Name: nt126004 Date: 11/27/2001
java version "1.4.0-beta3"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0-beta3-b84)
Java HotSpot(TM) Client VM (build 1.4.0-beta3-b84, mixed mode)
Created a regex to search and replace some input. It uses
matcher.appendReplacement() in a while loop. When it encounters an unescaped
'$' it blows up with:
Exception in thread "main" java.lang.IllegalArgumentException: Illegal group reference
        at java.util.regex.Matcher.appendReplacement(Matcher.java:546)
        at jguru.PreJdk14Processor.main(PreJdk14Processor.java:61)
I have read the javadoc for appendReplacement() and saw the comment about escaping '$'.
Could you please add something extra to this comment to indicate that it *will* throw
an IllegalArgumentException if a literal '$' is not escaped, as I have
just spent quite a bit of unnecessary time delving around the code. ;-)
/*
 * PreJdk14Processor.java
 *
 * Created on 05 November 2001, 14:08
 */
package jguru;

import java.io.*;
import java.util.regex.*;

/**
 *
 * @author Ewan_h
 */
public class PreJdk14Processor {

    /**
     * @param args the command line arguments: args[0] is the input file, args[1] the output file
     */
    public static void main(String args[]) throws Exception {
        // Read the whole input file into a String
        FileInputStream fis = new FileInputStream(args[0]);
        String s = "";
        byte[] b = new byte[1024];
        int n = 0;
        while ((n = fis.read(b)) != -1) {
            s += new String(b, 0, n);
        }
        fis.close();
        //String s = "Where can I get help with Struts?\r\nLocation: http://www.jguru.com/faq/view.jsp?EID=471930\r\nCreated: Aug 8, 2001\r\nAuthor: Ted Husted (http://www.jguru.com/guru/viewbio.jsp?EID=462042)\r\n\r\nSome content here";
        /* This pattern matches for:
           Where can I get help with Struts?
           Location: http://www.jguru.com/faq/view.jsp?EID=471930
           Created: Aug 8, 2001
           Author: Ted Husted (http://www.jguru.com/guru/viewbio.jsp?EID=462042)
           Some content here
        */
        Pattern p = Pattern.compile("(.*\r\n)(Location:.*\r\n)(Created:.*\r\n)(Author:.*\r\n)(\r\n.*)");
        StringBuffer out = new StringBuffer();
        Matcher m = p.matcher(s);
        try {
            boolean result = m.find();
            while (result) {
                // Groups 1, 3 and 5 are copied into the replacement unescaped, so any
                // '$' in the matched text is parsed by appendReplacement() as a group reference
                String replacer = "*" + m.group(1) + m.group(3) + m.group(5);
                System.out.println(replacer);
                m.appendReplacement(out, replacer);
                result = m.find();
            }
            m.appendTail(out);
            System.out.println(out);
        } finally {
            // Write whatever was produced, even if appendReplacement() threw
            FileOutputStream fout = new FileOutputStream(args[1]);
            fout.write(out.toString().getBytes());
            fout.close();
        }
    }
}
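A hardened version of the same loop, added here and not part of the bug report: each group copied into the replacement is escaped first, so a '$' or '\' in the matched text is inserted literally instead of being parsed as a group reference (which is what throws above, and which would also let a '$1'-style sequence in the input pull in another group's text). The class and method names are assumptions; Matcher.quoteReplacement(), which performs the same escaping, was added in Java 5 and so is not available on the 1.4 beta the report targets.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SafeReplacementDemo {

    /** Prefix '\' and '$' with a backslash so appendReplacement() copies them verbatim. */
    static String quote(String s) {
        StringBuffer sb = new StringBuffer(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\\' || c == '$') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Same rewrite as the report's loop, with every copied group escaped. */
    static String rewrite(String input) {
        Pattern p = Pattern.compile("(.*\r\n)(Location:.*\r\n)(Created:.*\r\n)(Author:.*\r\n)(\r\n.*)");
        Matcher m = p.matcher(input);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String replacer = "*" + quote(m.group(1)) + quote(m.group(3)) + quote(m.group(5));
            m.appendReplacement(out, replacer);
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the body line carries an unescaped '$', like the report's data file
        String sample = "Which class is the system default ClassLoader?\r\n"
            + "Location: http://www.jguru.com/faq/view.jsp?EID=4318\r\n"
            + "Created: Jan 7, 2000\r\n"
            + "Author: Lennart Jorelid (http://www.jguru.com/guru/viewbio.jsp?EID=15)\r\n"
            + "\r\nThe default ClassLoader is sun.misc.Launcher$AppClassLoader.";
        // Without quote() this call throws IllegalArgumentException: Illegal group reference
        System.out.println(rewrite(sample));
    }
}
```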
Sample text data file that includes two matches that will cause an error
included below @@@@@@@
@@@@@@@
What are the security ramifications of using the Externalizable interface?
Location: http://www.jguru.com/faq/view.jsp?EID=2597
Created: Dec 14, 1999 Modified: 1999-12-22 23:58:13.386
Author: Govind Seshadri (http://www.jguru.com/guru/viewbio.jsp?EID=14)
The methods within the Externalizable interface, readExternal() and writeExternal() have public scope. This implies some client object could potentially bypass the Java sandbox mechanisms and overwrite or gain access to the state of an externalizable object.
As a general rule of thumb, a class should implement the Externalizable interface only if the object contains nonsensitive information.
Comments and alternative answers
No security difference in using Externalizable or Serializable
Author: Jesper Nielsen (http://www.jguru.com/guru/viewbio.jsp?EID=458606), Jul 19, 2001
I disagree with Govind completely. If someone "could potentially" go around the sandbox as you put it and call the public methods on an Externalizable Java object he/she can just as well construct an ObjectOutputStream and serialize your Serializable object.
He/She can also without any problems replace a few lines of code in the ObjectOutputStream and gain access to the attributes within a Serializable object. Serializable objects are just as "insecure" as Externalizable Objects... This has been shown again and again. The security should not be based on this, and there is no difference between the two interfaces (from a security standpoint)... Are we looking at performance and a few other things Externalizable is much better though!
Which class is the system default ClassLoader?
Location: http://www.jguru.com/faq/view.jsp?EID=4318
Created: Jan 7, 2000
Author: Lennart Jorelid (http://www.jguru.com/guru/viewbio.jsp?EID=15)
The default ClassLoader is sun.misc.Launcher$AppClassLoader (which is fairly irrelevant in itself) which extends java.net.URLClassLoader. The reverse (superclasses below subclasses) inheritance map of the default ClassLoader:
sun.misc.Launcher$AppClassLoader
  |
  +-- java.net.URLClassLoader
        |
        +-- java.security.SecureClassLoader
              |
              +-- java.lang.ClassLoader
                    |
                    +-- java.lang.Object
Thus, to examine the security capabilities of the default ClassLoader, check JavaDoc for the java.security.SecureClassLoader and java.net.URLClassLoader.
Which file, in which directory, contains a list of installed Java security providers for Sun's JREs?
Location: http://www.jguru.com/faq/view.jsp?EID=440234
Created: Jun 16, 2001
Author: Qunli Qiang (http://www.jguru.com/guru/viewbio.jsp?EID=409012) Question originally posed by Sandeep Desai (http://www.jguru.com/guru/viewbio.jsp?EID=123976)
They are in the file $JAVA_HOME/jre/lib/security/java.security.
Looks like:
#######################
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.crypto.provider.SunJCE
security.provider.3=com.sun.rsajca.Provider
########################
@@@@@ end
3. Stdout and error msg:
C:\temp\JDK14T~1\src\main>java -cp .; jguru.PreJdk14Processor sectest.txt sectest2.txt
*What are the security ramifications of using the Externalizable interface?
Created: Dec 14, 1999 Modified: 1999-12-22 23:58:13.386
The methods within the Externalizable interface, readExternal() and writeExternal() have public scope. This implies some client object could potentially bypass the Java sandbox mechanisms and overwrite or gain access to the state of an externalizable object.
*Which class is the system default ClassLoader?
Created: Jan 7, 2000
The default ClassLoader is sun.misc.Launcher$AppClassLoader (which is fairly irrelevant in itself) which extends java.net.URLClassLoader. The reverse (superclasses below subclasses) inheritance map of the default ClassLoader:
Exception in thread "main" java.lang.IllegalArgumentException: Illegal group reference
        at java.util.regex.Matcher.appendReplacement(Matcher.java:546)
        at jguru.PreJdk14Processor.main(PreJdk14Processor.java:61)
(Review ID: 135273)
======================================================================