Posted to commits@ofbiz.apache.org by jl...@apache.org on 2017/11/09 08:54:46 UTC

svn commit: r1814709 - /ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java

Author: jleroux
Date: Thu Nov  9 08:54:46 2017
New Revision: 1814709

URL: http://svn.apache.org/viewvc?rev=1814709&view=rev
Log:
Fixed: [FB] Find Security Bugs
(OFBIZ-9973)

I missed to encode the request parameter prior to use the canonical pathname

Nevertheless Findbugs continues to complains about missing canonical pathname

I tried 
String safePath = (new File(imageServerPath + "/" + productId + "/" + imageName))
                  .getCanonicalPath();
BufferedImage bufImg1 = ImageIO.read(FileUtil.getFile(safePath));
instead of
BufferedImage bufImg1 = ImageIO.read(new File(imageServerPath + "/" + productId 
                        + "/" + imageName).getCanonicalFile());

Same Findbugs report; I consider it a false positive and keep the latter

Modified:
    ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java

Modified: ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java?rev=1814709&r1=1814708&r2=1814709&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java (original)
+++ ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java Thu Nov  9 08:54:46 2017
@@ -30,6 +30,8 @@ import java.awt.image.RenderedImage;
 import java.io.File;
 import java.io.IOException;
 import java.io.RandomAccessFile;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
 import java.nio.ByteBuffer;
 import java.util.HashMap;
 import java.util.Locale;
@@ -336,7 +338,15 @@ public class FrameImage {
         String imageServerPath = FlexibleStringExpander.expandString(EntityUtilProperties.getPropertyValue("catalog", "image.management.path", delegator), context);
         
         String productId = request.getParameter("productId");
-        String imageName = request.getParameter("imageName");
+        String imageName = null;
+        try {
+            imageName = URLEncoder.encode(request.getParameter("imageName"), "UTF-8");
+        } catch (UnsupportedEncodingException e) {
+            Debug.logError(e, "Error while saving TrackingCodeVisit", module);
+            request.setAttribute("_ERROR_MESSAGE_", e.getMessage());
+            return "error";
+        }
+        
         
         String dirPath = "/preview/";
         File dir = new File(imageServerPath + dirPath);
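Review bot: URL-encoding `imageName` with `URLEncoder.encode(...)` is not a path-containment check: `URLEncoder` leaves `.` untouched and only rewrites `/` and `\` as `%2F`/`%5C`, so it neither proves the resulting file lies under `imageServerPath` nor does anything for `productId`, which the line above also reads from the request and which, per the commit log, is spliced into the same path. It also changes which file is opened — a legitimate name containing a space becomes `my+image.jpg` — and when the `imageName` parameter is absent `URLEncoder.encode(null, ...)` throws a `NullPointerException` that the `UnsupportedEncodingException` catch does not cover. The log text `"Error while saving TrackingCodeVisit"` appears to be copied from another handler and will mislead whoever reads the log for this one. I would keep the raw parameters, reject empty values, and canonicalize the target against the canonical base directory as below; the enclosing method starts before and continues after this hunk, so the later `new File(...)` described in the commit log would use the validated `imageFile` instead of re-concatenating the strings.

```java
String productId = request.getParameter("productId");
String imageName = request.getParameter("imageName");
if (productId == null || productId.isEmpty() || imageName == null || imageName.isEmpty()) {
    request.setAttribute("_ERROR_MESSAGE_", "Missing productId or imageName");
    return "error";
}
File imageFile;
try {
    File baseDir = new File(imageServerPath).getCanonicalFile();
    imageFile = new File(new File(baseDir, productId), imageName).getCanonicalFile();
    // Reject any request whose canonical path escapes the image root (covers both parameters)
    if (!imageFile.toPath().startsWith(baseDir.toPath())) {
        Debug.logError("Rejected image path outside image root for productId " + productId, module);
        request.setAttribute("_ERROR_MESSAGE_", "Invalid image name");
        return "error";
    }
} catch (IOException e) {
    Debug.logError(e, "Unable to resolve image path", module);
    request.setAttribute("_ERROR_MESSAGE_", e.getMessage());
    return "error";
}
// … unchanged: preview directory handling …
```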