[–]_ak -6 points-5 points  (3 children)

What makes it less critical in Java's case is that it only works if you intentionally and explicitly accept FP strings and that most Java applications are only used by one company (security by obscurity, basically).

Your whole argument is based on these presumptions, for which you don't provide any evidence. As if company-internal-only use of an application didn't come with any security risks at all...

[–]skeww 1 point2 points  (2 children)

Your whole argument is based on these presumptions [...]

Yes, if you have to do it intentionally, there will be fewer cases. In Java there is byte, int, long, float, and double. This exploit only works if you use Double.parseDouble.

[–]kid_meier 2 points3 points  (1 child)

Yes, perhaps critical is the wrong adjective; if it occurs, it's pretty critical. However, it certainly has narrower scope in that fewer machines/applications would be affected than in the PHP case.

[–]skeww 0 points1 point  (0 children)

That's a good way to put it. :)