Allon Mureinik has uploaded a new change for review.

Change subject: core: TimeoutBase:Prevent updating mutable Date
......................................................................
core: TimeoutBase:Prevent updating mutable Date TimeoutBase contains a java.util.Date member, mEndTime. The value of this member can be passed in (by setEndTime(Date)) and out (by getEndTime()) of the class. Since java.util.Date is a mutable class, the end time of the TimeoutBase may be manipulated, maliciously or mistakenly, by someone holding a reference to that object. This patch removes this vulnerability by cloning said Date object in the said methods. Change-Id: Icd77e518369fa25bfe684d249d12e0f8e2bb1a0f Signed-off-by: Allon Mureinik <amure...@redhat.com> --- M backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/TimeoutBase.java 1 file changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/97/11897/1 diff --git a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/TimeoutBase.java b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/TimeoutBase.java index 4dc8928..41f671d 100644 --- a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/TimeoutBase.java +++ b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/TimeoutBase.java 
@@ -21,12 +21,12 @@ } public Date getEndTime() { - return mEndTime; + return (Date) mEndTime.clone(); } public void setEndTime(Date value) { mUseTimeout = true; - mEndTime = value; + mEndTime = (Date) value.clone(); } private String timeoutObjectId = ""; -- To view, visit http://gerrit.ovirt.org/11897 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Icd77e518369fa25bfe684d249d12e0f8e2bb1a0f Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Allon Mureinik <amure...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
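
Review bot: Both new `clone()` calls dereference without a null check. In `getEndTime()`, `mEndTime.clone()` throws a NullPointerException if the end time was never set (the field's initial value is outside this hunk), and in `setEndTime(Date value)`, `value.clone()` now fails on a null argument that the old plain assignment accepted. Suggest guarding both, for example `return mEndTime == null ? null : new Date(mEndTime.getTime());` in the getter. Since the commit message names malicious callers, the setter should also use `new Date(value.getTime())` rather than `value.clone()`: `java.util.Date` is not final, so a caller-supplied subclass can override `clone()` and return an instance the caller still holds a reference to. A short Javadoc line on both methods stating that they copy the Date would keep later edits from reverting to the direct reference.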