[ https://issues.apache.org/jira/browse/OFBIZ-6973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux reassigned OFBIZ-6973: -------------------------------------- Assignee: Jacques Le Roux > Flaw in content wrapper cache handling with encoderType > ------------------------------------------------------- > > Key: OFBIZ-6973 > URL: https://issues.apache.org/jira/browse/OFBIZ-6973 > Project: OFBiz > Issue Type: Bug > Components: ALL APPLICATIONS > Affects Versions: Release Branch 14.12 > Reporter: P Proulx > Assignee: Jacques Le Roux > > In Ofbiz 14.12 branch there is a flaw in the patches added in ticket > https://issues.apache.org/jira/browse/OFBIZ-6669 > In ProductContentWrapper#getProductContentAsText and all similar content > wrappers using a cache, the cacheKey does not include the new encoderType: > {code} > String cacheKey = productContentTypeId + SEPARATOR + locale + > SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId"); > {code} > This makes it possible for subsequent calls on the same wrapper using > different encoderTypes to return content having the wrong encoding and create > potential security flaws. > The key should include the encoderType: > {code} > String cacheKey = productContentTypeId + SEPARATOR + locale + > SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId") + SEPARATOR + > encoderType; > {code} > I leave you to find all the occurrences. -- This message was sent by Atlassian JIRA (v6.3.4#6332)