Character information in Java SE 8 is based on the Unicode Standard, version 6.2.0 [Unicode 2012]. However, Java programs must often work with string data represented in various character sets. Java 7 introduced the StandardCharsets class, which names the character sets that are guaranteed to be available on every implementation of the Java platform, including ISO-8859-1 (ISO Latin Alphabet No. 1), US-ASCII (seven-bit ASCII), UTF-8, and UTF-16.
The Java language assumes that every character in a string occupies 16 bits (a Java char). Unfortunately, neither the Java byte nor the Java char data type can represent every Unicode character. Many strings are stored or communicated using encodings, such as UTF-8, in which characters have varying sizes.
A Java string is stored as an array of char values and can be converted to an array of bytes, but a single character in the string may be represented by two or more consecutive elements of type byte (a multibyte sequence) or of type char (a surrogate pair). Splitting a byte array at an arbitrary index therefore risks splitting a multibyte character, and splitting a char array at an arbitrary index risks splitting a surrogate pair.
Ignoring the possibility of supplementary characters, multibyte characters, or combining characters (characters that modify other characters) may allow an attacker to bypass input validation checks.
A combining character sequence is a base character followed by any number of combining characters. The combining character sequence forms a grapheme, which is a minimally distinctive unit of writing in the context of a particular writing system. For example, the grapheme ü can be composed by combining the base character u (U+0075) with the combining diacritical mark ¨ (U+0308, COMBINING DIAERESIS). It may also be represented by the single precomposed Unicode character ü (U+00FC).
Multibyte encodings are used for character sets that require more than one byte to uniquely identify each constituent character. For example, the Japanese encoding Shift-JIS (shown below) is a multibyte encoding in which a character is at most two bytes long (one lead byte and one trailing byte). The trailing-byte range overlaps the ranges of both the single-byte characters and the lead bytes. Consequently, when a multibyte character is split across a buffer boundary, each half can be decoded differently than the whole would have been, because a lead byte or a trailing byte is ambiguous on its own [Phillips 2005].
The Java char data type is based on the original Unicode specification, which defined characters as fixed-width 16-bit entities. The Unicode Standard has since been changed to allow for characters whose representation requires more than 16 bits. The range of legal code points is now U+0000 to U+10FFFF; code points in this range other than the surrogate code points are known as Unicode scalar values. Characters whose code points are greater than U+FFFF are called supplementary characters. Such characters are generally rare, but some are used, for example, as part of Chinese and Japanese personal names. To support supplementary characters without changing the char primitive data type and causing incompatibility with previous Java programs, supplementary characters are represented by a pair of code unit values that are called surrogates. According to the Java API [API 2014] class Character documentation (Unicode Character Representations):
The Java platform uses the UTF-16 representation in char arrays and in the String and StringBuffer classes. In this representation, supplementary characters are represented as a pair of char values, the first from the high-surrogates range, (\uD800-\uDBFF), the second from the low-surrogates range (\uDC00-\uDFFF).
Noncompliant Code Example (Read)
This noncompliant code example tries to read up to 1024 bytes from a socket and build a String from this data. It does this by reading the bytes in a while loop, as recommended by rule FIO10-J, Ensure the array is filled when using read() to fill an array. If it ever detects that the socket has supplied more than 1024 bytes, it throws an exception. This prevents untrusted input from exhausting the program's memory.
This code fails to account for the interaction between characters represented in a multibyte encoding and the boundaries between loop iterations. If the last byte read from the data stream in one read() operation is the lead byte of a multibyte character, its trailing bytes are not encountered until the next iteration of the while loop. However, the multibyte encoding is decoded during construction of the new String inside the loop, so the lead byte is decoded without its trailing bytes, and the trailing bytes are decoded without their lead byte. Consequently, the multibyte character can be interpreted incorrectly.
Compliant Solution (Read)
This compliant solution defers creation of the string until all the data is available. Because the result string is constructed only after the data has been read in full, no multibyte-encoded character can be split across the boundary between two read() calls.
Compliant Solution (Reader)
This compliant solution uses a Reader rather than an InputStream. The Reader class converts bytes into characters on the fly and carries any incomplete multibyte sequence over to the next read, so it avoids the hazard of splitting multibyte characters. Note that this routine aborts if the socket provides more than 1024 characters rather than 1024 bytes, so the bound on memory consumption is now expressed in characters, and a single character may have consumed several bytes of input.
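The program below, added as a worked example and not code from the original rule, reproduces the buffer-boundary ambiguity described for Shift-JIS above and places the noncompliant read loop beside the two compliant solutions. It replaces the socket with a constructed ChunkedStream over an in-memory byte array so that the boundary between read() calls can be forced to fall inside a character; the method names and the sample input are assumptions of this example. It also assumes the Shift_JIS charset is available, as it is in standard JDK distributions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.Charset;

public class SplitCharacterDemo {
    static final int MAX_SIZE = 1024;
    // Assumption: Shift_JIS is present in this JDK (it ships with standard builds).
    static final Charset SJIS = Charset.forName("Shift_JIS");

    /** Constructed stand-in for a socket stream: returns at most 'chunk' bytes per read(). */
    static final class ChunkedStream extends InputStream {
        private final InputStream in;
        private final int chunk;
        ChunkedStream(byte[] data, int chunk) {
            this.in = new ByteArrayInputStream(data);
            this.chunk = chunk;
        }
        @Override public int read() throws IOException { return in.read(); }
        @Override public int read(byte[] b, int off, int len) throws IOException {
            return in.read(b, off, Math.min(len, chunk));
        }
    }

    /** Noncompliant: each chunk is decoded on its own, so a lead byte and its trailing byte
     *  delivered by different read() calls are decoded separately. */
    static String readNoncompliant(InputStream in) throws IOException {
        byte[] data = new byte[MAX_SIZE + 1];
        int offset = 0;
        int bytesRead;
        StringBuilder str = new StringBuilder();
        while ((bytesRead = in.read(data, offset, data.length - offset)) != -1) {
            str.append(new String(data, offset, bytesRead, SJIS));   // decodes a partial character
            offset += bytesRead;
            if (offset >= data.length) {
                throw new IOException("Too much input");
            }
        }
        return str.toString();
    }

    /** Compliant: buffer every byte first, decode exactly once. */
    static String readCompliant(InputStream in) throws IOException {
        byte[] data = new byte[MAX_SIZE + 1];
        int offset = 0;
        int bytesRead;
        while ((bytesRead = in.read(data, offset, data.length - offset)) != -1) {
            offset += bytesRead;
            if (offset >= data.length) {
                throw new IOException("Too much input");
            }
        }
        return new String(data, 0, offset, SJIS);
    }

    /** Compliant: InputStreamReader keeps an incomplete sequence until the next bytes arrive.
     *  The limit is now MAX_SIZE characters, not bytes. */
    static String readWithReader(InputStream in) throws IOException {
        Reader r = new InputStreamReader(in, SJIS);
        char[] data = new char[MAX_SIZE + 1];
        int offset = 0;
        int charsRead;
        while ((charsRead = r.read(data, offset, data.length - offset)) != -1) {
            offset += charsRead;
            if (offset >= data.length) {
                throw new IOException("Too much input");
            }
        }
        return new String(data, 0, offset);
    }

    /** Print non-ASCII as \\uXXXX so replacement characters and stray backslashes are visible. */
    static String escape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c >= 0x20 && c < 0x7F) sb.append(c); else sb.append(String.format("\\u%04X", (int) c));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: "a" + KATAKANA SO (U+30BD) + "/x". In Shift_JIS that is 61 83 5C 2F 78;
        // the trailing byte 5C of the katakana is also the ASCII code for backslash.
        byte[] wire = "a\u30BD/x".getBytes(SJIS);
        for (int chunk = 1; chunk <= 3; chunk++) {
            System.out.printf("chunk=%d  noncompliant=%-16s compliant=%-12s reader=%s%n", chunk,
                    escape(readNoncompliant(new ChunkedStream(wire, chunk))),
                    escape(readCompliant(new ChunkedStream(wire, chunk))),
                    escape(readWithReader(new ChunkedStream(wire, chunk))));
        }
    }
}
```

With a chunk size of 1 or 2 the read boundary falls between 0x83 and 0x5C: the noncompliant loop decodes the orphaned lead byte to U+FFFD and the orphaned trailing byte to a backslash, so the string now contains a path separator that the sender never wrote. The two compliant variants return the same four-character string regardless of chunk size.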
Noncompliant Code Example (Substring)
This noncompliant code example attempts to trim leading letters from the string. However, this method may fail because methods that accept only a char value cannot support supplementary characters. According to the Java API [API 2014] class Character documentation, such methods treat char values from the surrogate ranges as undefined characters. For example, Character.isLetter() returns false for a lone high-surrogate char value, even though that value, if followed by any low-surrogate value in a string, could represent a letter.
Because the method only examines one character at a time, it will also separate combining character sequences.
Noncompliant Code Example (Substring)
This noncompliant code example corrects the problem with supplementary characters by using the integer form of the Character.isLetter() method, which accepts a Unicode code point as an int argument. Java library methods that accept an int value support all Unicode characters, including supplementary characters. However, this method still fails to handle combining characters because it examines only one code point at a time: a combining mark is not itself a letter, so the trimming stops there and leaves a combining mark at the start of the result with no base character to attach to.
Compliant Solution (Substring)
The BreakIterator class implements methods for finding the location of boundaries in text. Instances of BreakIterator maintain a current position and scan over text, returning the index of characters where boundaries occur. The boundaries returned may be those of supplementary characters, combining character sequences, or ligature clusters. For example, an accented character might be stored as a base character and a diacritical mark, and the character instance of BreakIterator reports the two as a single unit.
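The three variants of the trimming method are placed side by side below as an added example (not the rule's own listings): the char-based version, the code-point version, and the BreakIterator version, run over constructed inputs containing a supplementary letter and a decomposed ü. The method names, the escape helper and the sample strings are assumptions of this example.

```java
import java.text.BreakIterator;

public class TrimLeadingLetters {

    /** Noncompliant: isLetter(char) sees one UTF-16 code unit; a high surrogate is never a letter. */
    static String trimChar(String string) {
        int i;
        for (i = 0; i < string.length(); i++) {
            if (!Character.isLetter(string.charAt(i))) {
                break;
            }
        }
        return string.substring(i);
    }

    /** Still noncompliant: code points handle surrogate pairs, but a combining mark (category Mn)
     *  is a separate code point and not a letter, so the base letter is cut away from its mark. */
    static String trimCodePoint(String string) {
        int i = 0;
        while (i < string.length()) {
            int cp = string.codePointAt(i);
            if (!Character.isLetter(cp)) {
                break;
            }
            i += Character.charCount(cp);
        }
        return string.substring(i);
    }

    /** Compliant: step over grapheme cluster boundaries and decide per cluster by its base code point,
     *  so a surrogate pair or a base letter plus combining marks is kept or removed as a whole. */
    static String trimGrapheme(String string) {
        BreakIterator iter = BreakIterator.getCharacterInstance();
        iter.setText(string);
        int start = iter.first();
        for (int end = iter.next(); end != BreakIterator.DONE; start = end, end = iter.next()) {
            if (!Character.isLetter(string.codePointAt(start))) {
                return string.substring(start);
            }
        }
        return "";   // every cluster began with a letter, or the string was empty
    }

    /** Print non-ASCII as \\uXXXX so dangling marks and lone surrogates are visible in the output. */
    static String escape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c >= 0x20 && c < 0x7F) sb.append(c); else sb.append(String.format("\\u%04X", (int) c));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: plain ASCII; the supplementary letter U+1D538 (MATHEMATICAL DOUBLE-STRUCK
        // CAPITAL A) written as its surrogate pair; and a decomposed ü (u followed by U+0308).
        String[] inputs = { "ab1", "\uD835\uDD38" + "1", "u\u0308" + "1" };
        System.out.printf("%-14s %-16s %-16s %s%n", "input", "trimChar", "trimCodePoint", "trimGrapheme");
        for (String in : inputs) {
            System.out.printf("%-14s %-16s %-16s %s%n", escape(in),
                    escape(trimChar(in)), escape(trimCodePoint(in)), escape(trimGrapheme(in)));
        }
    }
}
```

For the supplementary letter, trimChar returns its input unchanged because it never sees a letter, while the other two return "1". For the decomposed ü, both trimChar and trimCodePoint return a string that begins with the orphaned U+0308, which is exactly the partial-character result the rule warns about; only trimGrapheme returns "1". A validator built on either of the first two methods can therefore be led to accept or reject the wrong text depending on how the input happens to be encoded.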
To perform locale-sensitive String comparisons for searching and sorting, use the
Forming strings consisting of partial characters can result in unexpected behavior.