ofbiz-notifications mailing list archives

From "Dennis Balkir (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (OFBIZ-9633) [FB] Package org.apache.ofbiz.common.qrcode
Date Fri, 25 Aug 2017 13:31:00 GMT

     [ https://issues.apache.org/jira/browse/OFBIZ-9633?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Dennis Balkir updated OFBIZ-9633:
    Attachment: OFBIZ-9633_org.apache.ofbiz.common.qrcode_bugfixes.patch

- Diamond Operators fixed

class QRCodeEvents:
- Line 51: removed unnecessary casting from {{HttpServletRequest}} to {{HttpServletRequest}}
- Line 76: removed unnecessary null check

class QRCodeServices:
- Lines 77, 79: made parameters private to prevent the vulnerability and external code violations
- Line 75: made {{defaultLogoImage}} a final parameter
- refactored the declaration of {{defaultLogoImage}} so that it can be made a final parameter
- Line 258: added a default Locale to {{toLowerCase}}

> [FB] Package org.apache.ofbiz.common.qrcode
> -------------------------------------------
>                 Key: OFBIZ-9633
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9633
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Dennis Balkir
>            Priority: Minor
>         Attachments: OFBIZ-9633_org.apache.ofbiz.common.qrcode_bugfixes.patch
> RCN: Redundant nullcheck of mimeType, which is known to be non-null in org.apache.ofbiz.common.qrcode.QRCodeEvents.serveQRCodeImage(HttpServletRequest,
> This method contains a redundant check of a known non-null value against the constant
> - QRCodeServices.java:77, MS_PKGPROTECT
> MS: org.apache.ofbiz.common.qrcode.QRCodeServices.FORMAT_NAMES should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could
> be made package protected to avoid this vulnerability.
> Field is a mutable collection which should be package protected
> A mutable collection instance is assigned to a final static field, thus can be changed
> by malicious code or by accident from another package. The field could be made package protected
> to avoid this vulnerability. Alternatively you may wrap this field into Collections.unmodifiableSet/List/Map/etc.
> to avoid this vulnerability.
> MS: org.apache.ofbiz.common.qrcode.QRCodeServices.defaultLogoImage isn't final but should
> be refactored to be so
> This static field is public but not final, and could be changed by malicious code or by
> accident from another package. The field could be made final to avoid this vulnerability.
> However, the static initializer contains more than one write to the field, so doing so will
> require some refactoring.
> - QRCodeServices.java:252, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.common.qrcode.QRCodeServices.toBufferedImage(BitMatrix,
> A String is being converted to upper or lowercase, using the platform's default encoding.
> This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
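As an added illustration (not OFBiz code and not the attached patch), a constructed Java class showing the three FindBugs findings quoted above beside the shape of fix the update comment describes: a private, unmodifiable FORMAT_NAMES, a defaultLogoImage whose conditional initialisation is moved into a helper so the field can be final, and toLowerCase given an explicit Locale. The set contents, the logo path and the qrcode.logo property are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class QrCodeStaticsExample {
    // Before: the shapes FindBugs flags (MS_PKGPROTECT, non-final public static).
    // Field values and paths are constructed; the page does not show the real ones.
    static class Before {
        public static final Set<String> FORMAT_NAMES =
                new HashSet<>(Arrays.asList("jpg", "png", "gif"));
        public static String defaultLogoImage;              // public and not final
        static {
            defaultLogoImage = "images/default-logo.png";   // first write
            String configured = System.getProperty("qrcode.logo");
            if (configured != null) {
                defaultLogoImage = configured;              // second write blocks 'final'
            }
        }
    }

    // After: private, unmodifiable, and assigned exactly once.
    static class After {
        private static final Set<String> FORMAT_NAMES = Collections.unmodifiableSet(
                new HashSet<>(Arrays.asList("jpg", "png", "gif")));
        // The conditional logic moves into a helper so the field has a single assignment.
        private static final String DEFAULT_LOGO_IMAGE = resolveDefaultLogo();

        private static String resolveDefaultLogo() {
            String configured = System.getProperty("qrcode.logo");
            return configured != null ? configured : "images/default-logo.png";
        }

        // DM_CONVERT_CASE fix: an explicit Locale makes the lookup platform-independent.
        static boolean isSupportedFormat(String format) {
            return FORMAT_NAMES.contains(format.toLowerCase(Locale.ROOT));
        }
        static String defaultLogoImage() { return DEFAULT_LOGO_IMAGE; }
    }

    public static void main(String[] args) {
        Before.FORMAT_NAMES.add("svg");                 // compiles from any package
        Before.defaultLogoImage = "somewhere/else.png"; // so does this
        // Why the Locale matters: Turkish lower-cases "I" to dotless "ı" (U+0131).
        Locale turkish = Locale.forLanguageTag("tr");
        System.out.println("GIF".toLowerCase(turkish));    // gıf, not in FORMAT_NAMES
        System.out.println(After.isSupportedFormat("GIF")); // true on every platform
    }
}
```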

This message was sent by Atlassian JIRA
