Open Source and information security mailing list archives
 
Date: Sun, 13 Mar 2011 08:20:44 +0530
From: Phani <pklanka@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: java.text.MessageFormat - thread safety - a vital question

Hello Forum

This question is especially about the function *"public static String
format(String pattern, Object... arguments)"* in the MessageFormat class. No
information is given in the Javadoc for this function regarding thread safety.
However, a generic message for the entire class is given in the Javadoc,
stating that *"Message formats are not synchronized. It is recommended
to create separate format instances for each thread. If multiple threads
access a format concurrently, it must be synchronized externally."*

It is for this reason I believe the code scanning tools like Fortify catch
this function as having lack of thread safety for web applications.

However, if you look at the decompiled source of the function - no shared
object is being accessed. The decompiled source of this function is below -

    public static String format(String pattern, Object ... arguments) {
        MessageFormat temp = new MessageFormat(pattern);
        return temp.format(arguments);
    }

Here *no shared object is being accessed*, a new object is created within
the static method and the same is used for formatting. This decompiled
version indicates that this method is actually thread safe (since no shared
object is present and each method stack in each thread will have its own
copy of MessageFormat. No sharing happens).

Could you tell us if this is the case in the current scenario? This
particular format method is actually thread safe when compared to other
format methods.

regards
Phani Lanka
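
The following is an added example, not part of the original post or of the JDK source. It exercises the usage patterns the message and the quoted Javadoc mention (a fresh instance per call through the static helper, one instance per thread, a shared instance with external synchronization, and a shared instance with no lock) and counts wrong results under concurrency. The class name, the pattern and the sample arguments are constructed for illustration, and Java 8 or later is assumed.

```java
import java.text.MessageFormat;
import java.util.Date;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;

public class MessageFormatThreads {
    // Constructed pattern; the date element makes each instance hold a SimpleDateFormat.
    static final String PATTERN = "user {0} last seen {1,date,yyyy-MM-dd}";
    static final MessageFormat SHARED = new MessageFormat(PATTERN);
    static final ThreadLocal<MessageFormat> PER_THREAD =
            ThreadLocal.withInitial(() -> new MessageFormat(PATTERN));

    // Runs 8 threads, each formatting its own arguments, and counts wrong or failed results.
    static int mismatches(Function<Object[], String> formatter) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        AtomicInteger bad = new AtomicInteger();
        for (int t = 0; t < 8; t++) {
            Object[] args = { "u" + t, new Date(t * 40_000_000_000L) }; // constructed sample data
            String expected = MessageFormat.format(PATTERN, args);      // computed on one thread
            pool.submit(() -> {
                for (int i = 0; i < 50_000; i++) {
                    try {
                        if (!expected.equals(formatter.apply(args))) bad.incrementAndGet();
                    } catch (RuntimeException e) {
                        bad.incrementAndGet(); // corrupted internal state can also throw
                    }
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.MINUTES);
        return bad.get();
    }

    public static void main(String[] argv) throws InterruptedException {
        // Fresh instance per call: the static helper discussed in the message.
        System.out.println("static format():     " + mismatches(a -> MessageFormat.format(PATTERN, a)));
        // One instance per thread, as the class Javadoc recommends.
        System.out.println("ThreadLocal:         " + mismatches(a -> PER_THREAD.get().format(a)));
        // Shared instance with external synchronization.
        System.out.println("shared+synchronized: "
                + mismatches(a -> { synchronized (SHARED) { return SHARED.format(a); } }));
        // Shared instance without a lock: the case the Javadoc warns about; can report mismatches.
        System.out.println("shared, no lock:     " + mismatches(a -> SHARED.format(a)));
    }
}
```

The count for the unsynchronized shared instance depends on thread scheduling and varies from run to run.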


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
