Allon Mureinik has submitted this change and it was merged.

Change subject: core: TimeoutBase: Prevent updating mutable Date
......................................................................


core: TimeoutBase: Prevent updating mutable Date

TimeoutBase contains a java.util.Date member, mEndTime. The value of
this member can be passed into (by setEndTime(Date)) and out of (by
getEndTime()) the class. Since java.util.Date is a mutable class, the
end time of the TimeoutBase may be manipulated, maliciously or
mistakenly, by someone holding a reference to that object.

This patch removes this vulnerability by replacing this member by a
simple primitive long, representing the unix time
(System.currentTimeMillis()), since the Date semantics (e.g., DST) isn't
used anyway.

Change-Id: Icd77e518369fa25bfe684d249d12e0f8e2bb1a0f
Signed-off-by: Allon Mureinik <[email protected]>
---
M backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/AuditLogDirector.java
M backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/TimeoutBase.java
M backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/TimeoutBaseTest.java
3 files changed, 12 insertions(+), 16 deletions(-)
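The aliasing hazard the commit message describes, and the primitive-long shape it moves to, side by side. This is an added illustration written for this page, not the ovirt-engine TimeoutBase source; the class names LeakyTimeout and SafeTimeout, and the isExpired(long) helper used to make the effect observable, are assumptions and do not correspond to anything in the patch.

```java
import java.util.Date;

/**
 * Added illustration (not ovirt-engine code): a timeout holder whose deadline
 * is a java.util.Date handed in and out by reference, next to the same holder
 * backed by a primitive long as the patch does.
 */
public class TimeoutDemo {

    /** Pre-fix shape (hypothetical): the Date passed in is stored and returned as-is. */
    static class LeakyTimeout {
        private Date mEndTime;

        public void setEndTime(Date endTime) { mEndTime = endTime; }
        public Date getEndTime() { return mEndTime; }

        /** Hypothetical helper so the deadline's effect can be observed. */
        public boolean isExpired(long nowMillis) {
            return mEndTime != null && mEndTime.getTime() <= nowMillis;
        }
    }

    /** Post-fix shape: a long is copied by value, so no caller can alias it. */
    static class SafeTimeout {
        private long mEndTime;

        public void setEndTime(long endTime) { mEndTime = endTime; }
        public long getEndTime() { return mEndTime; }

        public boolean isExpired(long nowMillis) {
            return mEndTime != 0 && mEndTime <= nowMillis;
        }
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        long oneHour = 60L * 60L * 1000L;

        // Leaky: the caller keeps a handle to the very Date object it passed in...
        LeakyTimeout leaky = new LeakyTimeout();
        Date end = new Date(now + oneHour);
        leaky.setEndTime(end);
        System.out.println("leaky expired before tampering:  " + leaky.isExpired(now)); // false
        // ...and can move the deadline into the past without ever calling the setter.
        end.setTime(now - 1);
        System.out.println("leaky expired after tampering:   " + leaky.isExpired(now)); // true
        // The getter leaks the same reference, so anyone who only reads it can tamper too.
        leaky.getEndTime().setTime(now + oneHour);
        System.out.println("leaky expired after getter edit: " + leaky.isExpired(now)); // false

        // Safe: the long was copied into the object; later edits to the local change nothing.
        SafeTimeout safe = new SafeTimeout();
        long safeEnd = now + oneHour;
        safe.setEndTime(safeEnd);
        safeEnd = now - 1;
        System.out.println("safe expired after local edit:   " + safe.isExpired(now)); // false
        // getEndTime() returns a copy of the value, so there is nothing to mutate.
        long copy = safe.getEndTime();
        copy = now - 1;
        System.out.println("safe expired after getter edit:  " + safe.isExpired(now)); // false
    }
}
```

Run it with `javac TimeoutDemo.java && java TimeoutDemo`. Where a Date must stay in the API, the equivalent defence is to copy on both sides (`new Date(d.getTime())` in the setter and the getter); the patch avoids that by dropping the Date entirely, which is simpler and removes the need to remember the copy at every call site.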

Approvals:
  Allon Mureinik: Verified; Looks good to me, approved


--
To view, visit http://gerrit.ovirt.org/11897
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Icd77e518369fa25bfe684d249d12e0f8e2bb1a0f
Gerrit-PatchSet: 7
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Allon Mureinik <[email protected]>
Gerrit-Reviewer: Alissa Bonas <[email protected]>
Gerrit-Reviewer: Allon Mureinik <[email protected]>
Gerrit-Reviewer: Daniel Erez <[email protected]>
Gerrit-Reviewer: Liron Aravot <[email protected]>
Gerrit-Reviewer: Maor Lipchuk <[email protected]>
Gerrit-Reviewer: Michael Kublin <[email protected]>
Gerrit-Reviewer: Tal Nisan <[email protected]>
Gerrit-Reviewer: Vered Volansky <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches