Difference between revisions of "Talk:Uncaught exception"

From OWASP
Jump to: navigation, search
(New page: Although there is a valid security related issue here. I think this one may be treading on dangerous ground. I have see far worse code that tries to catch all it's exception than I have co...)
 
 
Line 9: Line 9:
  
 
I think this article needs to work to make clear the point.
 
I think this article needs to work to make clear the point.
 +
 +
 +
I absolutely agree with this point. I think perhaps catching exceptions
 +
and doing nothing (without an explanatory comment) is probably not a
 +
good idea.  But simply not catching exceptions is not a security problem.
 +
That's the whole point of an exception mechanism. Would you be willing to
 +
update the article?  [[User:Jeff Williams|Jeff Williams]] 11:02, 1 April 2008 (EDT)

Latest revision as of 10:02, 1 April 2008

Although there is a valid security related issue here. I think this one may be treading on dangerous ground. I have see far worse code that tries to catch all it's exception than I have code that doesn't.

The key (imo), both in ability to maintain the code and to catch security problems is *not* to catch every darn thing right at its source. You want to make sure that an exception thrown causes the application to "fail-fast" if it is not explicitly handled.

This article would lead me to think that I should be catching everything at its source whether I do anything with it or not, which exactly what you don't want (it's a security vulnerability in its own right).

Reality is that not every exception will be caught and you should never assume there is not some problem in the code (although it can be reduced using TDD)... make sure the code throws it's exception up so that the application can log it and fail-fast when that happens.

I think this article needs to work to make clear the point.


I absolutely agree with this point. I think perhaps catching exceptions
and doing nothing (without an explanatory comment) is probably not a
good idea.  But simply not catching exceptions is not a security problem.
That's the whole point of an exception mechanism. Would you be willing to
update the article?  Jeff Williams 11:02, 1 April 2008 (EDT)