[ https://issues.apache.org/jira/browse/OFBIZ-9633?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Brohl closed OFBIZ-9633.
--------------------------------
       Resolution: Implemented
    Fix Version/s: Upcoming Release

Thanks Dennis,

your patch is in trunk r1811427. 

> [FB] Package org.apache.ofbiz.common.qrcode
> -------------------------------------------
>
>                 Key: OFBIZ-9633
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9633
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Dennis Balkir
>            Assignee: Michael Brohl
>            Priority: Minor
>             Fix For: Upcoming Release
>
>         Attachments: OFBIZ-9633_org.apache.ofbiz.common.qrcode_bugfixes.patch
>
>
> - QRCodeEvents.java:76, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of mimeType, which is known to be non-null in 
> org.apache.ofbiz.common.qrcode.QRCodeEvents.serveQRCodeImage(HttpServletRequest,
>  HttpServletResponse)
> This method contains a redundant check of a known non-null value against the 
> constant null.
> - QRCodeServices.java:77, MS_PKGPROTECT
> MS: org.apache.ofbiz.common.qrcode.QRCodeServices.FORMAT_NAMES should be 
> package protected
> A mutable static field could be changed by malicious code or by accident. The 
> field could be made package protected to avoid this vulnerability.
> - QRCodeServices.java:79, MS_MUTABLE_COLLECTION_PKGPROTECT
> Field is a mutable collection which should be package protected
> A mutable collection instance is assigned to a final static field, thus can 
> be changed by malicious code or by accident from another package. The field 
> could be made package protected to avoid this vulnerability. Alternatively 
> you may wrap this field into Collections.unmodifiableSet/List/Map/etc. to 
> avoid this vulnerability.
> - QRCodeServices.java:93, MS_SHOULD_BE_REFACTORED_TO_BE_FINAL
> MS: org.apache.ofbiz.common.qrcode.QRCodeServices.defaultLogoImage isn't 
> final but should be refactored to be so
> This static field is public but not final, and could be changed by malicious 
> code or by accident from another package. The field could be made final to 
> avoid this vulnerability. However, the static initializer contains more than 
> one write to the field, so doing so will require some refactoring.
> - QRCodeServices.java:252, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in 
> org.apache.ofbiz.common.qrcode.QRCodeServices.toBufferedImage(BitMatrix, 
> String)
> A String is being converted to upper or lowercase, using the platform's 
> default encoding. This may result in improper conversions when used with 
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
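
The MS_* and DM_CONVERT_CASE findings quoted above, shown with their usual fixes as an added Java example; it is not part of the original message and is not the OFBiz code or the committed patch. The class, field names, format values and the `example.logo.path` property are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

// Hypothetical class for illustration; not the OFBiz QRCodeServices source.
public class StaticFieldHardening {

    // MS_MUTABLE_COLLECTION_PKGPROTECT: the reference is final, the contents are not.
    public static final List<String> MUTABLE_FORMATS =
            new ArrayList<>(Arrays.asList("png", "gif"));

    // Fix: publish a read-only view; the backing list is unreachable from outside.
    public static final List<String> FORMATS =
            Collections.unmodifiableList(Arrays.asList("png", "gif"));

    // MS_SHOULD_BE_REFACTORED_TO_BE_FINAL: move the multi-step initialisation into
    // a helper so the field is written exactly once and can be declared final.
    public static final String DEFAULT_LOGO = loadDefaultLogo();

    private static String loadDefaultLogo() {
        String configured = System.getProperty("example.logo.path"); // constructed key
        return (configured == null || configured.isEmpty()) ? "default-logo.png" : configured;
    }

    // DM_CONVERT_CASE: the caller passes the locale explicitly instead of
    // inheriting the JVM default.
    static boolean isSupported(List<String> formats, String name, Locale locale) {
        return formats.contains(name.toLowerCase(locale));
    }

    public static void main(String[] args) {
        MUTABLE_FORMATS.add("exe"); // any class on the classpath can do this
        System.out.println("mutable list now: " + MUTABLE_FORMATS);

        try {
            FORMATS.add("exe");
        } catch (UnsupportedOperationException e) {
            System.out.println("read-only list rejected the write");
        }

        // Under a Turkish locale "I" lowercases to dotless "ı", so "GIF" no longer
        // matches "gif"; Locale.ROOT gives locale-independent behaviour.
        Locale turkish = Locale.forLanguageTag("tr");
        System.out.println("tr:   " + isSupported(FORMATS, "GIF", turkish));
        System.out.println("ROOT: " + isSupported(FORMATS, "GIF", Locale.ROOT));
        System.out.println("logo: " + DEFAULT_LOGO);
    }
}
```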