You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2017/11/08 20:54:09 UTC

svn commit: r1814642 - in /ofbiz/ofbiz-framework/trunk/applications: marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java

Author: jleroux
Date: Wed Nov  8 20:54:09 2017
New Revision: 1814642

URL: http://svn.apache.org/viewvc?rev=1814642&view=rev
Log:
Fixed: [FB] Find Security Bugs
(OFBIZ-9973)

FindBugs embeds an option to Find Security Bugs. Here are fixes for 2 cases FB
reported. They both relate to a request parameter that could be corrupted. They
are respectively fixed using URLEncoder.encode() and File.getCanonicalFile()

There are other formatting and minor no functional changes.

Remains not fixed issues related with possible SQL injections that I'll possibly
look at later...

Modified:
    ofbiz/ofbiz-framework/trunk/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java
    ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java

Modified: ofbiz/ofbiz-framework/trunk/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java?rev=1814642&r1=1814641&r2=1814642&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java (original)
+++ ofbiz/ofbiz-framework/trunk/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java Wed Nov  8 20:54:09 2017
@@ -18,6 +18,8 @@
  *******************************************************************************/
 package org.apache.ofbiz.marketing.tracking;
 
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
 import java.sql.Timestamp;
 import java.util.LinkedList;
 import java.util.List;
@@ -247,7 +249,12 @@ public class TrackingCodeEvents {
 
         // if site id exist in cookies then it is not required to create it, if exist with different site then create it
         int siteIdCookieAge = (60 * 60 * 24 * 365); // should this be configurable?
-        String siteId = request.getParameter("siteId");
+        String siteId = null;
+        try {
+            siteId = URLEncoder.encode(request.getParameter("siteId"), "UTF-8");
+        } catch (UnsupportedEncodingException e) {
+            Debug.logError(e, module);
+        }
         if (UtilValidate.isNotEmpty(siteId)) {
             String visitorSiteIdCookieName = "Ofbiz.TKCD.SiteId";
             String visitorSiteId = null;
@@ -264,7 +271,7 @@ public class TrackingCodeEvents {
 
             if (visitorSiteId == null || (visitorSiteId != null && !visitorSiteId.equals(siteId))) {
                 // if trackingCode.siteId is  not null  write a trackable cookie with name in the form: Ofbiz.TKCSiteId and timeout will be 60 * 60 * 24 * 365
-                Cookie siteIdCookie = new Cookie("Ofbiz.TKCD.SiteId" ,siteId);
+                Cookie siteIdCookie = new Cookie("Ofbiz.TKCD.SiteId", siteId);
                 siteIdCookie.setMaxAge(siteIdCookieAge);
                 siteIdCookie.setPath("/");
                 if (cookieDomain.length() > 0) siteIdCookie.setDomain(cookieDomain);
@@ -272,7 +279,7 @@ public class TrackingCodeEvents {
                 siteIdCookie.setHttpOnly(true);
                 response.addCookie(siteIdCookie);
                 // if trackingCode.siteId is  not null  write a trackable cookie with name in the form: Ofbiz.TKCSiteId and timeout will be 60 * 60 * 24 * 365
-                Cookie updatedTimeStampCookie = new Cookie("Ofbiz.TKCD.UpdatedTimeStamp" ,UtilDateTime.nowTimestamp().toString());
+                Cookie updatedTimeStampCookie = new Cookie("Ofbiz.TKCD.UpdatedTimeStamp", UtilDateTime.nowTimestamp().toString());
                 updatedTimeStampCookie.setMaxAge(siteIdCookieAge);
                 updatedTimeStampCookie.setPath("/");
                 if (cookieDomain.length() > 0) updatedTimeStampCookie.setDomain(cookieDomain);
@@ -293,7 +300,7 @@ public class TrackingCodeEvents {
         String prodCatalogId = trackingCode.getString("prodCatalogId");
         if (UtilValidate.isNotEmpty(prodCatalogId)) {
             session.setAttribute("CURRENT_CATALOG_ID", prodCatalogId);
-            CategoryWorker.setTrail(request, new LinkedList());
+            CategoryWorker.setTrail(request, new LinkedList<String>());
         }
 
         // if forward/redirect is needed, do a response.sendRedirect and return null to tell the control servlet to not do any other requests/views

Modified: ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java?rev=1814642&r1=1814641&r2=1814642&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java (original)
+++ ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java Wed Nov  8 20:54:09 2017
@@ -378,7 +378,7 @@ public class FrameImage {
             File file = new File(imageServerPath + "/preview/" +"/previewImage.jpg");
             file.delete();
             // Image Frame
-            BufferedImage bufImg1 = ImageIO.read(new File(imageServerPath + "/" + productId + "/" + imageName));
+            BufferedImage bufImg1 = ImageIO.read(new File(imageServerPath + "/" + productId + "/" + imageName).getCanonicalFile());
             BufferedImage bufImg2 = ImageIO.read(new File(imageServerPath + "/frame/" + frameImageName));
             
             int bufImgType;
@@ -436,10 +436,10 @@ public class FrameImage {
         return "success";
     }
     
-    public static String deleteFrameImage(HttpServletRequest request, HttpServletResponse response) {
+    public static String deleteFrameImage(HttpServletRequest request, HttpServletResponse response) throws IOException {
         Map<String, ? extends Object> context = UtilGenerics.checkMap(request.getParameterMap());
         String imageServerPath = FlexibleStringExpander.expandString(EntityUtilProperties.getPropertyValue("catalog", "image.management.path", (Delegator) context.get("delegator")), context);
-        File file = new File(imageServerPath + "/preview/" + "/previewImage.jpg");
+        File file = new File(imageServerPath + "/preview/" + "/previewImage.jpg").getCanonicalFile();
         if (file.exists()) {
             file.delete();
         }