ofbiz-notifications mailing list archives

From "Michael Brohl (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (OFBIZ-9637) [FB] Package org.apache.ofbiz.securityext.login
Date Sat, 07 Oct 2017 14:21:01 GMT

     [ https://issues.apache.org/jira/browse/OFBIZ-9637?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Brohl closed OFBIZ-9637.
--------------------------------
       Resolution: Implemented
    Fix Version/s: Upcoming Release

Thanks Dennis,

your patch is in trunk r1811430.


> [FB] Package org.apache.ofbiz.securityext.login
> -----------------------------------------------
>
>                 Key: OFBIZ-9637
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9637
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: securityext
>    Affects Versions: Trunk
>            Reporter: Dennis Balkir
>            Assignee: Michael Brohl
>            Priority: Minor
>             Fix For: Upcoming Release
>
>         Attachments: OFBIZ-9637_org.apache.ofbiz.securityext_bugfixes.patch
>
>
> - LoginEvents.java:88, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.securityext.login.LoginEvents.saveEntryParams(HttpServletRequest, HttpServletResponse)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> - LoginEvents.java:162, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.securityext.login.LoginEvents.showPasswordHint(HttpServletRequest, HttpServletResponse)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> - LoginEvents.java:222, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.securityext.login.LoginEvents.emailPassword(HttpServletRequest, HttpServletResponse)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
> - LoginEvents.java:417, DMI_INVOKING_TOSTRING_ON_ARRAY
> USELESS_STRING: Invocation of toString on cookies in org.apache.ofbiz.securityext.login.LoginEvents.getUsername(HttpServletRequest)
> The code invokes toString on an array, which will generate a fairly useless result such as [C@16f0472. Consider using Arrays.toString to convert the array into a readable String that gives the contents of the array. See Programming Puzzlers, chapter 3, puzzle 12.
> - LoginEvents.java:437, HRS_REQUEST_PARAMETER_TO_COOKIE
> HRS: HTTP cookie formed from untrusted input in org.apache.ofbiz.securityext.login.LoginEvents.setUsername(HttpServletRequest, HttpServletResponse)
> This code constructs an HTTP Cookie using an untrusted HTTP parameter. If this cookie is added to an HTTP response, it will allow an HTTP response splitting vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.
> FindBugs looks only for the most blatant, obvious cases of HTTP response splitting. If FindBugs found any, you almost certainly have more vulnerabilities that FindBugs doesn't report. If you are concerned about HTTP response splitting, you should seriously consider using a commercial static analysis or pen-testing tool.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
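The three FindBugs patterns quoted in the issue above, shown side by side in plain Java as an added illustration for this archive page (this is not OFBiz code and not the attached patch; the class and method names are made up): the locale-dependent case conversion behind DM_CONVERT_CASE, the array `toString()` behind DMI_INVOKING_TOSTRING_ON_ARRAY, and a whitelist check that a request parameter is a valid RFC 6265 cookie value before it would be handed to `response.addCookie(...)`, which is the defensive counterpart of HRS_REQUEST_PARAMETER_TO_COOKIE. The array of cookie names and the rejected value are constructed sample data.

```java
import java.util.Arrays;
import java.util.Locale;

/** Added illustration for the FindBugs findings above; not OFBiz code. Names are hypothetical. */
public class LoginEventsFindingsDemo {

    /** Case conversion that does not depend on the JVM default locale (fix for DM_CONVERT_CASE). */
    static String normalizeUserLoginId(String raw) {
        // Locale.ROOT yields the same result on every server, whatever the OS or user locale.
        return raw.toLowerCase(Locale.ROOT);
    }

    /** The flagged form: the no-argument overload silently uses the platform default locale. */
    static String lowerWithDefaultLocale(String raw) {
        return raw.toLowerCase();
    }

    /** RFC 6265 cookie-octet: printable US-ASCII minus CTLs, space, DQUOTE, comma, semicolon, backslash. */
    static boolean isCookieOctet(char c) {
        return c == 0x21 || (c >= 0x23 && c <= 0x2B) || (c >= 0x2D && c <= 0x3A)
                || (c >= 0x3C && c <= 0x5B) || (c >= 0x5D && c <= 0x7E);
    }

    /**
     * Validates an untrusted request parameter before it is used as a cookie value
     * (HRS_REQUEST_PARAMETER_TO_COOKIE). CR and LF are control characters, so they fail
     * the cookie-octet test along with everything else a Set-Cookie header cannot carry.
     */
    static String requireCookieValue(String untrusted, int maxLength) {
        if (untrusted == null || untrusted.isEmpty() || untrusted.length() > maxLength) {
            throw new IllegalArgumentException("cookie value missing or longer than " + maxLength);
        }
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (!isCookieOctet(c)) {
                throw new IllegalArgumentException(String.format(
                        "character U+%04X not allowed in a cookie value (index %d)", (int) c, i));
            }
        }
        return untrusted;
    }

    public static void main(String[] args) {
        // DM_CONVERT_CASE: simulate a server whose default locale is Turkish, where
        // upper-case I lower-cases to dotless i (U+0131) instead of ASCII i.
        Locale saved = Locale.getDefault();
        Locale.setDefault(Locale.forLanguageTag("tr"));
        try {
            System.out.println("default locale : " + lowerWithDefaultLocale("ADMIN")); // admın
            System.out.println("Locale.ROOT    : " + normalizeUserLoginId("ADMIN"));   // admin
        } finally {
            Locale.setDefault(saved);
        }

        // DMI_INVOKING_TOSTRING_ON_ARRAY: constructed stand-in for request.getCookies()
        String[] cookieNames = {"JSESSIONID", "sampleCookie"};
        System.out.println("array.toString(): " + cookieNames.toString());       // [Ljava.lang.String;@...
        System.out.println("Arrays.toString : " + Arrays.toString(cookieNames)); // [JSESSIONID, sampleCookie]

        // HRS_REQUEST_PARAMETER_TO_COOKIE: validate before the value reaches a Set-Cookie header
        System.out.println("accepted: " + requireCookieValue("alice", 64));
        try {
            requireCookieValue("alice\r\n", 64); // constructed value carrying CR LF
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it with `java LoginEventsFindingsDemo.java` on JDK 11 or later. The whitelist is deliberately stricter than a blacklist of CR and LF: a value that satisfies the RFC 6265 grammar cannot terminate or extend the header, and the check stays correct regardless of how the servlet container of the day treats control characters.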
