OFBiz OFBiz - Dev

[jira] [Comment Edited] (OFBIZ-6973) Flaw in content wrapper cache handling with encoderType

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Nicolas Malin (Jira)
Reply | Threaded
Open this post in threaded view
|

[jira] [Comment Edited] (OFBIZ-6973) Flaw in content wrapper cache handling with encoderType

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-6973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15222675#comment-15222675 ]

Wai edited comment on OFBIZ-6973 at 4/2/16 3:18 AM:
----------------------------------------------------

Since this cache is a static variable in ProductPromoContentWrapper, ProductContentWrapper
ProductConfigItemContentWrapper, CategoryContentWrapper, OrderContentWrapper. I think it would be useful to include the tenantId as well.  Since in multitenant mode all tenants would be using the same cache.

Come to think of it, this should be applied to all classes that define a static UtilCache.

Jacque Leroux:
Should I create a report for this?



was (Author: wt):
Since this cache is a static variable in ProductPromoContentWrapper, ProductContentWrapper
ProductConfigItemContentWrapper, CategoryContentWrapper, OrderContentWrapper. I think it would be useful to include the tenantId as well.  Since in multitenant mode all tenants would be using the same cache.


> Flaw in content wrapper cache handling with encoderType
> -------------------------------------------------------
>
>                 Key: OFBIZ-6973
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6973
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL APPLICATIONS
>    Affects Versions: Release Branch 14.12
>            Reporter: P Proulx
>            Assignee: Jacques Le Roux
>             Fix For: 14.12.01, Upcoming Branch, 15.12.01
>
>
> In Ofbiz 14.12 branch there is a flaw in the patches added in ticket
> https://issues.apache.org/jira/browse/OFBIZ-6669
> In ProductContentWrapper#getProductContentAsText and all similar content wrappers using a cache, the cacheKey does not include the new encoderType:
> {code}
>             String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId");
> {code}
> This makes it possible for subsequent calls on the same wrapper using different encoderTypes to return content having the wrong encoding and create potential security flaws.
> The key should include the encoderType:
> {code}
>                 String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId")  + SEPARATOR + encoderType;
> {code}
> I leave you to find all the occurrences.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
Free forum by Nabble Edit this page