CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types
2021 CWE最重要的硬件弱点
CWE前25个最危险的弱点
Home>CWEList>CWE- Individual Dictionary Definition (4.10)
ID

CWE-597: Use of Wrong Operator in String Comparison

弱点ID:597
Abstraction:Variant
结构:简单的
View customized information:
+Description
The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead.
+Extended Description
In Java, using == or != to compare two strings for equality actually compares two objects for equality rather than their string values for equality. Chances are good that the two references will never be equal. While this weakness often only affects program correctness, if the equality is used for a security decision, the unintended comparison result could be leveraged to affect program security.
+Relationships
Section Help该表显示了与该弱点相关的弱点和高级类别。这些关系定义为childof,parentof,ementof,并深入了解可能存在于较高和较低抽象水平的类似项目。此外,定义了诸如Peerof和Canalsobe之类的关系,以显示用户可能想要探索的类似弱点。
+Relevant to the view "Research Concepts" (CWE-1000)
自然 Type ID 姓名
Childof BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 480 使用不正确的操作员
Childof Variant变体 - 与某种类型的产品相关的弱点,通常涉及特定的语言或技术。比基本弱点更具体。变体级别的弱点通常以以下维度的3到5来描述问题:行为,财产,技术,语言和资源。 595 比较对象引用而不是对象内容
Section Help该表显示了与该弱点相关的弱点和高级类别。这些关系定义为childof,parentof,ementof,并深入了解可能存在于较高和较低抽象水平的类似项目。此外,定义了诸如Peerof和Canalsobe之类的关系,以显示用户可能想要探索的类似弱点。
+Relevant to the view "Software Development" (CWE-699)
自然 Type ID 姓名
MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 133 字符串错误
Section Help该表显示了与该弱点相关的弱点和高级类别。这些关系定义为childof,parentof,ementof,并深入了解可能存在于较高和较低抽象水平的类似项目。此外,定义了诸如Peerof和Canalsobe之类的关系,以显示用户可能想要探索的类似弱点。
+Relevant to the view "CISQ Quality Measures (2020)" (CWE-1305)
自然 Type ID 姓名
Childof Variant变体 - 与某种类型的产品相关的弱点,通常涉及特定的语言或技术。比基本弱点更具体。变体级别的弱点通常以以下维度的3到5来描述问题:行为,财产,技术,语言和资源。 595 比较对象引用而不是对象内容
+介绍模式
Section Help引言的不同模式提供了有关如何以及何时引入这种弱点的信息。该阶段识别可能发生介绍的生命周期中的一个点,而音符提供了与给定阶段中引言有关的典型情况。
Phase 笔记
Implementation
+常见后果
Section Help该表指定与弱点相关的不同个人后果。该范围确定了违反的应用程序安全区域,而影响描述了如果对手成功利用这一弱点,就会产生负面的技术影响。其可能性提供了有关预期相对于列表中其他后果的特定后果的可能性的信息。例如,可能会利用弱点来实现一定的影响,但很可能会利用它来实现不同的影响。
Scope Impact 可能性
其他

技术影响:其他
+Demonstrative Examples

Example 1

In the example below, two Java String objects are declared and initialized with the same string values. An if statement is used to determine if the strings are equivalent.

(bad code)
Example Language:爪哇
String str1 = new String("Hello");
字符串str2 = new String(“ Hello”);
if (str1 == str2) {
System.out.println("str1 == str2");
}

但是,由于使用“ ==”操作员比较字符串,因此不会执行IF语句。对于Java对象,例如字符串对象,“ ==”操作员比较对象引用,而不是对象值。尽管上面的两个字符串对象包含相同的字符串值,但它们是指不同的对象引用,因此System.out.println语句将不会执行。要比较对象值,可以修改以前的代码以使用等值方法:

(good code)
if (str1.equals(str2)) {
System.out.println("str1 equals str2");
}

Example 2

In the example below, three JavaScript variables are declared and initialized with the same values. Note that JavaScript will change a value between numeric and string as needed, which is the reason an integer is included with the strings. An if statement is used to determine whether the values are the same.

(bad code)
Example Language:爪哇Script

(i === s1) is FALSE


(s4 === i)是false


(s4 === s1) is FALSE



var i = 65;
var s1 ='65';
var s4 = new String('65');

if (i === s1)
{
document.getElementById(“ ieq3s1”)。innerhtml =“(i === s1)为true”;
}

如果(s4 === i)
{
document.getElementById(“ s4eq3i”)。innerhtml =“(s4 === i)为true”;
}

if (s4 === s1)
{
document.getElementById(“ s4eq3s1”)。innerhtml =“(s4 === s1)为true”;
}

但是,由于“ ===”比较了变量和值的类型,因此不会执行IF语句的主体。由于第一个比较的类型是数字和字符串,因此失败。第二个类型是int和参考,因此该类型也失败了。第三个类型是参考和字符串,因此也会失败。

