How does Java strings being immutable increase security?

by

A very common practice in writing class libraries is storing the parameters passed into your API, say, in a constructor, like this:

public class MyApi {
    final String myUrl;
    public MyApi(String urlString) {
        // Verify that urlString points to an approved server
        if (!checkApprovedUrl(urlString)) throw new IllegalArgumentException();
        myUrl = urlString;
    }
}

Were String mutable, this would lead to a subtle exploit: an attacker would pass a good URL, wait for a few microseconds, and then set the URL to point to an attack site.

Since storing without copying is a reasonably common practice, and because strings are among the most commonly used data types, leaving strings mutable would open up many APIs that are not written yet open to a serious security problem. Making strings immutable closes this particular security hole for all APIs, including the ones that are not written yet.

More Related Contents:

  1. Why is char[] preferred over String for passwords?
  2. Create a mutable java.lang.String
  3. Need some advice on split() method in Java [closed]
  4. StringBuilder vs String concatenation in toString() in Java
  5. Check string for palindrome
  6. Allowing Java to use an untrusted certificate for SSL/HTTPS connection
  7. Difference between java.util.Random and java.security.SecureRandom
  8. length and length() in Java
  9. How to format a Java string with leading zero?
  10. Is String Literal Pool a collection of references to the String Object, Or a collection of Objects
  11. Closing a Scanner throws java.util.NoSuchElementException
  12. Which loop has better performance? Why?
  13. Is conversion to String using (“” + ) bad practice?
  14. Convert binary string to byte array
  15. What is the best way to extract the first word from a string in Java?
  16. How to replace ” \ ” with ” \\ ” in java
  17. How can I construct a java.security.PublicKey object from a base64 encoded string?
  18. Print out elements from an Array with a Comma between the elements
  19. Java split is eating my characters
  20. Efficient way to compare version strings in Java [duplicate]
  21. Case insensitive matching in Java switch-case statement
  22. How many Java string objects created in the code String s=”abc”+”xyz”;?
  23. How do I split strings in J2ME?
  24. Extract all string from a java project
  25. Difference between String#equals and String#contentEquals methods
  26. Java: Get last element after split
  27. In Java, how to append a string more efficiently? [duplicate]
  28. Why new keyword not needed for String
  29. Parse Date from String in this format : dd/MM/yyyy [to dd/MM/yyyy]
  30. How many Java objects are generated by this – new String(“abcd”)

Leave a Comment