[ https://issues.apache.org/jira/browse/OFBIZ-9637?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Brohl reassigned OFBIZ-9637:
------------------------------------

    Assignee: Michael Brohl

> [FB] Package org.apache.ofbiz.securityext.login
> -----------------------------------------------
>
>                 Key: OFBIZ-9637
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9637
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: securityext
>    Affects Versions: Trunk
>            Reporter: Dennis Balkir
>            Assignee: Michael Brohl
>            Priority: Minor
>         Attachments: OFBIZ-9637_org.apache.ofbiz.securityext_bugfixes.patch
>
>
> - LoginEvents.java:88, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in 
> org.apache.ofbiz.securityext.login.LoginEvents.saveEntryParams(HttpServletRequest,
>  HttpServletResponse)
> A String is being converted to upper or lowercase, using the platform's 
> default encoding. This may result in improper conversions when used with 
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> - LoginEvents.java:162, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in 
> org.apache.ofbiz.securityext.login.LoginEvents.showPasswordHint(HttpServletRequest,
>  HttpServletResponse)
> A String is being converted to upper or lowercase, using the platform's 
> default encoding. This may result in improper conversions when used with 
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> - LoginEvents.java:222, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in 
> org.apache.ofbiz.securityext.login.LoginEvents.emailPassword(HttpServletRequest,
>  HttpServletResponse)
> A String is being converted to upper or lowercase, using the platform's 
> default encoding. This may result in improper conversions when used with 
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> - LoginEvents.java:417, DMI_INVOKING_TOSTRING_ON_ARRAY
> USELESS_STRING: Invocation of toString on cookies in 
> org.apache.ofbiz.securityext.login.LoginEvents.getUsername(HttpServletRequest)
> The code invokes toString on an array, which will generate a fairly useless 
> result such as [C@16f0472. Consider using Arrays.toString to convert the 
> array into a readable String that gives the contents of the array. See 
> Programming Puzzlers, chapter 3, puzzle 12.
> - LoginEvents.java:437, HRS_REQUEST_PARAMETER_TO_COOKIE
> HRS: HTTP cookie formed from untrusted input in 
> org.apache.ofbiz.securityext.login.LoginEvents.setUsername(HttpServletRequest,
>  HttpServletResponse)
> This code constructs an HTTP Cookie using an untrusted HTTP parameter. If 
> this cookie is added to an HTTP response, it will allow a HTTP response 
> splitting vulnerability. See 
> http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.
> FindBugs looks only for the most blatant, obvious cases of HTTP response 
> splitting. If FindBugs found any, you almost certainly have more 
> vulnerabilities that FindBugs doesn't report. If you are concerned about HTTP 
> response splitting, you should seriously consider using a commercial static 
> analysis or pen-testing tool.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
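The three FindBugs patterns listed above, each beside a hardened equivalent, as an added example that is not OFBiz's own LoginEvents code; the class and method names and the username allow-list are assumptions, and plain strings stand in for the servlet cookie objects:

```java
import java.util.Arrays;
import java.util.Locale;
import java.util.Optional;
import java.util.regex.Pattern;

/** Added example: hardened forms of the three FindBugs findings (hypothetical, not OFBiz code). */
public class LoginEventsFindings {

    // DM_CONVERT_CASE: case-fold identifiers with an explicit Locale, not the platform default.
    // Under a Turkish default locale "ADMIN".toLowerCase() yields a dotless i ("admın"), so a
    // lookup keyed on "admin" silently fails. Locale.ROOT behaves the same on every host.
    static String normalizeUserLoginId(String raw) {
        return raw.trim().toLowerCase(Locale.ROOT);
    }

    // DMI_INVOKING_TOSTRING_ON_ARRAY: log the array's contents, not its identity hash.
    // cookies.toString() gives something like "[Ljava.lang.String;@1b6d3586"; Arrays.toString
    // gives the element list, which is what a log line needs.
    static String describeCookieNames(String[] cookieNames) {
        return Arrays.toString(cookieNames);
    }

    // HRS_REQUEST_PARAMETER_TO_COOKIE: allow-list the request parameter before it reaches a
    // Set-Cookie header. Even where the container rejects CR/LF, the value also reaches logs,
    // templates and later requests, so constrain it to what a login id can legitimately contain.
    // The character set and length here are assumptions for the example.
    private static final Pattern SAFE_USERNAME = Pattern.compile("[A-Za-z0-9._@-]{1,64}");

    static Optional<String> usernameForCookie(String requestParam) {
        if (requestParam == null) {
            return Optional.empty();
        }
        String candidate = normalizeUserLoginId(requestParam);
        return SAFE_USERNAME.matcher(candidate).matches()
                ? Optional.of(candidate)
                : Optional.empty();   // reject rather than "clean up" an unexpected value
    }

    public static void main(String[] args) {
        Locale.setDefault(new Locale("tr", "TR"));  // simulate a Turkish-locale host
        System.out.println("ADMIN".toLowerCase() + " vs " + normalizeUserLoginId("ADMIN"));
        System.out.println(describeCookieNames(new String[] {"OFBiz.username", "JSESSIONID"}));
        System.out.println(usernameForCookie("flexadmin"));                  // accepted
        System.out.println(usernameForCookie("admin\r\nSet-Cookie: x=1"));   // rejected
    }
}
```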
