svn commit: r1864718 - in /ofbiz/ofbiz-framework/branches/release17.12: ./ applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

svn commit: r1864718 - in /ofbiz/ofbiz-framework/branches/release17.12: ./ applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java

jleroux@apache.org
Author: jleroux
Date: Thu Aug  8 15:29:34 2019
New Revision: 1864718

URL: http://svn.apache.org/viewvc?rev=1864718&view=rev
Log:
"Applied fix from trunk for revision: 1864716"
------------------------------------------------------------------------
r1864716 | jleroux | 2019-08-08 17:28:45 +0200 (jeu. 08 août 2019) | 15 lignes

Fixed: [FB] Find Security Bugs
(OFBIZ-9973)

FindBugs is now deprecated and replaced by Spotbugs

Last time I forgot to encode productId as reported by Man Yue Mo from Semmle

This eventually fixes the "Relative path traversal" issue reported by Spotbugs
by encoding the whole file name.

Nevertheless Spotbugs continues to report the same issue in trunk but not in R16
I have not ideas why and I see no other possible issue.

I will backport and check again.

------------------------------------------------------------------------

Modified:
    ofbiz/ofbiz-framework/branches/release17.12/   (props changed)
    ofbiz/ofbiz-framework/branches/release17.12/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java

Propchange: ofbiz/ofbiz-framework/branches/release17.12/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Aug  8 15:29:34 2019
@@ -10,4 +10,4 @@
 /ofbiz/branches/json-integration-refactoring:1634077-1635900
 /ofbiz/branches/multitenant20100310:921280-927264
 /ofbiz/branches/release13.07:1547657
-/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1819947,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1823467,1823562,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825211,1825216,1825233,1825450,1826374,1826502,1826592,1826671,1826674,1826780,1826805,1826938,1826997,1827439,1828255,1828316,1828346,1828424,1828512,1828514,1829690,1830936,1831074,1831078,1831234,1831608,1831831,1832577,1832662,1832756,1832800,1832944,1833173,1833211,1834181,1834191,1834736,1835235,1835871,1835887,1835891,1835953,1835964,1836144,1836871,1837857,1838032,1838256,1838381,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1844943,1845418,1845420,1845466,1845544,1845552,1845558,1845933,1845995,1846097,1846107,1846214,1846594,1846632,1847398,1847478,1847670,
 1847715,1847890,1848263,1848336,1848386,1848398,1848441,1848444,1848447,1848449,1848467,1848469,1848745,1848849-1848850,1849021,1849165,1849191,1849193,1849275,1849467,1849528,1849540,1849567,1849693,1850015,1850023,1850530,1850647,1850685,1850694,1850914,1850918,1850948,1850953,1851006,1851068,1851074,1851130,1851158,1851163,1851200,1851247,1851319,1851350,1851805,1851998,1852587,1852818,1853070,1853109,1853691,1853745,1853750,1854306,1854457,1855078,1855287,1855371,1855403,1855488,1855492,1855497,1855501,1855898,1856405,1856455,1856459-1856460,1856484,1856598,1856617,1856667,1857088,1857099,1857173,1857180,1857213,1857392,1857617,1857692,1857813,1858035,1858250,1858256,1858275,1858319,1858432,1858444,1858523,1858539,1858965,1858980,1859033,1859055,1859087,1859255,1859263,1859543,1859571,1859576,1859691,1859694,1859698,1859704,1859708,1859735,1859796,1859800,1859807,1859871,1859877,1859882,1859915,1859931,1859968,1859972,1859981,1860082,1860141,1860274,1860357,1860526,1860592,18606
 13,1860797,1861615,1861837,1861849,1861859,1861869,1862045-1862046,1862207,1862271,1862278,1862466,1862648,1863560
+/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1819947,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1823467,1823562,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825211,1825216,1825233,1825450,1826374,1826502,1826592,1826671,1826674,1826780,1826805,1826938,1826997,1827439,1828255,1828316,1828346,1828424,1828512,1828514,1829690,1830936,1831074,1831078,1831234,1831608,1831831,1832577,1832662,1832756,1832800,1832944,1833173,1833211,1834181,1834191,1834736,1835235,1835871,1835887,1835891,1835953,1835964,1836144,1836871,1837857,1838032,1838256,1838381,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1844943,1845418,1845420,1845466,1845544,1845552,1845558,1845933,1845995,1846097,1846107,1846214,1846594,1846632,1847398,1847478,1847670,
 1847715,1847890,1848263,1848336,1848386,1848398,1848441,1848444,1848447,1848449,1848467,1848469,1848745,1848849-1848850,1849021,1849165,1849191,1849193,1849275,1849467,1849528,1849540,1849567,1849693,1850015,1850023,1850530,1850647,1850685,1850694,1850914,1850918,1850948,1850953,1851006,1851068,1851074,1851130,1851158,1851163,1851200,1851247,1851319,1851350,1851805,1851998,1852587,1852818,1853070,1853109,1853691,1853745,1853750,1854306,1854457,1855078,1855287,1855371,1855403,1855488,1855492,1855497,1855501,1855898,1856405,1856455,1856459-1856460,1856484,1856598,1856617,1856667,1857088,1857099,1857173,1857180,1857213,1857392,1857617,1857692,1857813,1858035,1858250,1858256,1858275,1858319,1858432,1858444,1858523,1858539,1858965,1858980,1859033,1859055,1859087,1859255,1859263,1859543,1859571,1859576,1859691,1859694,1859698,1859704,1859708,1859735,1859796,1859800,1859807,1859871,1859877,1859882,1859915,1859931,1859968,1859972,1859981,1860082,1860141,1860274,1860357,1860526,1860592,18606
 13,1860797,1861615,1861837,1861849,1861859,1861869,1862045-1862046,1862207,1862271,1862278,1862466,1862648,1863560,1864716

