Author: jleroux
Date: Thu Aug 8 15:28:45 2019
New Revision: 1864716
URL:
http://svn.apache.org/viewvc?rev=1864716&view=revLog:
Fixed: [FB] Find Security Bugs
(OFBIZ-9973)
FindBugs is now deprecated and replaced by Spotbugs
Last time I forgot to encode productId as reported by Man Yue Mo from Semmle
This eventually fixes the "Relative path traversal" issue reported by Spotbugs
by encoding the whole file name.
Nevertheless Spotbugs continues to report the same issue in trunk but not in R16
I have no idea why and I see no other possible issue.
I will backport and check again.
Modified:
ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
Modified: ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
URL:
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java?rev=1864716&r1=1864715&r2=1864716&view=diff==============================================================================
--- ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java (original)
+++ ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java Thu Aug 8 15:28:45 2019
@@ -30,7 +30,6 @@ import java.awt.image.RenderedImage;
import java.io.File;
import java.io.IOException;
import java.io.RandomAccessFile;
-import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.util.HashMap;
@@ -358,15 +357,7 @@ public class FrameImage {
String imageServerPath = FlexibleStringExpander.expandString(EntityUtilProperties.getPropertyValue("catalog", "image.management.path", delegator), context);
String productId = request.getParameter("productId");
- String imageName = null;
- try {
- imageName = URLEncoder.encode(request.getParameter("imageName"), "UTF-8");
- } catch (UnsupportedEncodingException e) {
- Debug.logError(e, "Error while saving TrackingCodeVisit", module);
- request.setAttribute("_ERROR_MESSAGE_", e.getMessage());
- return "error";
- }
-
+ String imageName = request.getParameter("imageName");
String dirPath = "/preview/";
File dir = new File(imageServerPath + dirPath);
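Review bot: The added `String imageName = request.getParameter("imageName");` takes the parameter straight from the request and, like `productId` on the line above it, is never checked against the image root, so this hunk removes the only transformation the value had without putting a containment check in its place; the commit instead URL-encodes the concatenated path at the use site further down, which is not a traversal check (it also turns every `/` into `%2F`, so the encoded string no longer names the intended file at all). A real fix resolves the canonical file once here and rejects anything that does not stay under the canonical `imageServerPath`, reusing the `_ERROR_MESSAGE_` / `return "error"` pattern the removed block used. `getCanonicalFile()` throws `IOException`; the method already calls it unguarded later in this commit, so presumably that is already declared or caught by the method — confirm. The enclosing method starts before this hunk and continues after it.
```java
        String productId = request.getParameter("productId");
        String imageName = request.getParameter("imageName");
        // Containment check: the requested image must resolve under the image root,
        // otherwise "../" segments in productId or imageName escape it.
        File imageRoot = new File(imageServerPath).getCanonicalFile();
        File requestedImage = new File(imageRoot, productId + "/" + imageName).getCanonicalFile();
        if (!requestedImage.toPath().startsWith(imageRoot.toPath())) {
            Debug.logError("Rejected image path outside image root: " + requestedImage, module);
            request.setAttribute("_ERROR_MESSAGE_", "Invalid productId or imageName");
            return "error";
        }
        // … unchanged: preview directory creation …
```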
@@ -401,13 +392,14 @@ public class FrameImage {
request.setAttribute("_ERROR_MESSAGE_", e.getMessage());
return "error";
}
+
if (UtilValidate.isNotEmpty(imageName)) {
File file = new File(imageServerPath + "/preview/" +"/previewImage.jpg");
if(!file.delete()) {
Debug.logError("File :" + file.getName() + ", couldn't be loaded", module);
}
// Image Frame
- BufferedImage bufImg1 = ImageIO.read(new File(imageServerPath + "/" + productId + "/" + imageName).getCanonicalFile()); // About Findbugs results, see OFBIZ-9973
+ BufferedImage bufImg1 = ImageIO.read(new File(URLEncoder.encode(imageServerPath + "/" + productId + "/" + imageName, "UTF-8")).getCanonicalFile());
BufferedImage bufImg2 = ImageIO.read(new File(imageServerPath + "/frame/" + frameImageName));
int bufImgType;