commons-dev mailing list archives

From sebb <seb...@gmail.com>
Subject Re: [ALL] Update to commons security page
Date Tue, 15 Oct 2019 10:47:27 GMT

On Tue, 15 Oct 2019 at 11:03, Claude Warren <claude@xenei.com> wrote:
>
> If the style is to rely on external code to do input validation, then I
> think that should be in the javadocs as well as on the page you mention.

Perhaps I phrased it wrong.

What I meant was that the code generally does what it is told to do.

e.g. a delete_tree(path) method is not going to prevent you from using path='/'

Commons cannot in general validate such parameters.

> Claude
>
> On Tue, Oct 15, 2019 at 10:59 AM sebb <sebbaz@gmail.com> wrote:
>
> > It might be useful to add a note to the commons security page about
> > automated vulnerability checkers.
> >
> > These tend to produce a lot of false positives and may report items
> > which could never be a security issue (e.g. poor code style, dead
> > code).
> >
> > Even if the issue is potentially a vulnerability, it often depends on
> > the context.
> > This is particularly true of Commons - the code generally relies on
> > the application to do validation of input parameters.
> >
> > Thoughts?
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > For additional commands, e-mail: dev-help@commons.apache.org
> >
> >
>
> --
> I like: Like Like - The likeliest place on the web
> <http://like-like.xenei.com>
> LinkedIn: http://www.linkedin.com/in/claudewarren
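
The point made in this message, that a delete_tree(path) method will not stop a caller from passing path='/', puts the check in the application. The following is an added example, not part of the original message and not Commons code: a caller-side guard that confines a recursive delete to an allowed base directory. The names `SafeDelete`, `resolveInside` and `deleteTree`, and the temporary base directory, are assumptions for illustration.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.BasicFileAttributes;

public class SafeDelete {
    // Application-side check: accept only paths strictly inside the allowed base.
    static Path resolveInside(Path base, String requested) throws IOException {
        Path realBase = base.toRealPath();                        // canonical base, symlinks resolved
        Path candidate = realBase.resolve(requested).normalize(); // absolute input replaces base; ".." collapsed
        if (candidate.equals(realBase) || !candidate.startsWith(realBase)) {
            throw new SecurityException("outside allowed base: " + requested);
        }
        // Resolve symlinks in the parent so a link under base cannot redirect the delete.
        Path realParent = candidate.getParent().toRealPath();
        if (!realParent.startsWith(realBase)) {
            throw new SecurityException("symlink escapes allowed base: " + requested);
        }
        return realParent.resolve(candidate.getFileName());
    }

    // Stand-in for a library delete_tree(path): it deletes whatever it is given.
    static void deleteTree(Path root) throws IOException {
        Files.walkFileTree(root, new SimpleFileVisitor<Path>() {
            @Override public FileVisitResult visitFile(Path f, BasicFileAttributes a) throws IOException {
                Files.delete(f);
                return FileVisitResult.CONTINUE;
            }
            @Override public FileVisitResult postVisitDirectory(Path d, IOException e) throws IOException {
                if (e != null) throw e;
                Files.delete(d);
                return FileVisitResult.CONTINUE;
            }
        });
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("allowed-base");    // constructed sample data
        Files.createFile(Files.createDirectories(base.resolve("job1/cache")).resolve("a.tmp"));
        for (String req : new String[] {"job1", "/", "../", "", "job1/../.."}) {
            try {
                deleteTree(resolveInside(base, req));
                System.out.println("deleted:  '" + req + "'");
            } catch (SecurityException e) {
                System.out.println("rejected: '" + req + "' (" + e.getMessage() + ")");
            }
        }
        Files.delete(base);                                       // clean up the now-empty base
    }
}
```

Only the first request is deleted; the root path, the parent traversals and the empty string (which resolves to the base itself) are rejected before the delete routine is ever called.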
