Security Hole in One of the Book's Samples

I found a security hole with the StartupFilter sample in chapter 11 of my book, so I thought I would alert you once I had it fixed.

I don't think the impact of this bug will be big, because after the filter runs it's really obvious that the web interface is not right... so most people probably disable the component when they notice this issue.

And yet somehow I and 3 technical reviewers missed it.

*sigh*

Anyway, you should download the latest version of the sample code if you want to use that sample.

And if everybody could whip out the white-out, please change page 236 from using this DataBinder constructor:

DataBinder serviceBinder = new DataBinder();
serviceBinder.setEnvironment(SharedObjects.getEnvironment());

To this:

DataBinder serviceBinder = new DataBinder(
    SharedObjects.getEnvironment());

If you did it the old way, then any environment value you changed would be reflected in all future DataBinders. As you can imagine, that would cause really weird things to happen on the web interface, and it can sometimes be a security hole.
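
The difference between the two forms, as an added example that is not from the book or its sample code. The Binder class, SHARED_ENV and the SampleSetting key are hypothetical stand-ins; the example assumes the setter keeps the shared Properties reference while the constructor layers a private Properties over it, which matches the behaviour described above.

```java
import java.util.Properties;

public class SharedEnvironmentDemo {
    // Hypothetical stand-in for the server-wide SharedObjects.getEnvironment().
    static final Properties SHARED_ENV = new Properties();

    // Hypothetical stand-in for DataBinder; only environment handling is modelled.
    static class Binder {
        private Properties env = new Properties();

        Binder() {}

        // Assumed constructor behaviour: a private layer over the shared values.
        // Reads fall through to the shared defaults, writes stay in this binder.
        Binder(Properties shared) {
            this.env = new Properties(shared);
        }

        // Assumed setter behaviour: the binder aliases the caller's object.
        void setEnvironment(Properties shared) {
            this.env = shared;
        }

        String getEnv(String key) { return env.getProperty(key); }
        void putEnv(String key, String value) { env.setProperty(key, value); }
    }

    // Simulates one request in which a filter changes an environment value,
    // then returns what the next request's binder sees for that key.
    static String valueSeenByNextRequest(boolean oldWay) {
        SHARED_ENV.setProperty("SampleSetting", "server-default"); // constructed value
        Binder binder;
        if (oldWay) {
            binder = new Binder();
            binder.setEnvironment(SHARED_ENV);   // the form originally printed on page 236
        } else {
            binder = new Binder(SHARED_ENV);     // the corrected form
        }
        binder.putEnv("SampleSetting", "changed-for-one-request");
        return new Binder(SHARED_ENV).getEnv("SampleSetting");
    }

    public static void main(String[] args) {
        System.out.println("old way, next request sees: " + valueSeenByNextRequest(true));
        System.out.println("new way, next request sees: " + valueSeenByNextRequest(false));
    }
}
```

With the aliasing form, the per-request change persists into the shared environment and is visible to every later binder; with the layered form it is discarded along with the binder that made it.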

This and any other errata should be fixed in the next revision of the book.