尽管上面的变量包含相同的值,但它们包含在不同类型中,因此文档。getElementById...在任何情况下都不会执行语句。

为了比较对象值,修改了上一个代码并在下面显示以用于值比较的“ ==”,因此本示例中的比较执行HTML语句:

(good code)
Example Language:爪哇Script

(i == s1)是false


(s4 == i)是false


(s4 == s1) is FALSE



var i = 65;
var s1 ='65';
var s4 = new String('65');

if (i == s1)
{
document.getElementById("ieq2s1").innerHTML = "(i == s1) is TRUE";
}

如果(s4 == i)
{
document.getElementById("s4eq2i").innerHTML = "(s4 == i) is TRUE";
}

如果(S4 == S1)
{
document.getElementById("s4eq2s1").innerHTML = "(s4 == s1) is TRUE";
}

Example 3

In the example below, two PHP variables are declared and initialized with the same numbers - one as a string, the other as an integer. Note that PHP will change the string value to a number for a comparison. An if statement is used to determine whether the values are the same.

(bad code)
Example Language:PHP
var $i = 65;
var $ s1 =“ 65”;

if ($i === $s1)
{
echo'($ i === $ s1)是正确的'。“ \ n”;
}
else
{
echo'($ i === $ s1)是false'。“ \ n”;
}

但是,由于“ ===”比较了变量和值的类型,因此不会执行IF语句的主体。由于第一个比较的类型是数字和字符串,因此失败。

While the variables above contain the same values, they are contained in different types, so the TRUE portion of the if statement will not be executed.

To compare object values, the previous code is modified and shown below to use the "==" for value comparison (string converted to number) so the comparison in this example executes the TRUE statement:

(good code)
Example Language:PHP
var $i = 65;
var $ s1 =“ 65”;

if ($i == $s1)
{
echo'($ i == $ s1)是正确的'。“ \ n”;
}
else
{
echo '($i == $s1) is FALSE'. "\n";
}
+Potential Mitigations

Phase: Implementation

Within Java, use .equals() to compare string values.

在JavaScript中,使用==比较字符串值。

Within PHP, use == to compare a numeric value to a string value. (PHP converts the string to a number.)

Effectiveness: High
+Memberships
Section HelpThis MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.
自然 Type ID 姓名
MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 847 Java(2011)第4章的CERT ORACLE SECURE编码标准 - 表达式(EXP)
MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 998 SFP Secondary Cluster: Glitch in Computation
MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 1136 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 02. Expressions (EXP)
MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 1181 SEI CERT PERL编码标准- Guidelines 03. Expressions (EXP)
+Taxonomy Mappings
Mapped Taxonomy Name Node ID Fit Mapped Node Name
Java(2011)的CERT ORACLE SECURE编码标准 EXP03-J Do not use the equality operators when comparing values of boxed primitives
Java(2011)的CERT ORACLE SECURE编码标准 EXP03-J Do not use the equality operators when comparing values of boxed primitives
SEI CERT PERL编码标准 EXP35-PL CWE更具体 使用正确的操作员类型比较值
软件故障模式 SFP1 计算中的故障
+References
[REF-62] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 6, "Typos", Page 289. 1st Edition. Addison Wesley. 2006.
+内容历史记录
+Submissions
Submission Date Submitter Organization
2006-12-15 CWEContent Team MITER
+修改
修改日期 Modifier Organization
2008-07-01 埃里克·达奇(Eric Dalci) Cigital
updated Potential_Mitigations, Time_of_Introduction
2008-09-08 CWEContent Team MITER
更新的描述,关系
2008-10-14 CWEContent Team MITER
updated Relationships
2009-05-27 CWEContent Team MITER
updated Demonstrative_Examples
2011-03-29 CWEContent Team MITER
更新的示范_examples,描述,势_MITIGITIONS
2011-06-01 CWEContent Team MITER
updated Common_Consequences, Relationships, Taxonomy_Mappings
2012-05-11 CWEContent Team MITER
更新了示范示例,参考,关系,分类_mappings
2014-07-30 CWEContent Team MITER
updated Relationships, Taxonomy_Mappings
2017-11-08 CWEContent Team MITER
updated Taxonomy_Mappings
2019-01-03 CWEContent Team MITER
updated Relationships, Taxonomy_Mappings
2020-02-24 CWEContent Team MITER
updated Relationships
2020-08-20 CWEContent Team MITER
updated Relationships
2021-03-15 CWEContent Team MITER
更新的示范_examples,描述,势_MITIGITIONS, Relationships
+先前的输入名称s
Change Date 先前的输入名称
2008-04-11 错误的字符串比较
More information is available — Please select a different filter.
页面最后更新:2023年1月31日

Use of the Common Weakness Enumeration (CWE) and the associated references from this website are subject to the使用条款. CWE is sponsored by theU.S. Department of Homeland Security(DHS)Cybersecurity and Infrastructure Security Agency(CISA),由Homeland Security Systems Engineering and Development Institute(HSSEDI) which is operated bymanbetx客户端首页(MITRE). Copyright © 2006–2023, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.