Apple & Java
I’ve been reading a bit more on using Java for web content. I found an interesting link from Apple on using Tomcat with Mac OS X. It’s a nice article, plenty of code to chew on and mull over. What is interesting though is that very little security was put into the examples.
Since this is just an example application, we’re only including the simplest possible security. Anyone who goes to /blog/add_data.jsp and enters a password which is stored in the passwords table will be allowed to add an entry to the log.
There’s a bigger problem than the missing permissions model and access controls in the web log example. The code has a glaring SQL injection vector because nothing validates input: the SQL statement is built by concatenating strings taken straight from the request parameters, so anything the user types becomes part of the query. On the one hand, it’s disappointing to see that even in example code, security isn’t built in and explained from the start. On the other, the license that the code is released under prevents people from fixing the problem and still attributing it to Apple in a meaningful way.
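To make the problem concrete, here is an added example (my own code, not Apple’s sample) showing the concatenation pattern next to the fix, a PreparedStatement with bound parameters. It assumes an in-memory H2 database reachable through its JDBC driver on the classpath, a `passwords` table as in the article, and an `entries` table with `title` and `body` columns that I made up for the demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class BlogEntryDao {

    // VULNERABLE: mirrors the sample's pattern. The SQL text is assembled from the
    // request parameter, so a value containing a quote rewrites the statement itself.
    static String concatenatedPasswordQuery(String password) {
        return "SELECT COUNT(*) FROM passwords WHERE password = '" + password + "'";
    }

    static boolean concatenatedCheck(Connection c, String password) throws SQLException {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(concatenatedPasswordQuery(password))) {
            return rs.next() && rs.getInt(1) > 0;
        }
    }

    // HARDENED: the SQL text is a constant; the user value is bound as a parameter
    // and is only ever compared as data, never parsed as SQL.
    static boolean preparedCheck(Connection c, String password) throws SQLException {
        String sql = "SELECT COUNT(*) FROM passwords WHERE password = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && rs.getInt(1) > 0;
            }
        }
    }

    // Same discipline for the insert that add_data.jsp performs after the check.
    static int preparedInsert(Connection c, String title, String body) throws SQLException {
        String sql = "INSERT INTO entries(title, body) VALUES (?, ?)";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, title);
            ps.setString(2, body);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 JDBC driver on the classpath; schema and rows are constructed here.
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:blog")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE passwords(password VARCHAR(64))");
                st.execute("CREATE TABLE entries(title VARCHAR(200), body VARCHAR(4000))");
                st.execute("INSERT INTO passwords VALUES ('s3cret')");
            }

            // A value that is not the password but contains SQL syntax.
            String hostile = "x' OR '1'='1";

            System.out.println("concatenated query text: " + concatenatedPasswordQuery(hostile));
            System.out.println("concatenated check accepts it: " + concatenatedCheck(c, hostile));
            System.out.println("prepared check accepts it:     " + preparedCheck(c, hostile));
            System.out.println("prepared check, real password: " + preparedCheck(c, "s3cret"));

            // Bound parameters keep the quote as literal text in the stored row.
            System.out.println("rows inserted: " + preparedInsert(c, "It's a title", hostile));
        }
    }
}
```

Run it with the H2 jar on the classpath. The concatenated version accepts the hostile value because the quote closes the literal and the trailing `OR` makes the WHERE clause always true; the prepared version treats the whole string as one opaque value and rejects it, while still accepting the real password. The same change applies to the INSERT in the sample, which concatenates the entry title and body in the same way.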
// Copyright 2001 by Apple Computer, Inc., All Rights Reserved.
//
// You may incorporate this Apple sample code into your own code
// without restriction. This Apple sample code has been provided "AS IS"
// and the responsibility for its operation is yours. You may redistribute
// this code, but you are not permitted to redistribute it as
// "Apple sample code" after having made changes.
Fine. I’ll take all the credit.
