Change in ovirt-engine[master]: core: TimeoutBase: Prevent updating mutable Date

amureini at redhat.com amureini at redhat.com
Wed Feb 13 13:17:28 UTC 2013


Allon Mureinik has submitted this change and it was merged.

Change subject: core: TimeoutBase: Prevent updating mutable Date
......................................................................


core: TimeoutBase: Prevent updating mutable Date

TimeoutBase contains a java.util.Date member, mEndTime. The value of
this member can be passed into (by setEndTime(Date)) and out of (by
getEndTime()) the class. Since java.util.Date is a mutable class, the
end time of the TimeoutBase may be manipulated, maliciously or
mistakenly, by someone holding a reference to that object.

This patch removes this vulnerability by replacing this member with a
simple primitive long, representing the Unix time
(System.currTimeMillis()), since the Date semantics (e.g., DST) aren't
used anyway.

Change-Id: Icd77e518369fa25bfe684d249d12e0f8e2bb1a0f
Signed-off-by: Allon Mureinik <amureini at redhat.com>
---
M backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/AuditLogDirector.java
M backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/TimeoutBase.java
M backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/TimeoutBaseTest.java
3 files changed, 12 insertions(+), 16 deletions(-)

Approvals:
  Allon Mureinik: Verified; Looks good to me, approved


--
To view, visit http://gerrit.ovirt.org/11897

Gerrit-MessageType: merged
Gerrit-Change-Id: Icd77e518369fa25bfe684d249d12e0f8e2bb1a0f
Gerrit-PatchSet: 7
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Allon Mureinik <amureini at redhat.com>
Gerrit-Reviewer: Alissa Bonas <abonas at redhat.com>
Gerrit-Reviewer: Allon Mureinik <amureini at redhat.com>
Gerrit-Reviewer: Daniel Erez <derez at redhat.com>
Gerrit-Reviewer: Liron Aravot <laravot at redhat.com>
Gerrit-Reviewer: Maor Lipchuk <mlipchuk at redhat.com>
Gerrit-Reviewer: Michael Kublin <mkublin at redhat.com>
Gerrit-Reviewer: Tal Nisan <tnisan at redhat.com>
Gerrit-Reviewer: Vered Volansky <vvolansk at redhat.com>
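
The aliasing problem the commit message describes, as an added example that is not part of the original message or of the ovirt-engine code base. `LeakyTimeout` and `LongTimeout` are hypothetical stand-ins for the shape of TimeoutBase before and after the change, and the clock values are constructed.

```java
import java.util.Date;

// Added illustration; class names are hypothetical, not ovirt-engine code.
public class MutableDateDemo {

    // "Before" shape: stores and returns the caller-visible Date reference.
    static class LeakyTimeout {
        private Date mEndTime;
        void setEndTime(Date endTime) { mEndTime = endTime; }
        Date getEndTime() { return mEndTime; }
        boolean isExpired(long now) { return now >= mEndTime.getTime(); }
    }

    // "After" shape: the end time is a primitive long, copied by value.
    static class LongTimeout {
        private long endTime;
        void setEndTime(long endTime) { this.endTime = endTime; }
        long getEndTime() { return endTime; }
        boolean isExpired(long now) { return now >= endTime; }
    }

    public static void main(String[] args) {
        long now = 1_000_000L;               // constructed sample clock value
        long oneHour = 60L * 60L * 1000L;

        LeakyTimeout leaky = new LeakyTimeout();
        Date shared = new Date(now + oneHour);
        leaky.setEndTime(shared);
        System.out.println("leaky expired initially: " + leaky.isExpired(now));
        shared.setTime(0L);                  // caller still holds the reference
        System.out.println("leaky expired after caller mutation: " + leaky.isExpired(now));
        leaky.getEndTime().setTime(now + 10 * oneHour); // getter leaks it as well
        System.out.println("leaky end time moved via getter: " + leaky.getEndTime().getTime());

        LongTimeout fixed = new LongTimeout();
        long end = now + oneHour;
        fixed.setEndTime(end);
        end = 0L;                            // changes only the caller's local copy
        System.out.println("fixed expired after caller change: " + fixed.isExpired(now));
        System.out.println("fixed end time: " + fixed.getEndTime());
    }
}
```

Where a Date field has to stay, copying on the way in and out (`new Date(endTime.getTime())`) closes the same hole.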