Secure Coding mailing list archives

Re: Java DOS

From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Tue, 15 Feb 2011 07:20:25 -0600

On Feb 15, 2011, at 12:06 AM, Chris Schmidt <chrisisbeef () gmail com> wrote:

On Feb 14, 2011, at 8:57 AM, "Wall, Kevin" <Kevin.Wall () qwest com> wrote:

[snip[

So on a somewhat related note, does anyone have any idea as to how common it is for
application developers to call ServletRequest.getLocale() or ServletRequest.getLocales()
for Tomcat applications? Just curious. I'm sure it's a lot more common than
developers using double-precision floating point in their applications (with
the possible exception within the scientific computing community).


I would assume just about any app with a shopping cart does. This is of course compounded
by libraries like struts and spring mvc that autobind your form variables for you. Use a form with
a double in it and your boned.


Good point about things like Spring and Struts. Hadn't thought of those cases. OTOH, if
I were implementing a shopping cart, I'd write a special Currency class and there
probably use Float.parseFloat() rather than Double.parseDouble() [unless I were a bank
or otherwise had to compute interest], and hopefully Float does not have similar issues.

-kevin
--
Kevin W. Wall   614.215.4788   Qwest Risk Management / Information Security Team
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein, co-creator of MIME
________________________________________
From: Chris Schmidt [chrisisbeef () gmail com]
Sent: Tuesday, February 15, 2011 12:06 AM
To: Wall, Kevin
Cc: Jim Manico; Rafal Los; sc-l () securecoding org
Subject: Re: [SC-L] Java DOS



This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________

Current thread:

Java DOS Brian Chess (Feb 12)
- Re: Java DOS James Manico (Feb 12)
- Re: Java DOS Jeffrey Walton (Feb 13)
- <Possible follow-ups>
- Re: Java DOS Rafal Los (Feb 13)
  - Re: Java DOS Jim Manico (Feb 13)
    - Re: Java DOS Wall, Kevin (Feb 14)
    - Re: Java DOS Chris Schmidt (Feb 15)
    - Re: Java DOS Wall, Kevin (Feb 15)
    - Re: Java DOS Wall, Kevin (Feb 15)
    - Re: Java DOS Shanahan Pete (Feb 15)
    - Re: Java DOS Chris Schmidt (Feb 15)
    - Re: Java DOS Shanahan Pete (Feb 15)
    - Re: Java DOS Chris Schmidt (Feb 15)
    - Re: Java DOS Kevin W. Wall (Feb 16)
    - Re: Java DOS Jim Manico (Feb 15)
    - Re: Java DOS Kevin W. Wall (Feb 16)