Talk:Uncaught exception

From OWASP
Revision as of 18:51, 31 March 2008 by Bpappin (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Although there is a valid security related issue here. I think this one may be treading on dangerous ground. I have see far worse code that tries to catch all it's exception than I have code that doesn't.

The key (imo), both in ability to maintain the code and to catch security problems is *not* to catch every darn thing right at its source. You want to make sure that an exception thrown causes the application to "fail-fast" if it is not explicitly handled.

This article would lead me to think that I should be catching everything at its source whether I do anything with it or not, which exactly what you don't want (it's a security vulnerability in its own right).

Reality is that not every exception will be caught and you should never assume there is not some problem in the code (although it can be reduced using TDD)... make sure the code throws it's exception up so that the application can log it and fail-fast when that happens.

I think this article needs to work to make clear the point.