CWE-608 Struts: Non-private Field in ActionForm Class
Structure: Simple
Abstraction: Variant
Status: Draft
Likelihood of Exploit: Unknown
Description
An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.
Related Weaknesses
- ChildOf CWE-20 (View 699, Primary)
- ChildOf CWE-668 (View 1000, Primary)
Applicable Platforms
Language: Java (Prevalence: Undetermined)
Common Consequences
Scope | Impact | Notes |
---|---|---|
Integrity, Confidentiality | Modify Application Data, Read Application Data | |
Potential Mitigations
Phase: Implementation
Make all fields private. Use getters to read the value of a field. Setters should be used only by the framework; setting an action form field from other actions is bad practice and should be avoided.
Demonstrative Examples
Example
In the following Java example the class RegistrationForm is a Struts framework ActionForm bean that maintains user input data from a registration web page for an online business site. The user enters registration data and, through the Struts framework, the RegistrationForm bean maintains that user data.
Bad example (Java):

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;

public class RegistrationForm extends ActionForm {
    // form fields declared public: any code holding the bean can read or
    // overwrite them directly, bypassing the getter and setter methods
    public String name;
    public String email;
    ...
    public RegistrationForm() {
    }
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...}
    ...
}
```
However, within RegistrationForm the member variables holding the registration form input data are declared public rather than private. All member variables within a Struts framework ActionForm class must be declared private, so that they cannot be modified without going through the getter and setter methods. The following example shows the member variables declared private, with getter and setter methods declared for accessing them.
Good example (Java):

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;

public class RegistrationForm extends ActionForm {
    // form fields declared private: reachable only through accessors
    private String name;
    private String email;
    ...
    public RegistrationForm() {
    }
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...}
    // getter and setter methods for the private fields follow
    ...
}
```
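The entry elides the accessor methods and the body of validate(). The following class is an added example, not code from the CWE entry or from the Struts project, showing the mitigation above carried through: private fields, getters for reading, setters that exist for the framework's request-to-bean population step, and a validate() that enforces the form's invariants. The resource-bundle keys (error.name.required, error.email.invalid) and the trimming and lower-casing in the setters are assumptions chosen for the example.

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;

// Added example (not the CWE entry's own code): a Struts 1 ActionForm whose
// state is reachable only through accessors.
public class RegistrationForm extends ActionForm {

    // All form state is private. The only way in or out is through the
    // accessors below, so the normalisation in the setters and the checks in
    // validate() cannot be bypassed by another class assigning a field directly.
    private String name;
    private String email;

    public RegistrationForm() {
        super();
    }

    // Getters are what Actions and JSP tags should use to read the form.
    public String getName() {
        return name;
    }

    public String getEmail() {
        return email;
    }

    // Setters are called by the framework when it populates the bean from
    // request parameters. They normalise the raw input once, so every reader
    // of the form sees the same canonical value (normalisation is an assumption
    // for this example).
    public void setName(String name) {
        this.name = name == null ? null : name.trim();
    }

    public void setEmail(String email) {
        this.email = email == null ? null : email.trim().toLowerCase();
    }

    // Called by Struts after population; a non-empty result stops the Action
    // from running and returns the user to the input page. The message keys
    // are assumed entries in the application's resource bundle.
    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();
        if (name == null || name.isEmpty()) {
            errors.add("name", new ActionMessage("error.name.required"));
        }
        if (email == null || email.indexOf('@') < 1 || email.length() > 254) {
            errors.add("email", new ActionMessage("error.email.invalid"));
        }
        return errors;
    }

    // Clears per-request state so a session-scoped form never carries one
    // submission's values into the next request.
    @Override
    public void reset(ActionMapping mapping, HttpServletRequest request) {
        name = null;
        email = null;
    }
}
```

With the fields public, as in the bad example, any Action or helper holding a reference to the bean could assign name or email directly after the framework has already run validate(), so the normalised and validated state the rest of the application relies on would no longer be guaranteed. With the fields private, the compiler rejects such an assignment, and a code review or static-analysis rule flagging non-private fields in ActionForm subclasses is a cheap way to catch the pattern.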
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
Software Fault Patterns | SFP28 | | Unexpected access points |
Source: scap中文网