Author: jleroux
Date: Wed Nov  8 21:00:58 2017
New Revision: 1814646

URL: http://svn.apache.org/viewvc?rev=1814646&view=rev
Log:
"Applied fix from trunk framework for revision: 1814644"
------------------------------------------------------------------------
Fixed: [FB] Find Security Bugs
(OFBIZ-9973)

FindBugs embeds an option to Find Security Bugs. Here are fixes for 2 cases FB
reported. They both relate to a request parameter that could be corrupted. They
are respectively fixed using URLEncoder.encode() and File.getCanonicalFile()

There are other formatting and minor no functional changes.

Issues related to possible SQL injections remain unfixed; I may look at them later...
------------------------------------------------------------------------

Modified:
    ofbiz/branches/release16.11/   (props changed)
    
ofbiz/branches/release16.11/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java
    
ofbiz/branches/release16.11/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java

Propchange: ofbiz/branches/release16.11/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Nov  8 21:00:58 2017
@@ -10,5 +10,5 @@
 /ofbiz/branches/json-integration-refactoring:1634077-1635900
 /ofbiz/branches/multitenant20100310:921280-927264
 /ofbiz/branches/release13.07:1547657
-/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801318-1801319,1801336,1801340,1801346,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814501,1814591
+/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801318-1801319,1801336,1801340,1801346,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814501,1814591,1814642,1814644
 
/ofbiz/trunk:1770481,1770490,1770540,1771440,1771448,1771516,1771935,1772346,1772880,1774772,1775441,1779724,1780659,1781109,1781125,1781979,1782498,1782520

Modified: 
ofbiz/branches/release16.11/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java
URL: 
http://svn.apache.org/viewvc/ofbiz/branches/release16.11/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java?rev=1814646&r1=1814645&r2=1814646&view=diff
==============================================================================
--- 
ofbiz/branches/release16.11/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java
 (original)
+++ 
ofbiz/branches/release16.11/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java
 Wed Nov  8 21:00:58 2017
@@ -18,6 +18,8 @@
  
*******************************************************************************/
 package org.apache.ofbiz.marketing.tracking;
 
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
 import java.sql.Timestamp;
 import java.util.LinkedList;
 import java.util.List;
@@ -243,7 +245,12 @@ public class TrackingCodeEvents {
 
         // if site id exist in cookies then it is not required to create it, 
if exist with different site then create it
         int siteIdCookieAge = (60 * 60 * 24 * 365); // should this be 
configurable?
-        String siteId = request.getParameter("siteId");
+        String siteId = null;
+        try {
+            siteId = URLEncoder.encode(request.getParameter("siteId"), 
"UTF-8");
+        } catch (UnsupportedEncodingException e) {
+            Debug.logError(e, "Error while saving TrackingCodeVisit", module);
+        }
         if (UtilValidate.isNotEmpty(siteId)) {
             String visitorSiteIdCookieName = "Ofbiz.TKCD.SiteId";
             String visitorSiteId = null;
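Review bot: `URLEncoder.encode(request.getParameter("siteId"), "UTF-8")` on the added lines throws NullPointerException whenever the request carries no siteId parameter, since `encode(null, ...)` rejects null and the catch only covers UnsupportedEncodingException; the original code tolerated a missing parameter through the `UtilValidate.isNotEmpty(siteId)` check that follows. Read the parameter first and encode only when present: `String rawSiteId = request.getParameter("siteId");` then `siteId = rawSiteId == null ? null : URLEncoder.encode(rawSiteId, "UTF-8");`. Encoding also changes the value stored in the `Ofbiz.TKCD.SiteId` cookie, so a cookie written by the previous code with characters outside the unreserved set will no longer `equals` the encoded value and will be rewritten once — presumably harmless, but worth confirming. The enclosing method starts before this hunk.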
@@ -260,13 +267,13 @@ public class TrackingCodeEvents {
 
             if (visitorSiteId == null || (visitorSiteId != null && 
!visitorSiteId.equals(siteId))) {
                 // if trackingCode.siteId is  not null  write a trackable 
cookie with name in the form: Ofbiz.TKCSiteId and timeout will be 60 * 60 * 24 
* 365
-                Cookie siteIdCookie = new Cookie("Ofbiz.TKCD.SiteId" ,siteId);
+                Cookie siteIdCookie = new Cookie("Ofbiz.TKCD.SiteId", siteId);
                 siteIdCookie.setMaxAge(siteIdCookieAge);
                 siteIdCookie.setPath("/");
                 if (cookieDomain.length() > 0) 
siteIdCookie.setDomain(cookieDomain);
                     response.addCookie(siteIdCookie);
                 // if trackingCode.siteId is  not null  write a trackable 
cookie with name in the form: Ofbiz.TKCSiteId and timeout will be 60 * 60 * 24 
* 365
-                Cookie updatedTimeStampCookie = new 
Cookie("Ofbiz.TKCD.UpdatedTimeStamp" ,UtilDateTime.nowTimestamp().toString());
+                Cookie updatedTimeStampCookie = new 
Cookie("Ofbiz.TKCD.UpdatedTimeStamp", UtilDateTime.nowTimestamp().toString());
                 updatedTimeStampCookie.setMaxAge(siteIdCookieAge);
                 updatedTimeStampCookie.setPath("/");
                 if (cookieDomain.length() > 0) 
updatedTimeStampCookie.setDomain(cookieDomain);
@@ -285,7 +292,7 @@ public class TrackingCodeEvents {
         String prodCatalogId = trackingCode.getString("prodCatalogId");
         if (UtilValidate.isNotEmpty(prodCatalogId)) {
             session.setAttribute("CURRENT_CATALOG_ID", prodCatalogId);
-            CategoryWorker.setTrail(request, new LinkedList());
+            CategoryWorker.setTrail(request, new LinkedList<String>());
         }
 
         // if forward/redirect is needed, do a response.sendRedirect and 
return null to tell the control servlet to not do any other requests/views

Modified: 
ofbiz/branches/release16.11/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
URL: 
http://svn.apache.org/viewvc/ofbiz/branches/release16.11/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java?rev=1814646&r1=1814645&r2=1814646&view=diff
==============================================================================
--- 
ofbiz/branches/release16.11/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
 (original)
+++ 
ofbiz/branches/release16.11/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
 Wed Nov  8 21:00:58 2017
@@ -378,7 +378,7 @@ public class FrameImage {
             File file = new File(imageServerPath + "/preview/" 
+"/previewImage.jpg");
             file.delete();
             // Image Frame
-            BufferedImage bufImg1 = ImageIO.read(new File(imageServerPath + 
"/" + productId + "/" + imageName));
+            BufferedImage bufImg1 = ImageIO.read(new File(imageServerPath + 
"/" + productId + "/" + imageName).getCanonicalFile());
             BufferedImage bufImg2 = ImageIO.read(new File(imageServerPath + 
"/frame/" + frameImageName));
             
             int bufImgType;
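Review bot: `getCanonicalFile()` on the new `ImageIO.read` line resolves `..` segments and symlinks but does not constrain the result, so a productId or imageName containing `../` still reads a file outside imageServerPath — the Find Security Bugs warning is suppressed rather than fixed, and frameImageName on the following line is not even canonicalized. Canonicalize the image root as well and reject any resolved path that does not start with it, for both files. The method containing this hunk starts before it, so the error-return convention to use (presumably setting `_ERROR_MESSAGE_` and returning "error", as other OFBiz events do) should be confirmed against its other branches.
```java
File imageRoot = new File(imageServerPath).getCanonicalFile();
File sourceImage = new File(imageRoot, productId + "/" + imageName).getCanonicalFile();
File frameImage = new File(imageRoot, "frame/" + frameImageName).getCanonicalFile();
if (!sourceImage.toPath().startsWith(imageRoot.toPath())
        || !frameImage.toPath().startsWith(imageRoot.toPath())) {
    // TODO(review): align with this method's existing error convention
    request.setAttribute("_ERROR_MESSAGE_", "Invalid image path");
    return "error";
}
BufferedImage bufImg1 = ImageIO.read(sourceImage);
BufferedImage bufImg2 = ImageIO.read(frameImage);
// … unchanged: bufImgType selection and frame composition …
```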
@@ -436,10 +436,10 @@ public class FrameImage {
         return "success";
     }
     
-    public static String deleteFrameImage(HttpServletRequest request, 
HttpServletResponse response) {
+    public static String deleteFrameImage(HttpServletRequest request, 
HttpServletResponse response) throws IOException {
         Map<String, ? extends Object> context = 
UtilGenerics.checkMap(request.getParameterMap());
         String imageServerPath = 
FlexibleStringExpander.expandString(EntityUtilProperties.getPropertyValue("catalog",
 "image.management.path", (Delegator) context.get("delegator")), context);
-        File file = new File(imageServerPath + "/preview/" + 
"/previewImage.jpg");
+        File file = new File(imageServerPath + "/preview/" + 
"/previewImage.jpg").getCanonicalFile();
         if (file.exists()) {
             file.delete();
         }
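Review bot: Adding `getCanonicalFile()` to the previewImage.jpg path only normalizes it; nothing verifies that the canonical result is still under imageServerPath, so if the expanded `image.management.path` property can be influenced by request parameters (the expansion context here is `request.getParameterMap()`), the delete target remains steerable and the finding is only silenced. Compare against the canonical root before deleting: `File imageRoot = new File(imageServerPath).getCanonicalFile();` and `if (!file.toPath().startsWith(imageRoot.toPath())) return "error";`, using whatever error convention the other events in this class follow. The new `throws IOException` on the event signature also turns a canonicalization failure into an exception escaping the handler instead of an error return; catching it and reporting through `_ERROR_MESSAGE_` would preserve the handler's contract. The result of `file.delete()` is still ignored.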

