Posted to commits@ofbiz.apache.org by jl...@apache.org on 2017/11/14 09:33:19 UTC
svn commit: r1815192 -
/ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java
Author: jleroux
Date: Tue Nov 14 09:33:19 2017
New Revision: 1815192
URL: http://svn.apache.org/viewvc?rev=1815192&view=rev
Log:
Improved: Fixing defects reported by FindBugs, package
org.apache.ofbiz.securityext.login.
(OFBIZ-9637)
No functional change.
I prefer to use URLEncoder.encode(reqParam, "UTF-8") rather than ESAPI HTML
encoder for 3 reasons:
* URLEncoder.encode() is sufficient to answer to HTTP response splitting using
Percent-encoding (aka URL encoding)
* Consistent and simpler code using basic Java
* Using "UTF-8" is (more than) recommended, see
https://docs.oracle.com/javase/8/docs/api/java/net/URLEncoder.html
I will check what using ESAPI HTML encoder entails. As JavaDoc says "Not doing
so may introduce incompatibilities." We have 30+ cases, they are maybe OK, but
we need to check...
Modified:
ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java
Modified: ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java?rev=1815192&r1=1815191&r2=1815192&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java (original)
+++ ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java Tue Nov 14 09:33:19 2017
@@ -35,7 +35,6 @@ import org.apache.commons.lang.RandomStr
import org.apache.ofbiz.base.crypto.HashCrypt;
import org.apache.ofbiz.base.util.Debug;
import org.apache.ofbiz.base.util.GeneralException;
-import org.apache.ofbiz.base.util.UtilCodec;
import org.apache.ofbiz.base.util.UtilFormatOut;
import org.apache.ofbiz.base.util.UtilHttp;
import org.apache.ofbiz.base.util.UtilMisc;
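Review bot: this hunk only removes `import org.apache.ofbiz.base.util.UtilCodec;`, yet the code added further down refers to `URLEncoder` and `UnsupportedEncodingException` and no `+import java.net.URLEncoder;` or `+import java.io.UnsupportedEncodingException;` line appears anywhere in the diff; either both were already imported in this file or the class will not compile, so that is worth confirming before relying on the FindBugs result.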
@@ -429,7 +428,7 @@ public class LoginEvents {
return cookieUsername;
}
- public static void setUsername(HttpServletRequest request, HttpServletResponse response) {
+ public static void setUsername(HttpServletRequest request, HttpServletResponse response) throws UnsupportedEncodingException {
HttpSession session = request.getSession();
Delegator delegator = (Delegator) request.getAttribute("delegator");
String domain = EntityUtilProperties.getPropertyValue("url", "cookie.domain", delegator);
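Review bot: adding `throws UnsupportedEncodingException` to the public static `setUsername(HttpServletRequest, HttpServletResponse)` signature is an API change that sits uneasily with the "No functional change" note in the log, because every existing caller must now catch or declare a checked exception. Since every JVM is required to support UTF-8, catching the exception inside the method and rethrowing it as an unchecked `IllegalStateException` would keep the signature stable for callers.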
@@ -437,7 +436,7 @@ public class LoginEvents {
synchronized (session) {
if (UtilValidate.isEmpty(getUsername(request))) {
// create the cookie and send it back
- String usernameParam = UtilCodec.getEncoder("html").encode(request.getParameter("USERNAME"));
+ String usernameParam = URLEncoder.encode(request.getParameter("USERNAME"), "UTF-8");
Cookie cookie = new Cookie(usernameCookieName, usernameParam);
cookie.setMaxAge(60 * 60 * 24 * 365);
cookie.setPath("/");
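Review bot: `URLEncoder.encode(request.getParameter("USERNAME"), "UTF-8")` throws `NullPointerException` when the USERNAME parameter is absent, so the null case needs a guard before the encode call. Also, `URLEncoder` produces query-string encoding (a space becomes `+`, anything outside the unreserved set becomes `%XX`), and a cookie value is not decoded by the browser or the servlet container on the way back, so the reader side referenced at the top of this hunk, `getUsername(request)`, must apply the matching `URLDecoder.decode` or usernames containing spaces or plus signs will not round-trip; cookies already written by the previous HTML encoder will also no longer decode the same way.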
Re: svn commit: r1815192 -
/ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java
Posted by Jacques Le Roux <ja...@les7arts.com>.
On 14/11/2017 at 10:33, jleroux@apache.org wrote:
> Author: jleroux
> Date: Tue Nov 14 09:33:19 2017
> New Revision: 1815192
>
> URL: http://svn.apache.org/viewvc?rev=1815192&view=rev
> Log:
> Improved: Fixing defects reported by FindBugs, package
> org.apache.ofbiz.securityext.login.
> (OFBIZ-9637)
>
> No functional change.
>
> I prefer to use URLEncoder.encode(reqParam, "UTF-8") rather than ESAPI HTML
> encoder for 3 reasons:
> * URLEncoder.encode() is sufficient to answer to HTTP response splitting using
> Percent-encoding (aka URL encoding)
> * Consistent and simpler code using basic Java
> * Using "UTF-8" is (more than) recommended, see
> https://docs.oracle.com/javase/8/docs/api/java/net/URLEncoder.html
>
> I will check what using ESAPI HTML encoder entails. As JavaDoc says "Not doing
> so may introduce incompatibilities." We have 30+ cases, they are maybe OK, but
> we need to check...
Among the 46 cases, I see no problems since it's only used in the context of widgets (mostly content wrappers) and only for HTML, not request parameters.
Jacques
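The commit message above argues that percent-encoding a request parameter is enough to stop HTTP response splitting through the cookie header. The following is an added illustration, not OFBiz code and not from this thread: it wraps URLEncoder the way the committed change does, but guards the null parameter case, keeps the method signature free of the checked exception, and pairs the write with the URLDecoder call the reader side needs. The class and method names are hypothetical, and the input string is constructed.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;

/**
 * Added illustration (hypothetical names, not OFBiz's own code): percent-encode a
 * request parameter before it is placed in a cookie, and reverse it when reading.
 */
public class CookieValueEncoding {

    private static final String UTF8 = "UTF-8";

    /**
     * Percent-encodes a raw parameter value. URLEncoder leaves only letters, digits
     * and ".-*_" untouched, so CR and LF leave as %0D and %0A and can never terminate
     * the Set-Cookie header; a space becomes '+'.
     */
    static String encodeCookieValue(String raw) {
        if (raw == null) {
            return null; // URLEncoder.encode(null, ...) would throw NullPointerException
        }
        try {
            return URLEncoder.encode(raw, UTF8);
        } catch (UnsupportedEncodingException e) {
            // Every JVM must support UTF-8, so this branch is unreachable; converting to an
            // unchecked exception keeps the caller's signature unchanged.
            throw new IllegalStateException("UTF-8 unsupported", e);
        }
    }

    /** Reverses encodeCookieValue: '+' back to space, %XX sequences back to characters. */
    static String decodeCookieValue(String encoded) {
        if (encoded == null) {
            return null;
        }
        try {
            return URLDecoder.decode(encoded, UTF8);
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 unsupported", e);
        }
    }

    public static void main(String[] args) {
        // Constructed input: a username carrying a space plus CR and LF, the characters
        // that matter for '+' handling and for response splitting respectively.
        String raw = "ali ce\r\nbob";
        String encoded = encodeCookieValue(raw);
        System.out.println(encoded);
        System.out.println(decodeCookieValue(encoded).equals(raw));
        System.out.println(encodeCookieValue(null));
    }
}
```

Running main shows the CR/LF pair leaving as %0D%0A and the space as '+', and the decode call restoring the original string; the null input returns null instead of throwing.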