OFBiz › OFBiz - Commits

svn commit: r1737442 - in /ofbiz/branches/release14.12: ./ applications/order/src/org/ofbiz/order/order/ applications/product/src/org/ofbiz/product/product/

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

1 message

jleroux@apache.org

svn commit: r1737442 - in /ofbiz/branches/release14.12: ./ applications/order/src/org/ofbiz/order/order/ applications/product/src/org/ofbiz/product/product/

Author: jleroux
Date: Fri Apr 1 20:35:04 2016
New Revision: 1737442

URL: http://svn.apache.org/viewvc?rev=1737442&view=rev
Log:
"Applied fix from trunk for revision: 1737440" (conflicts handled by hand: ProductConfigItemContentWrapper.java and CategoryContentWrapper.java have no cacheKey)
------------------------------------------------------------------------
r1737440 | jleroux | 2016-04-01 22:27:13 +0200 (ven. 01 avr. 2016) | 11 lignes

Fixes a possible security issue reported by Pascal Proulx at https://issues.apache.org/jira/browse/OFBIZ-6973 : "Flaw in content wrapper cache handling with encoderType"

In ProductContentWrapper#getProductContentAsText and all similar content wrappers using a cache, the cacheKey does not include the new encoderType:
String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId");

This makes it possible for subsequent calls on the same wrapper using different encoderTypes to return content having the wrong encoding and create potential security flaws.

The key should include the encoderType:
String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId") + SEPARATOR + encoderType;

jleroux: I fixed all possible such occurrences (ie when encoderType is used)
------------------------------------------------------------------------

Modified:
ofbiz/branches/release14.12/ (props changed)
ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/order/OrderContentWrapper.java
ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductContentWrapper.java
ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductPromoContentWrapper.java

Propchange: ofbiz/branches/release14.12/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Apr 1 20:35:04 2016
@@ -8,4 +8,4 @@
/ofbiz/branches/json-integration-refactoring:1634077-1635900
/ofbiz/branches/multitenant20100310:921280-927264
/ofbiz/branches/release13.07:1547657
-/ofbiz/trunk:1649072,1649083-1649084,1649086,1649090,1649096,1649230,1649238-1649239,1649248,1649272,1649275,1649280-1649281,1649283,1649285-1649286,1649291,1649329,1649331,1649384,1649393,1649666,1649742,1650240,1650348,1650357,1650583,1650642,1650678,1650821,1650882,1650887,1650938,1651593,1652312,1652361,1652638,1652641,1652672,1652688,1652706,1652725,1652731,1652739,1652852,1653248,1653296,1653456,1653597,1653614,1654175,1654273,1654509,1654670,1654672-1654673,1654683-1654684,1654824,1655046,1655668,1655979,1656014,1656185,1656198,1656445,1656983,1657323,1657506-1657507,1657514,1657714,1657790,1657848,1658364,1658662,1658882,1659224,1659965,1660031,1660053,1660389,1660444,1660579,1661303,1661328,1661760,1661778,1661853,1661862,1661873,1661940,1661951,1661977,1662119-1662120,1662361,1662500,1662812,1662919,1663202,1663912,1663979,1664602,1664604,1664696,1665154,1665162,1665535,1666404,1666511,1666633,1666836,1666939,1666949,1666958,1667055,1667253,1667483,1667492,1667774,1668207,
1668214,1668236,1668246,1668258,1668263,1668265,1668270,1668277,1668314,1668657,1669317,1669588,1672427,1672430,1672846,1672853,1672856,1672862,1672873,1673764,1674447,1674464,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1679709,1679720,1679728,1679732,1679957,1680155,1680288,1680304,1680671,1680675,1680733,1680840,1680881,1682272,1682295,1682415,1682633,1683998,1684094,1686360,1686536,1686545,1686566,1686569,1686574,1686583,1686635,1686651,1686970,1687427,1688772,1690086,1690581,1692357,1692458,1692600,1692604,1693393,1693579,1695017,1696018,1696234,1697590,1697647,1697993,1698259,1698261,1698263,1701164,1701441,1701819,1701825,1701936,1702002,1702548,1702704,1703121,1703586,1703945,1703954,1703965,1703971,1703976-1703977,1703981,1704000,1704014,1704018,1704036,1704043,1704052,1704082,1704140,1704230,1705004,1705329,1705405,1705412,1705417,1705427,1705532,1706159,1706162,1706316,1706531,1706549,1706553,1706561,1706569,17065
77,1706589,1706591,1706593,1706694,1707837,1707857,1708274,1708341,1708742,1708930,1709117,1710178,1710348,1711513,1712971,1714244,1714410,1714415,1714571,1714657,1715477-1715478,1715485,1715501,1716319,1717058,1717180,1717682,1717710,1717760,1718023,1718109,1719094,1719872,1720883,1721067,1721093,1721625,1722712,1723007,1723248,1724402,1724566,1724763,1724916,1724918,1724925,1724930,1724940,1724943,1724946,1724951,1724957,1724978,1725217,1725257,1725561,1725574,1726388,1726493,1726828,1728398,1729005,1729609,1729809,1730035,1730456,1730735-1730736,1730882,1730889,1731359,1731382,1731396,1732721,1733951,1733956,1734246,1734269,1734276,1734912,1734918,1735244,1735385,1735569,1735731,1735734,1735750,1735773,1736083,1736087,1736272,1736434,1736851,1736854,1737156
+/ofbiz/trunk:1649072,1649083-1649084,1649086,1649090,1649096,1649230,1649238-1649239,1649248,1649272,1649275,1649280-1649281,1649283,1649285-1649286,1649291,1649329,1649331,1649384,1649393,1649666,1649742,1650240,1650348,1650357,1650583,1650642,1650678,1650821,1650882,1650887,1650938,1651593,1652312,1652361,1652638,1652641,1652672,1652688,1652706,1652725,1652731,1652739,1652852,1653248,1653296,1653456,1653597,1653614,1654175,1654273,1654509,1654670,1654672-1654673,1654683-1654684,1654824,1655046,1655668,1655979,1656014,1656185,1656198,1656445,1656983,1657323,1657506-1657507,1657514,1657714,1657790,1657848,1658364,1658662,1658882,1659224,1659965,1660031,1660053,1660389,1660444,1660579,1661303,1661328,1661760,1661778,1661853,1661862,1661873,1661940,1661951,1661977,1662119-1662120,1662361,1662500,1662812,1662919,1663202,1663912,1663979,1664602,1664604,1664696,1665154,1665162,1665535,1666404,1666511,1666633,1666836,1666939,1666949,1666958,1667055,1667253,1667483,1667492,1667774,1668207,
1668214,1668236,1668246,1668258,1668263,1668265,1668270,1668277,1668314,1668657,1669317,1669588,1672427,1672430,1672846,1672853,1672856,1672862,1672873,1673764,1674447,1674464,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1679709,1679720,1679728,1679732,1679957,1680155,1680288,1680304,1680671,1680675,1680733,1680840,1680881,1682272,1682295,1682415,1682633,1683998,1684094,1686360,1686536,1686545,1686566,1686569,1686574,1686583,1686635,1686651,1686970,1687427,1688772,1690086,1690581,1692357,1692458,1692600,1692604,1693393,1693579,1695017,1696018,1696234,1697590,1697647,1697993,1698259,1698261,1698263,1701164,1701441,1701819,1701825,1701936,1702002,1702548,1702704,1703121,1703586,1703945,1703954,1703965,1703971,1703976-1703977,1703981,1704000,1704014,1704018,1704036,1704043,1704052,1704082,1704140,1704230,1705004,1705329,1705405,1705412,1705417,1705427,1705532,1706159,1706162,1706316,1706531,1706549,1706553,1706561,1706569,17065
77,1706589,1706591,1706593,1706694,1707837,1707857,1708274,1708341,1708742,1708930,1709117,1710178,1710348,1711513,1712971,1714244,1714410,1714415,1714571,1714657,1715477-1715478,1715485,1715501,1716319,1717058,1717180,1717682,1717710,1717760,1718023,1718109,1719094,1719872,1720883,1721067,1721093,1721625,1722712,1723007,1723248,1724402,1724566,1724763,1724916,1724918,1724925,1724930,1724940,1724943,1724946,1724951,1724957,1724978,1725217,1725257,1725561,1725574,1726388,1726493,1726828,1728398,1729005,1729609,1729809,1730035,1730456,1730735-1730736,1730882,1730889,1731359,1731382,1731396,1732721,1733951,1733956,1734246,1734269,1734276,1734912,1734918,1735244,1735385,1735569,1735731,1735734,1735750,1735773,1736083,1736087,1736272,1736434,1736851,1736854,1737156,1737440