Modified: ofbiz/ofbiz-framework/branches/release17.12/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java?rev=1864718&r1=1864717&r2=1864718&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/branches/release17.12/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java (original)
+++ ofbiz/ofbiz-framework/branches/release17.12/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java Thu Aug  8 15:29:34 2019
@@ -30,7 +30,6 @@ import java.awt.image.RenderedImage;
 import java.io.File;
 import java.io.IOException;
 import java.io.RandomAccessFile;
-import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
 import java.nio.ByteBuffer;
 import java.util.HashMap;
@@ -331,15 +330,7 @@ public class FrameImage {
         String imageServerPath = FlexibleStringExpander.expandString(EntityUtilProperties.getPropertyValue("catalog", "image.management.path", delegator), context);
 
         String productId = request.getParameter("productId");
-        String imageName = null;
-        try {
-            imageName = URLEncoder.encode(request.getParameter("imageName"), "UTF-8");
-        } catch (UnsupportedEncodingException e) {
-            Debug.logError(e, "Error while saving TrackingCodeVisit", module);
-            request.setAttribute("_ERROR_MESSAGE_", e.getMessage());
-            return "error";
-        }
-
+        String imageName = request.getParameter("imageName");
 
         String dirPath = "/preview/";
         File dir = new File(imageServerPath + dirPath);
@@ -374,13 +365,14 @@ public class FrameImage {
             request.setAttribute("_ERROR_MESSAGE_", e.getMessage());
             return "error";
         }
+        
         if (UtilValidate.isNotEmpty(imageName)) {
             File file = new File(imageServerPath + "/preview/" +"/previewImage.jpg");
             if(!file.delete()) {
                 Debug.logError("File :" + file.getName() + ", couldn't be loaded", module);
             }
             // Image Frame
-            BufferedImage bufImg1 = ImageIO.read(new File(imageServerPath + "/" + productId + "/" + imageName).getCanonicalFile()); // About Findbugs results, see OFBIZ-9973
+            BufferedImage bufImg1 = ImageIO.read(new File(URLEncoder.encode(imageServerPath + "/" + productId + "/" + imageName, "UTF-8")).getCanonicalFile());
             BufferedImage bufImg2 = ImageIO.read(new File(imageServerPath + "/frame/" + frameImageName));
 
             int bufImgType;