Posted to notifications@ofbiz.apache.org by "Dennis Balkir (JIRA)" <ji...@apache.org> on 2017/08/25 14:20:00 UTC

[jira] [Updated] (OFBIZ-9637) [FB] Package org.apache.ofbiz.securityext.login

     [ https://issues.apache.org/jira/browse/OFBIZ-9637?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dennis Balkir updated OFBIZ-9637:
---------------------------------
    Attachment: OFBIZ-9637_org.apache.ofbiz.securityext_bugfixes.patch

- Line 89: added a default Locale to {{toLowerCase}}
- Line 92: added a default Locale to {{toLowerCase}}
- Line 163: added a default Locale to {{toLowerCase}}
- Line 223: added a default Locale to {{toLowerCase}}
- Line 248: added a default Locale to {{toLowerCase}}
- Line 253: removed unnecessary casting from String to Object
- Line 284: deleted unnecessary allocation of null -> if the try is executed properly, party won't get allocated with null; if it isn't executed properly and the program executes the catch, party is already null since it was declared as null in line 279
- Line 419: changed the code, so that {{cookies}} is cast to a String properly

- Last error: added an encoder, which prevents vulnerability through using untrusted parameters to construct an HTTPCookie

> [FB] Package org.apache.ofbiz.securityext.login
> -----------------------------------------------
>
>                 Key: OFBIZ-9637
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9637
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: securityext
>    Affects Versions: Trunk
>            Reporter: Dennis Balkir
>            Priority: Minor
>         Attachments: OFBIZ-9637_org.apache.ofbiz.securityext_bugfixes.patch
>
>
> - LoginEvents.java:88, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.securityext.login.LoginEvents.saveEntryParams(HttpServletRequest, HttpServletResponse)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> - LoginEvents.java:162, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.securityext.login.LoginEvents.showPasswordHint(HttpServletRequest, HttpServletResponse)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> - LoginEvents.java:222, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.securityext.login.LoginEvents.emailPassword(HttpServletRequest, HttpServletResponse)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> - LoginEvents.java:417, DMI_INVOKING_TOSTRING_ON_ARRAY
> USELESS_STRING: Invocation of toString on cookies in org.apache.ofbiz.securityext.login.LoginEvents.getUsername(HttpServletRequest)
> The code invokes toString on an array, which will generate a fairly useless result such as [C@16f0472. Consider using Arrays.toString to convert the array into a readable String that gives the contents of the array. See Programming Puzzlers, chapter 3, puzzle 12.
> - LoginEvents.java:437, HRS_REQUEST_PARAMETER_TO_COOKIE
> HRS: HTTP cookie formed from untrusted input in org.apache.ofbiz.securityext.login.LoginEvents.setUsername(HttpServletRequest, HttpServletResponse)
> This code constructs an HTTP Cookie using an untrusted HTTP parameter. If this cookie is added to an HTTP response, it will allow a HTTP response splitting vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.
> FindBugs looks only for the most blatant, obvious cases of HTTP response splitting. If FindBugs found any, you almost certainly have more vulnerabilities that FindBugs doesn't report. If you are concerned about HTTP response splitting, you should seriously consider using a commercial static analysis or pen-testing tool.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
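As an added example, not part of this ticket or of the OFBiz code base, the following stand-alone Java class reproduces the two security-relevant FindBugs findings above (DM_CONVERT_CASE and HRS_REQUEST_PARAMETER_TO_COOKIE) and shows one way to address each: lower-casing with Locale.ROOT instead of the platform default, and URL-encoding an untrusted request parameter before it becomes a cookie value. The cookie name, the Turkish-locale scenario and the malicious USERNAME value are constructed for illustration; URL-encoding is one possible encoder and is not necessarily what the attached patch uses. It needs Java 10 or later for the Charset overloads of URLEncoder/URLDecoder and does not depend on the servlet API.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Added example (not OFBiz code): the two classes of FindBugs finding from the
 * issue, reproduced and fixed in isolation. Requires Java 10+.
 */
public final class LoginCookieHardening {

    // RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E,
    // i.e. printable US-ASCII without CTLs, space, DQUOTE, comma, semicolon, backslash.
    private static final Pattern COOKIE_OCTETS =
            Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*");

    /** Locale-independent case folding: a Turkish default locale cannot turn "I" into dotless i. */
    static String normalizeUsername(String username) {
        return username.toLowerCase(Locale.ROOT);
    }

    /** True if the value can be placed in a Set-Cookie header without escaping. */
    static boolean isSafeCookieValue(String value) {
        return COOKIE_OCTETS.matcher(value).matches();
    }

    /**
     * Encode an untrusted request parameter before it becomes a cookie value.
     * URL encoding maps CR, LF, ';', ',', '"', '\' and non-ASCII to %XX sequences,
     * and its whole output alphabet (alnum, '-', '_', '.', '*', '+', '%') consists
     * of cookie-octets, so the encoded value cannot terminate or split the header.
     */
    static String encodeCookieValue(String untrusted) {
        String encoded = URLEncoder.encode(untrusted, StandardCharsets.UTF_8);
        if (!isSafeCookieValue(encoded)) {
            // Defence in depth: unreachable with URLEncoder's output alphabet, kept as a guard.
            throw new IllegalArgumentException("cookie value still contains unsafe octets");
        }
        return encoded;
    }

    /** Inverse of encodeCookieValue, for reading the cookie back in getUsername-style code. */
    static String decodeCookieValue(String stored) {
        return URLDecoder.decode(stored, StandardCharsets.UTF_8);
    }

    /** What the raw Set-Cookie header line would look like; for illustration only. */
    static String setCookieHeader(String name, String value) {
        return "Set-Cookie: " + name + "=" + value + "; Path=/";
    }

    public static void main(String[] args) {
        // 1. DM_CONVERT_CASE: the same username lower-cased under a Turkish default locale
        //    versus Locale.ROOT. A lookup keyed on the first form misses the stored account.
        Locale turkish = Locale.forLanguageTag("tr");
        String fromForm = "ADMIN";
        System.out.println("toLowerCase(tr)   : " + fromForm.toLowerCase(turkish)); // adm\u0131n (dotless i)
        System.out.println("toLowerCase(ROOT) : " + normalizeUsername(fromForm));   // admin

        // 2. HRS_REQUEST_PARAMETER_TO_COOKIE: a constructed malicious USERNAME parameter
        //    that tries to inject a second Set-Cookie header via CR LF.
        String cookieName = "username"; // assumed cookie name, not OFBiz's real one
        String attackerUsername = "alice\r\nSet-Cookie: JSESSIONID=attacker-chosen";
        System.out.println("raw value  -> " + isSafeCookieValue(attackerUsername));   // false
        System.out.println("unencoded header would be:\n" + setCookieHeader(cookieName, attackerUsername));

        String encoded = encodeCookieValue(attackerUsername);
        System.out.println("encoded    -> " + isSafeCookieValue(encoded));            // true
        System.out.println("encoded header is:\n" + setCookieHeader(cookieName, encoded));
        System.out.println("round-trips: " + attackerUsername.equals(decodeCookieValue(encoded))); // true
    }
}
```

Compile and run with `javac LoginCookieHardening.java && java LoginCookieHardening`. The decode step matters: whatever encoder is chosen for setUsername, getUsername has to apply the inverse, otherwise a legitimate username containing a space or non-ASCII letter is read back mangled. Even where the servlet container itself rejects control characters in cookie values, encoding at the point where the untrusted parameter enters keeps the fix independent of container configuration. The DMI_INVOKING_TOSTRING_ON_ARRAY finding is not shown here; it is a logging defect (Arrays.toString on the Cookie[] array, or iterating it) rather than a security one.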