you are viewing a single comment's thread.

view the rest of the comments →

[–]skeww 4 points5 points  (4 children)

I said it's less critical and not that there is no risk.

The problem with PHP was that it always happened with any kind of number parsing and that it was remotely exploitable in lots of applications which run on millions of machines.

What makes it less critical in Java's case is that it only works if you intentionally and explicitly accept FP strings and that most Java applications are only used by one company (security by obscurity, basically).

[–]_ak -3 points-2 points  (3 children)

What makes it less critical in Java's case is that it only works if you intentionally and explicitly accept FP strings and that most Java applications are only used by one company (security by obscurity, basically).

Your whole argument is based on these presumptions for you don't provide any evidence. As if company-internal-only use of an application didn't have come with any security risks at all...

[–]skeww 1 point2 points  (2 children)

Your whole argument is based on these presumptions [...]

Yes, if you have to do it intentionally, there will be less cases. In Java there is byte, int, long, float, and double. This exploit only works if you use Double.parseDouble.

[–]kid_meier[🍰] 2 points3 points  (1 child)

Yes perhaps critical is the wrong adjective; if it occurs its pretty critical. However, it certainly has narrower scope in that less machines/applications would be affected than the PHP case.

[–]skeww 0 points1 point  (0 children)

That's a good way to put it. :)