Posted to dev@ofbiz.apache.org by "P Proulx (JIRA)" <ji...@apache.org> on 2016/04/01 01:00:29 UTC

[jira] [Updated] (OFBIZ-6973) Flaw in content wrapper cache handling with encoderType

     [ https://issues.apache.org/jira/browse/OFBIZ-6973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

P Proulx updated OFBIZ-6973:
----------------------------
    Description: 
In the OFBiz 14.12 branch there is a flaw in the patches added in ticket
https://issues.apache.org/jira/browse/OFBIZ-6669

In ProductContentWrapper#getProductContentAsText and all similar content wrappers using a cache, the cacheKey does not include the new encoderType:

            String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId");

This makes it possible for subsequent calls on the same wrapper using different encoderTypes to return content having the wrong encoding and create potential security flaws.

They should include the encoderType:

                String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId")  + SEPARATOR + encoderType;

I leave you to find all the occurrences.

  was:
In the OFBiz 14.12 branch there is a flaw in the patches added in ticket
https://issues.apache.org/jira/browse/OFBIZ-6669

In ProductContentWrapper#getProductContentAsText and all similar content wrappers using a cache, the cacheKey does not include the new encoderType:

{{{
            String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId");
}}}

This makes it possible for subsequent calls on the same wrapper using different encoderTypes to return content having the wrong encoding and create potential security flaws.

They should include the encoderType:

{{{
                String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId")  + SEPARATOR + encoderType;
}}}

I leave you to find all the occurrences.


> Flaw in content wrapper cache handling with encoderType
> -------------------------------------------------------
>
>                 Key: OFBIZ-6973
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6973
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL APPLICATIONS
>    Affects Versions: Release Branch 14.12
>            Reporter: P Proulx
>
> In the OFBiz 14.12 branch there is a flaw in the patches added in ticket
> https://issues.apache.org/jira/browse/OFBIZ-6669
> In ProductContentWrapper#getProductContentAsText and all similar content wrappers using a cache, the cacheKey does not include the new encoderType:
>             String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId");
> This makes it possible for subsequent calls on the same wrapper using different encoderTypes to return content having the wrong encoding and create potential security flaws.
> They should include the encoderType:
>                 String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId")  + SEPARATOR + encoderType;
> I leave you to find all the occurrences.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
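
An added example, not part of the original JIRA message and not OFBiz code: a stand-alone Java model of a wrapper that caches already-encoded content, run once with the cache key from the report and once with the key that appends encoderType. The `Wrapper` class, the `html` and `raw` encoder names, the `::` separator value and the sample content are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Stand-alone model of a content wrapper cache; hypothetical, not OFBiz code.
public class EncoderCacheKeyDemo {
    static final String SEPARATOR = "::"; // assumed value
    // Constructed sample content, as it might be stored for a product description.
    static final String STORED = "<b>Widget</b> & more";

    // Hypothetical encoders: "html" escapes markup, "raw" returns the text unchanged.
    static String encode(String text, String encoderType) {
        if ("html".equals(encoderType)) {
            return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
        }
        return text;
    }

    static class Wrapper {
        private final Map<String, String> cache = new HashMap<>();
        private final boolean keyIncludesEncoder;

        Wrapper(boolean keyIncludesEncoder) { this.keyIncludesEncoder = keyIncludesEncoder; }

        String getContentAsText(String productId, String contentTypeId, String locale,
                                String mimeTypeId, String encoderType) {
            String cacheKey = contentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId
                    + SEPARATOR + productId;
            if (keyIncludesEncoder) {
                cacheKey += SEPARATOR + encoderType; // the key proposed in the report
            }
            // The cached value is already encoded, so the key has to identify the encoder.
            return cache.computeIfAbsent(cacheKey, k -> encode(STORED, encoderType));
        }
    }

    // First call fills the cache with "raw" output; second call asks for "html".
    static String secondCall(Wrapper w) {
        w.getContentAsText("P1", "DESCRIPTION", "en", "text/html", "raw");
        return w.getContentAsText("P1", "DESCRIPTION", "en", "text/html", "html");
    }

    public static void main(String[] args) {
        System.out.println("key without encoderType: " + secondCall(new Wrapper(false)));
        System.out.println("key with encoderType:    " + secondCall(new Wrapper(true)));
    }
}
```

With the shorter key, the second caller receives the unescaped markup cached by the first call even though it asked for HTML encoding; with encoderType in the key, each encoder gets its own cache entry.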