ofbiz-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-6973) Flaw in content wrapper cache handling with encoderType
Date Sat, 02 Apr 2016 09:24:25 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-6973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15222817#comment-15222817
] 

Jacques Le Roux commented on OFBIZ-6973:
----------------------------------------

Hi Wai,

This is a very interesting remark, please open a new Jira, we need other bug fixes indeed!

> Flaw in content wrapper cache handling with encoderType
> -------------------------------------------------------
>
>                 Key: OFBIZ-6973
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6973
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL APPLICATIONS
>    Affects Versions: Release Branch 14.12
>            Reporter: P Proulx
>            Assignee: Jacques Le Roux
>             Fix For: 14.12.01, Upcoming Branch, 15.12.01
>
>
> In Ofbiz 14.12 branch there is a flaw in the patches added in ticket
> https://issues.apache.org/jira/browse/OFBIZ-6669
> In ProductContentWrapper#getProductContentAsText and all similar content wrappers using
a cache, the cacheKey does not include the new encoderType:
> {code}
>             String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR +
mimeTypeId + SEPARATOR + product.get("productId");
> {code}
> This makes it possible for subsequent calls on the same wrapper using different encoderTypes
to return content having the wrong encoding and create potential security flaws.
> The key should include the encoderType:
> {code}
>                 String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR
+ mimeTypeId + SEPARATOR + product.get("productId")  + SEPARATOR + encoderType;
> {code}
> I leave you to find all the occurrences.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message