Talk:Uncaught exception

From OWASP
Jump to: navigation, search

Although there is a valid security related issue here. I think this one may be treading on dangerous ground. I have see far worse code that tries to catch all it's exception than I have code that doesn't.

The key (imo), both in ability to maintain the code and to catch security problems is *not* to catch every darn thing right at its source. You want to make sure that an exception thrown causes the application to "fail-fast" if it is not explicitly handled.

This article would lead me to think that I should be catching everything at its source whether I do anything with it or not, which exactly what you don't want (it's a security vulnerability in its own right).

Reality is that not every exception will be caught and you should never assume there is not some problem in the code (although it can be reduced using TDD)... make sure the code throws it's exception up so that the application can log it and fail-fast when that happens.

I think this article needs to work to make clear the point.


I absolutely agree with this point. I think perhaps catching exceptions
and doing nothing (without an explanatory comment) is probably not a
good idea.  But simply not catching exceptions is not a security problem.
That's the whole point of an exception mechanism. Would you be willing to
update the article?  Jeff Williams 11:02, 1 April 2008 (EDT)