[ https://issues.apache.org/jira/browse/OFBIZ-9823?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Brohl closed OFBIZ-9823.
--------------------------------
Resolution: Implemented
Fix Version/s: Upcoming Release
Thanks Dennis,
your patch is in trunk r1817692.
The patch was modified because the repeated conditional check in
TrackingCodeEvents was simplified too much.
> [FB] Package org.apache.ofbiz.marketing.tracking
> ------------------------------------------------
>
> Key: OFBIZ-9823
> URL: https://issues.apache.org/jira/browse/OFBIZ-9823
> Project: OFBiz
> Issue Type: Sub-task
> Components: marketing
> Affects Versions: Trunk
> Reporter: Dennis Balkir
> Assignee: Michael Brohl
> Priority: Minor
> Fix For: Upcoming Release
>
> Attachments: OFBIZ-9823_org.apache.ofbiz.marketing.tracking_bugfixes.patch
>
>
> --- TrackingCodeEvents.java:261, RpC_REPEATED_CONDITIONAL_TEST
> RpC: Repeated conditional test in org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue, HttpServletRequest, HttpServletResponse, String)
> The code contains a conditional test that is performed twice, one right after the other (e.g., x == 0 || x == 0). Perhaps the second occurrence is intended to be something else (e.g., x == 0 || y == 0).
> --- TrackingCodeEvents.java:261, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of visitorSiteId, which is known to be non-null in org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue, HttpServletRequest, HttpServletResponse, String)
> This method contains a redundant check of a known non-null value against the constant null.
> --- TrackingCodeEvents.java:263, HRS_REQUEST_PARAMETER_TO_COOKIE
> HRS: HTTP cookie formed from untrusted input in org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue, HttpServletRequest, HttpServletResponse, String)
> This code constructs an HTTP Cookie using an untrusted HTTP parameter. If this cookie is added to an HTTP response, it will allow an HTTP response splitting vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.
> FindBugs looks only for the most blatant, obvious cases of HTTP response splitting. If FindBugs found any, you almost certainly have more vulnerabilities that FindBugs doesn't report. If you are concerned about HTTP response splitting, you should seriously consider using a commercial static analysis or pen-testing tool.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
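As an added example (not code from OFBiz or from the attached patch), the pattern the HRS finding describes beside a hardened version that only accepts RFC 6265 cookie-octets before building the cookie; the parameter name, cookie name and length limit are assumptions.

```java
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class TrackingCookieExample {

    // RFC 6265 cookie-octet: printable US-ASCII without CTLs (so no CR/LF),
    // space, DQUOTE, comma, semicolon or backslash. Length bound is an assumption.
    private static final Pattern COOKIE_OCTETS =
        Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]{1,64}");

    /** Returns the value unchanged if it is a valid cookie value, otherwise null. */
    static String safeCookieValue(String value) {
        if (value == null || !COOKIE_OCTETS.matcher(value).matches()) {
            return null;
        }
        return value;
    }

    /** The pattern FindBugs flags as HRS: request parameter copied straight into a cookie. */
    static void flaggedTrackingCookie(HttpServletRequest request, HttpServletResponse response) {
        String code = request.getParameter("trackingCode"); // hypothetical parameter name
        response.addCookie(new Cookie("trackingCode", code)); // hypothetical cookie name
    }

    /** Hardened: validate first, drop the cookie on failure, and set safe attributes. */
    static boolean hardenedTrackingCookie(HttpServletRequest request, HttpServletResponse response) {
        String code = safeCookieValue(request.getParameter("trackingCode"));
        if (code == null) {
            return false; // untrusted value rejected; nothing is written to the response
        }
        Cookie cookie = new Cookie("trackingCode", code);
        cookie.setHttpOnly(true);
        cookie.setSecure(request.isSecure());
        cookie.setPath("/");
        response.addCookie(cookie);
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values: the first is accepted, the others rejected.
        String[] samples = { "SUMMER2017", "bad\r\nvalue", "a;b", "" };
        for (String s : samples) {
            System.out.println(s.replace("\r", "\\r").replace("\n", "\\n")
                + " -> " + (safeCookieValue(s) == null ? "rejected" : "accepted"));
        }
    }
}
```

Validating the value before the Cookie is constructed keeps the fix independent of whether the servlet container happens to reject CR/LF in header values.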