buf) {
free(buf);
}
return NULL;
}
realloc() 的呼叫未能調整原始配置的大小,則以下 Micro Focus COBOL 程式就會洩漏配置的記憶體區塊。
CALL "malloc" USING
BY VALUE mem-size
RETURNING mem-pointer
END-CALL
ADD 1000 TO mem-size
CALL "realloc" USING
BY VALUE mem-pointer
BY VALUE mem-size
RETURNING mem-pointer
END-CALL
IF mem-pointer <> null
CALL "free" USING
BY VALUE mem-pointer
END-CALL
END-IF
null 的函數回傳值。Equals() 成員函數前,不會檢查 Item 屬性回傳的字串是否為 null,可能會造成 null 解除參照。
string itemName = request.Item(ITEM_NAME);
if (itemName.Equals(IMPORTANT_ITEM)) {
...
}
...
null 值都沒有關係。null 的函數回傳值。malloc() 回傳的指標之前,並不會檢查記憶體是否已成功分配。
buf = (char*) malloc(req_size);
strncpy(buf, xfer, req_size);
malloc() 呼叫的失敗是由於 req_size 太大,或者因為在同一時刻有太多的要求需要被處理?或者是由於建立已久的記憶體洩露所引起的?若不處理此錯誤,我們將永遠不知道答案。null 的函數回傳值。compareTo() 成員函數前,不會檢查 getParameter() 傳回的字串是否為 null,可能會造成 null 解除參照。範例 2:以下程式碼顯示,設定為
String itemName = request.getParameter(ITEM_NAME);
if (itemName.compareTo(IMPORTANT_ITEM)) {
...
}
...
null 的系統特性,之後被程式設計人員錯誤地假設為始終會被定義,因而被解除參照。
System.clearProperty("os.name");
...
String os = System.getProperty("os.name");
if (os.equalsIgnoreCase("Windows 95") )
System.out.println("Not supported");
null 值都沒有關係。null 作比較,但是卻違反了這個規定。Object.equals()、Comparable.compareTo() 和 Comparator.compare() 方法時,如果其參數為 null,則必須傳回指定的值。若沒有遵守這個規定,將會導致無法預期的結果。equals() 方法的實作,不會將其參數與 null 比較。
public boolean equals(Object object)
{
return (toString().equals(object.toString()));
}
def form = Form(
mapping(
"name" -> text,
"age" -> number
)(UserData.apply)(UserData.unapply)
)
FormAction,但無法按照預期的要求驗證資料:範例 2:以下程式碼定義了 Spring WebFlow 動作狀態,但無法按照預期的要求驗證資料:
<bean id="customerCriteriaAction" class="org.springframework.webflow.action.FormAction">
<property name="formObjectClass"
value="com.acme.domain.CustomerCriteria" />
<property name="propertyEditorRegistrar">
<bean
class="com.acme.web.PropertyEditors" />
</property>
</bean>
<action-state>
<action bean="transferMoneyAction" method="bind" />
</action-state>
def form = Form(
mapping(
"name" -> text,
"age" -> number
)(UserData.apply)(UserData.unapply)
)
clone() 方法中也執行相同的檢查。clone() 方法時,不會呼叫正在複製的該類別建構函數。因此,如果可複製類別中的建構函數存有 SecurityManager 或 AccessController 檢查,在該類別的複製方法中也必須存有相同的檢查。否則,複製該類別後,就會略過安全檢查。SecurityManager 檢查,但在 clone() 方法中則沒有此檢查。
public class BadSecurityCheck implements Cloneable {
private int id;
public BadSecurityCheck() {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new BadPermission("BadSecurityCheck"));
}
id = 1;
}
public Object clone() throws CloneNotSupportedException {
BadSecurityCheck bsm = (BadSecurityCheck)super.clone();
return null;
}
}
SecurityManager 檢查的可序列化類別必須在其 readObject() 和 readObjectNoData 方法中也執行相同的檢查。readObject() 方法時,不會呼叫該類別正在還原序列化的建構函數。因此,如果可序列化類別中的建構函數存有 SecurityManager 檢查,在 readObject() 與 readObjectNoData() 方式中也必須存有相同的 SecurityManager 檢查。否則,還原序列化該類別後,就會略過安全檢查。SecurityManager 檢查,但在 readObject() 與 readObjectNoData() 方式中則沒有此檢查。
public class BadSecurityCheck implements Serializable {
private int id;
public BadSecurityCheck() {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new BadPermission("BadSecurityCheck"));
}
id = 1;
}
public void readObject(ObjectInputStream in) throws ClassNotFoundException, IOException {
in.defaultReadObject();
}
public void readObjectNoData(ObjectInputStream in) throws ClassNotFoundException, IOException {
in.defaultReadObject();
}
}