svn commit: r1814646 - in /ofbiz/branches/release16.11: ./ applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java


svn commit: r1814646 - in /ofbiz/branches/release16.11: ./ applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java

jleroux@apache.org
Author: jleroux
Date: Wed Nov  8 21:00:58 2017
New Revision: 1814646

URL: http://svn.apache.org/viewvc?rev=1814646&view=rev
Log:
"Applied fix from trunk framework for revision: 1814644"
------------------------------------------------------------------------
Fixed: [FB] Find Security Bugs
(OFBIZ-9973)

FindBugs embeds an option to Find Security Bugs. Here are fixes for 2 cases FB
reported. They both relate to a request parameter that could be corrupted. They
are respectively fixed using URLEncoder.encode() and File.getCanonicalFile()

There are also other formatting and minor non-functional changes.

Remains not fixed issues related with possible SQL injections that I'll possibly
look at later...
------------------------------------------------------------------------

Modified:
    ofbiz/branches/release16.11/   (props changed)
    ofbiz/branches/release16.11/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java
    ofbiz/branches/release16.11/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java

Propchange: ofbiz/branches/release16.11/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Nov  8 21:00:58 2017
@@ -10,5 +10,5 @@
 /ofbiz/branches/json-integration-refactoring:1634077-1635900
 /ofbiz/branches/multitenant20100310:921280-927264
 /ofbiz/branches/release13.07:1547657
-/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801318-1801319,1801336,1801340,1801346,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814501,1814591
+/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801318-1801319,1801336,1801340,1801346,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814501,1814591,1814642,1814644
 /ofbiz/trunk:1770481,1770490,1770540,1771440,1771448,1771516,1771935,1772346,1772880,1774772,1775441,1779724,1780659,1781109,1781125,1781979,1782498,1782520

Modified: ofbiz/branches/release16.11/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java?rev=1814646&r1=1814645&r2=1814646&view=diff
==============================================================================
--- ofbiz/branches/release16.11/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java (original)
+++ ofbiz/branches/release16.11/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java Wed Nov  8 21:00:58 2017
@@ -18,6 +18,8 @@
  *******************************************************************************/
 package org.apache.ofbiz.marketing.tracking;
 
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
 import java.sql.Timestamp;
 import java.util.LinkedList;
 import java.util.List;
@@ -243,7 +245,12 @@ public class TrackingCodeEvents {
 
         // if site id exist in cookies then it is not required to create it, if exist with different site then create it
         int siteIdCookieAge = (60 * 60 * 24 * 365); // should this be configurable?
-        String siteId = request.getParameter("siteId");
+        String siteId = null;
+        try {
+            siteId = URLEncoder.encode(request.getParameter("siteId"), "UTF-8");
+        } catch (UnsupportedEncodingException e) {
+            Debug.logError(e, "Error while saving TrackingCodeVisit", module);
+        }
         if (UtilValidate.isNotEmpty(siteId)) {
             String visitorSiteIdCookieName = "Ofbiz.TKCD.SiteId";
             String visitorSiteId = null;
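Review bot: `URLEncoder.encode(request.getParameter("siteId"), "UTF-8")` on the new line throws NullPointerException whenever the request carries no siteId parameter, a case the original code tolerated and that the following `UtilValidate.isNotEmpty(siteId)` check exists for. Read the parameter first and encode only when it is present: `String rawSiteId = request.getParameter("siteId");` followed by `siteId = rawSiteId == null ? null : URLEncoder.encode(rawSiteId, "UTF-8");`. Note also that the encoded form is what is now compared against the existing cookie value and written into the new cookie further down in this method, so a siteId containing characters that URLEncoder rewrites will never match a cookie set before this change; whether that matters depends on the siteId values actually in use. The enclosing method starts and ends outside the hunk.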
@@ -260,13 +267,13 @@ public class TrackingCodeEvents {
 
             if (visitorSiteId == null || (visitorSiteId != null && !visitorSiteId.equals(siteId))) {
                 // if trackingCode.siteId is  not null  write a trackable cookie with name in the form: Ofbiz.TKCSiteId and timeout will be 60 * 60 * 24 * 365
-                Cookie siteIdCookie = new Cookie("Ofbiz.TKCD.SiteId" ,siteId);
+                Cookie siteIdCookie = new Cookie("Ofbiz.TKCD.SiteId", siteId);
                 siteIdCookie.setMaxAge(siteIdCookieAge);
                 siteIdCookie.setPath("/");
                 if (cookieDomain.length() > 0) siteIdCookie.setDomain(cookieDomain);
                     response.addCookie(siteIdCookie);
                 // if trackingCode.siteId is  not null  write a trackable cookie with name in the form: Ofbiz.TKCSiteId and timeout will be 60 * 60 * 24 * 365
-                Cookie updatedTimeStampCookie = new Cookie("Ofbiz.TKCD.UpdatedTimeStamp" ,UtilDateTime.nowTimestamp().toString());
+                Cookie updatedTimeStampCookie = new Cookie("Ofbiz.TKCD.UpdatedTimeStamp", UtilDateTime.nowTimestamp().toString());
                 updatedTimeStampCookie.setMaxAge(siteIdCookieAge);
                 updatedTimeStampCookie.setPath("/");
                 if (cookieDomain.length() > 0) updatedTimeStampCookie.setDomain(cookieDomain);
@@ -285,7 +292,7 @@ public class TrackingCodeEvents {
         String prodCatalogId = trackingCode.getString("prodCatalogId");
         if (UtilValidate.isNotEmpty(prodCatalogId)) {
             session.setAttribute("CURRENT_CATALOG_ID", prodCatalogId);
-            CategoryWorker.setTrail(request, new LinkedList());
+            CategoryWorker.setTrail(request, new LinkedList<String>());
         }
 
         // if forward/redirect is needed, do a response.sendRedirect and return null to tell the control servlet to not do any other requests/views

Modified: ofbiz/branches/release16.11/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java?rev=1814646&r1=1814645&r2=1814646&view=diff
==============================================================================
--- ofbiz/branches/release16.11/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java (original)
+++ ofbiz/branches/release16.11/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java Wed Nov  8 21:00:58 2017
@@ -378,7 +378,7 @@ public class FrameImage {
             File file = new File(imageServerPath + "/preview/" +"/previewImage.jpg");
             file.delete();
             // Image Frame
-            BufferedImage bufImg1 = ImageIO.read(new File(imageServerPath + "/" + productId + "/" + imageName));
+            BufferedImage bufImg1 = ImageIO.read(new File(imageServerPath + "/" + productId + "/" + imageName).getCanonicalFile());
             BufferedImage bufImg2 = ImageIO.read(new File(imageServerPath + "/frame/" + frameImageName));
             
             int bufImgType;
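Review bot: `getCanonicalFile()` on the new line resolves `..` segments but does not reject them, so a productId or imageName taken from the request can still name a file outside imageServerPath; canonicalization only becomes a traversal fix once the resolved path is checked against the canonical base directory and the request is refused when it falls outside. The same applies to the unchanged `frameImageName` path on the next line if that value also originates from the request, which is not visible here. The enclosing method starts and ends outside the hunk.
```java
File imageBase = new File(imageServerPath).getCanonicalFile();
File productImage = new File(imageBase, productId + "/" + imageName).getCanonicalFile();
if (!productImage.toPath().startsWith(imageBase.toPath())) {
    // the request named a file outside the image directory; refuse rather than read it
    return "error";
}
BufferedImage bufImg1 = ImageIO.read(productImage);
// … unchanged: frame image read and compositing …
```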
@@ -436,10 +436,10 @@ public class FrameImage {
         return "success";
     }
     
-    public static String deleteFrameImage(HttpServletRequest request, HttpServletResponse response) {
+    public static String deleteFrameImage(HttpServletRequest request, HttpServletResponse response) throws IOException {
         Map<String, ? extends Object> context = UtilGenerics.checkMap(request.getParameterMap());
         String imageServerPath = FlexibleStringExpander.expandString(EntityUtilProperties.getPropertyValue("catalog", "image.management.path", (Delegator) context.get("delegator")), context);
-        File file = new File(imageServerPath + "/preview/" + "/previewImage.jpg");
+        File file = new File(imageServerPath + "/preview/" + "/previewImage.jpg").getCanonicalFile();
         if (file.exists()) {
             file.delete();
         }
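Review bot: Adding `throws IOException` to `deleteFrameImage` widens the public signature of an event handler for a path that is built from the configured `image.management.path` property rather than from request parameters, so the canonicalization gains nothing here while pushing a checked exception onto every caller. Catching the IOException inside the method, logging it and returning the handler's error result, would keep the original signature and match how the other event methods in this file report failure. The rest of deleteFrameImage lies outside the hunk.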