Modified: ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/order/OrderContentWrapper.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/order/OrderContentWrapper.java?rev=1737442&r1=1737441&r2=1737442&view=diff
==============================================================================
--- ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/order/OrderContentWrapper.java (original)
+++ ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/order/OrderContentWrapper.java Fri Apr 1 20:35:04 2016
@@ -97,7 +97,7 @@ public class OrderContentWrapper impleme

String orderItemSeqId = (order.getEntityName().equals("OrderItem")? order.getString("orderItemSeqId"): "_NA_");

- String cacheKey = orderContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + order.get("orderId") + SEPARATOR + orderItemSeqId;
+ String cacheKey = orderContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + order.get("orderId") + SEPARATOR + orderItemSeqId + SEPARATOR + encoderType;
try {
String cachedValue = orderContentCache.get(cacheKey);
if (cachedValue != null) {

Modified: ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductContentWrapper.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductContentWrapper.java?rev=1737442&r1=1737441&r2=1737442&view=diff
==============================================================================
--- ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductContentWrapper.java (original)
+++ ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductContentWrapper.java Fri Apr 1 20:35:04 2016
@@ -108,7 +108,7 @@ public class ProductContentWrapper imple
/* caching: there is one cache created, "product.content" Each product's content is cached with a key of
* contentTypeId::locale::mimeType::productId, or whatever the SEPARATOR is defined above to be.
*/
- String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId");
+ String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId") + SEPARATOR + encoderType;
try {
String cachedValue = productContentCache.get(cacheKey);
if (cachedValue != null) {

Modified: ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductPromoContentWrapper.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductPromoContentWrapper.java?rev=1737442&r1=1737441&r2=1737442&view=diff
==============================================================================
--- ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductPromoContentWrapper.java (original)
+++ ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductPromoContentWrapper.java Fri Apr 1 20:35:04 2016
@@ -112,7 +112,7 @@ public class ProductPromoContentWrapper
/* caching: there is one cache created, "product.promo.content" Each productPromo's content is cached with a key of
* contentTypeId::locale::mimeType::productPromoId, or whatever the SEPARATOR is defined above to be.
*/
- String cacheKey = productPromoContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + productPromo.get("productPromoId");
+ String cacheKey = productPromoContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + productPromo.get("productPromoId") + SEPARATOR + encoderType;
try {
String cachedValue = productPromoContentCache.get(cacheKey);
if (cachedValue != null) {