Which kind of webapps can realistically be affected by the floating bug?
There\'s an easy way to totally lock a lot of JVM:
class runhang {
public static void main(String[] args) {
System.out.println(\"Test:\");
double d = Dou
-
All versions of Tomcat have been patched and released to handle the "Accept-Language" condition.
Oracle has released a hot fix which can be found here:
http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html
The hotfix will work for java 1.4, 1.5, and 1.6.
讨论(0) -
I understand that this number is only one in a range of numbers that would crash applications but just couldn't resist commenting, check the last 4 digits. 2012, it speaks volumes of the number, the ancient predicted doomsday, and our modern applications are pointing to a crashing threshold unless fixed :-)
讨论(0) -
Hate to state the obvious, but all application that lets the user submits the string "2.2250738585072011e-308", and calls parse double on can "realistically" be affected.
讨论(0) -
Anything where you let the user enter a floating point number and do a comparison or calculation on it should be suspect. I would say a payment form, loan calculator, and bidding form would be the most common. All it would take is one little calculator utility in your entire application to be able to hang the web server by repeated hits.
讨论(0) -
Many web servers parse part of the http headers using Double.parse, so we are dealing with infrastructure here (in addition to any problems with applications that run in the container). The comments of the Exploring Binary blog you link to have the following as an example:
GET / HTTP/1.1 Host: myhost Connection: keep-alive Accept-Language: en-us;q=2.2250738585072012e-308If the servlet that the request is going against makes a call to any of the localization APIs (which would then attempt to parse the language header), the above will bring the server down.
So yes, this is a very big problem. The attack surface is quite large, and the consequences quite high.
讨论(0)
加载中...
- 热议问题