Change in ovirt-engine[master]: core: TimeoutBase: Prevent updating mutable Date

Allon Mureinik has submitted this change and it was merged.

Change subject: core: TimeoutBase: Prevent updating mutable Date
......................................................................

core: TimeoutBase: Prevent updating mutable Date

TimeoutBase contains a java.util.Date member, mEndTime. The value of this member can be passed into (by setEndTime(Date)) and out of (by getEndTime()) the class.

Since java.util.Date is a mutable class, the end time of the TimeoutBase may be manipulated, maliciously or mistakenly, by someone holding a reference to that object.

This patch removes this vulnerability by replacing this member by a simple primitive long, representing the unix time (System.currTimeMillis()), since the Date semantics (e.g., DST) isn't used anyway.

Change-Id: Icd77e518369fa25bfe684d249d12e0f8e2bb1a0f
Signed-off-by: Allon Mureinik <amureini@redhat.com>
---
M backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/AuditLogDirector.java
M backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/TimeoutBase.java
M backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dal/dbbroker/auditloghandling/TimeoutBaseTest.java
3 files changed, 12 insertions(+), 16 deletions(-)

Approvals:
  Allon Mureinik: Verified; Looks good to me, approved

--
To view, visit http://gerrit.ovirt.org/11897
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Icd77e518369fa25bfe684d249d12e0f8e2bb1a0f
Gerrit-PatchSet: 7
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Allon Mureinik <amureini@redhat.com>
Gerrit-Reviewer: Alissa Bonas <abonas@redhat.com>
Gerrit-Reviewer: Allon Mureinik <amureini@redhat.com>
Gerrit-Reviewer: Daniel Erez <derez@redhat.com>
Gerrit-Reviewer: Liron Aravot <laravot@redhat.com>
Gerrit-Reviewer: Maor Lipchuk <mlipchuk@redhat.com>
Gerrit-Reviewer: Michael Kublin <mkublin@redhat.com>
Gerrit-Reviewer: Tal Nisan <tnisan@redhat.com>
Gerrit-Reviewer: Vered Volansky <vvolansk@redhat.com>
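
The aliasing problem the commit message describes, shown as an added example that is not the ovirt-engine code: a Date-backed timeout whose deadline can be moved through an escaped reference, next to a long-backed one. The class names `MutableDateDemo`, `DateBackedTimeout` and `LongBackedTimeout`, the `isExpired` helper and all timestamps are assumptions made for illustration; only `mEndTime`, `setEndTime` and `getEndTime` are names taken from the message.

```java
import java.util.Date;

public class MutableDateDemo {

    // "Before" shape (hypothetical): stores and returns the very same Date object.
    static class DateBackedTimeout {
        private Date mEndTime = new Date(0L);

        void setEndTime(Date endTime) { mEndTime = endTime; } // keeps the caller's reference
        Date getEndTime() { return mEndTime; }                // hands out the internal object
        boolean isExpired(long now) { return now >= mEndTime.getTime(); }
    }

    // "After" shape (hypothetical): a primitive long is copied by value, nothing escapes.
    static class LongBackedTimeout {
        private long endTime;

        void setEndTime(long endTime) { this.endTime = endTime; }
        long getEndTime() { return endTime; }
        boolean isExpired(long now) { return now >= endTime; }
    }

    public static void main(String[] args) {
        long now = 1_000_000L;          // constructed sample timestamps
        long deadline = now + 60_000L;

        // Path 1: the caller keeps the Date it passed to the setter.
        DateBackedTimeout before = new DateBackedTimeout();
        Date shared = new Date(deadline);
        before.setEndTime(shared);
        System.out.println("Date, untouched:          expired=" + before.isExpired(now));
        shared.setTime(0L);             // no setter call, yet the deadline moved
        System.out.println("Date, caller mutated arg: expired=" + before.isExpired(now));

        // Path 2: the getter's return value is the live internal object.
        before.setEndTime(new Date(deadline));
        before.getEndTime().setTime(Long.MAX_VALUE);
        System.out.println("Date, mutated via getter: expired=" + before.isExpired(deadline + 1));

        // Same sequence against the long-backed version: only local copies change.
        LongBackedTimeout after = new LongBackedTimeout();
        long value = deadline;
        after.setEndTime(value);
        value = 0L;
        System.out.println("long, caller changed var: expired=" + after.isExpired(now));
        System.out.println("long, deadline intact:    " + (after.getEndTime() == deadline));
    }
}
```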