[ https://issues.apache.org/jira/browse/OFBIZ-9637?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Brohl reassigned OFBIZ-9637:
------------------------------------

    Assignee: Michael Brohl

> [FB] Package org.apache.ofbiz.securityext.login
> -----------------------------------------------
>
>                 Key: OFBIZ-9637
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9637
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: securityext
>    Affects Versions: Trunk
>            Reporter: Dennis Balkir
>            Assignee: Michael Brohl
>            Priority: Minor
>         Attachments: OFBIZ-9637_org.apache.ofbiz.securityext_bugfixes.patch
>
>
> - LoginEvents.java:88, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.securityext.login.LoginEvents.saveEntryParams(HttpServletRequest,
> HttpServletResponse)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> - LoginEvents.java:162, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.securityext.login.LoginEvents.showPasswordHint(HttpServletRequest,
> HttpServletResponse)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> - LoginEvents.java:222, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.securityext.login.LoginEvents.emailPassword(HttpServletRequest,
> HttpServletResponse)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> - LoginEvents.java:417, DMI_INVOKING_TOSTRING_ON_ARRAY
> USELESS_STRING: Invocation of toString on cookies in
> org.apache.ofbiz.securityext.login.LoginEvents.getUsername(HttpServletRequest)
> The code invokes toString on an array, which will generate a fairly useless
> result such as [C@16f0472. Consider using Arrays.toString to convert the
> array into a readable String that gives the contents of the array. See
> Programming Puzzlers, chapter 3, puzzle 12.
> - LoginEvents.java:437, HRS_REQUEST_PARAMETER_TO_COOKIE
> HRS: HTTP cookie formed from untrusted input in
> org.apache.ofbiz.securityext.login.LoginEvents.setUsername(HttpServletRequest,
> HttpServletResponse)
> This code constructs an HTTP Cookie using an untrusted HTTP parameter. If
> this cookie is added to an HTTP response, it will allow a HTTP response
> splitting vulnerability. See
> http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.
> FindBugs looks only for the most blatant, obvious cases of HTTP response
> splitting. If FindBugs found any, you almost certainly have more
> vulnerabilities that FindBugs doesn't report. If you are concerned about HTTP
> response splitting, you should seriously consider using a commercial static
> analysis or pen-testing tool.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
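An added Java example, not part of the issue, the attached patch or OFBiz's own code, illustrating why two of the finding classes quoted above matter in a login flow and one defensive fix for each: DM_CONVERT_CASE (a user identifier folded with the JVM's default locale compares differently on a Turkish-locale server than on an English one, so a lookup can miss or match the wrong account) and HRS_REQUEST_PARAMETER_TO_COOKIE (a request parameter is only echoed into a Set-Cookie header after it has been checked against a strict character allow-list). The class name `LoginInputHygiene`, the `SAFE_COOKIE_VALUE` pattern, and the sample values are assumptions made for this example; they are not the character set OFBiz enforces for user logins.

```java
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Added example (not OFBiz code): demonstrates the two FindBugs finding
 * classes DM_CONVERT_CASE and HRS_REQUEST_PARAMETER_TO_COOKIE on plain
 * strings, without depending on the servlet API.
 */
public final class LoginInputHygiene {

    // Constructed sample: a user id as stored in upper case.
    static final String SAMPLE_USER_ID = "ADMIN";

    /**
     * DM_CONVERT_CASE, the defect: String.toLowerCase() uses the JVM's
     * default locale. Passing the locale explicitly here only simulates
     * running on a server whose default locale is `simulatedDefault`.
     * Under tr-TR, "I" folds to dotless "i" (U+0131), so "ADMIN" no longer
     * equals "admin".
     */
    static String foldWithDefaultLocale(String s, Locale simulatedDefault) {
        return s.toLowerCase(simulatedDefault);
    }

    /** DM_CONVERT_CASE, the fix: pin the locale so identifiers fold the same on every JVM. */
    static String foldForLookup(String s) {
        return s.toLowerCase(Locale.ROOT);
    }

    /**
     * HRS_REQUEST_PARAMETER_TO_COOKIE, the fix: accept only values that
     * cannot carry header structure (CR, LF, ';', ',', '"', whitespace or
     * control characters are all outside this set). The allowed set is an
     * assumption for this example, not OFBiz's user-login rules.
     */
    private static final Pattern SAFE_COOKIE_VALUE =
            Pattern.compile("[A-Za-z0-9._@-]{1,64}");

    static boolean isSafeCookieValue(String candidate) {
        return candidate != null && SAFE_COOKIE_VALUE.matcher(candidate).matches();
    }

    /**
     * Returns the value that may be placed in a cookie, or null when the
     * untrusted parameter must be rejected instead of echoed into a
     * response header. A caller would only construct the Cookie when the
     * result is non-null.
     */
    static String cookieValueOrNull(String untrustedParam) {
        return isSafeCookieValue(untrustedParam) ? untrustedParam : null;
    }

    public static void main(String[] args) {
        Locale turkish = Locale.forLanguageTag("tr-TR");
        String tr = foldWithDefaultLocale(SAMPLE_USER_ID, turkish);
        String root = foldForLookup(SAMPLE_USER_ID);
        System.out.println("tr-TR default locale: " + tr + " equals \"admin\"? " + tr.equals("admin"));
        System.out.println("Locale.ROOT:          " + root + " equals \"admin\"? " + root.equals("admin"));

        // Constructed input containing the CRLF sequence that response
        // splitting depends on; the allow-list rejects it outright.
        String withCrlf = "alice\r\nX-Injected: 1";
        System.out.println("plain value accepted: " + (cookieValueOrNull("alice") != null));
        System.out.println("CRLF value accepted:  " + (cookieValueOrNull(withCrlf) != null));
    }
}
```

Running `main` prints that the Turkish-locale fold yields a string that does not equal "admin" while the `Locale.ROOT` fold does, and that the plain value is accepted while the CRLF-bearing one is rejected. Rejecting rather than sanitizing is the design choice here: stripping CR/LF still leaves other separator characters in the value, whereas an allow-list fails closed on anything unexpected.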