Author: jleroux
Date: Fri Apr  1 20:35:04 2016
New Revision: 1737442

URL: http://svn.apache.org/viewvc?rev=1737442&view=rev
Log:
"Applied fix from trunk for revision: 1737440" (conflicts handled by hand: ProductConfigItemContentWrapper.java and CategoryContentWrapper.java have no cacheKey)
------------------------------------------------------------------------
r1737440 | jleroux | 2016-04-01 22:27:13 +0200 (ven. 01 avr. 2016) | 11 lignes

Fixes a possible security issue reported by Pascal Proulx at 
https://issues.apache.org/jira/browse/OFBIZ-6973 : "Flaw in content wrapper 
cache handling with encoderType"

In ProductContentWrapper#getProductContentAsText and all similar content 
wrappers using a cache, the cacheKey does not include the new encoderType:
    String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId");

This makes it possible for subsequent calls on the same wrapper using different 
encoderTypes to return content having the wrong encoding and create potential 
security flaws.

The key should include the encoderType:
    String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId") + SEPARATOR + encoderType;

jleroux: I fixed all possible such occurrences (i.e. when encoderType is used)
------------------------------------------------------------------------
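The cache-key flaw described in the log, as an added example that is not OFBiz code: a small Python model of a content wrapper keyed the old way (without encoderType) and the fixed way. The encoder names, the sample product and the no-op "string" encoder are constructed stand-ins, not the project's real UtilCodec encoders.

```python
import html
import urllib.parse

SEPARATOR = "::"

# Constructed stand-ins for the per-encoderType encoders a wrapper selects.
ENCODERS = {
    "html": html.escape,            # safe for an HTML context
    "url": urllib.parse.quote,      # safe for a URL component
    "string": lambda s: s,          # no encoding at all (constructed)
}

# Constructed sample content: (productId, contentTypeId, locale) -> raw text.
RAW_CONTENT = {
    ("GZ-1000", "DESCRIPTION", "en"): "<b>Giant</b> gizmo & more",
}


class ContentWrapper:
    """Models getProductContentAsText with a per-wrapper cache."""

    def __init__(self, key_includes_encoder):
        self.cache = {}
        self.key_includes_encoder = key_includes_encoder

    def get_content_as_text(self, product_id, content_type_id, locale,
                            mime_type_id, encoder_type):
        parts = [content_type_id, locale, mime_type_id, product_id]
        if self.key_includes_encoder:      # the fix: encoderType is part of the key
            parts.append(encoder_type)
        cache_key = SEPARATOR.join(parts)
        cached = self.cache.get(cache_key)
        if cached is not None:
            return cached                  # may carry another caller's encoding
        raw = RAW_CONTENT.get((product_id, content_type_id, locale), "")
        encoded = ENCODERS[encoder_type](raw)
        self.cache[cache_key] = encoded
        return encoded


def demo(key_includes_encoder):
    """Same product, two callers: first unencoded, then for an HTML context."""
    w = ContentWrapper(key_includes_encoder)
    first = w.get_content_as_text("GZ-1000", "DESCRIPTION", "en", "text/html", "string")
    second = w.get_content_as_text("GZ-1000", "DESCRIPTION", "en", "text/html", "html")
    return first, second
```

With the old key the second (HTML-context) caller receives the raw markup cached by the first; with encoderType in the key it receives the escaped text.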

Modified:
    ofbiz/branches/release14.12/   (props changed)
    ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/order/OrderContentWrapper.java
    ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductContentWrapper.java
    ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductPromoContentWrapper.java

Propchange: ofbiz/branches/release14.12/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Apr  1 20:35:04 2016

Modified: 
ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/order/OrderContentWrapper.java
URL: 
http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/order/OrderContentWrapper.java?rev=1737442&r1=1737441&r2=1737442&view=diff
==============================================================================
--- 
ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/order/OrderContentWrapper.java
 (original)
+++ 
ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/order/OrderContentWrapper.java
 Fri Apr  1 20:35:04 2016
@@ -97,7 +97,7 @@ public class OrderContentWrapper impleme
 
         String orderItemSeqId = (order.getEntityName().equals("OrderItem")? 
order.getString("orderItemSeqId"): "_NA_");
 
-        String cacheKey = orderContentTypeId + SEPARATOR + locale + SEPARATOR 
+ mimeTypeId + SEPARATOR + order.get("orderId") + SEPARATOR + orderItemSeqId;
+        String cacheKey = orderContentTypeId + SEPARATOR + locale + SEPARATOR 
+ mimeTypeId + SEPARATOR + order.get("orderId") + SEPARATOR + orderItemSeqId + 
SEPARATOR + encoderType;
         try {
             String cachedValue = orderContentCache.get(cacheKey);
             if (cachedValue != null) {
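Review bot: if encoderType can be null when this method is reached, Java string concatenation writes the literal "null" into cacheKey on the new line, so a caller passing null and a caller passing the default encoder name get two cache entries for identical content (harmless for correctness, wasteful for the cache); normalize encoderType to its default before building the key if null is a legal input here.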

Modified: 
ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductContentWrapper.java
URL: 
http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductContentWrapper.java?rev=1737442&r1=1737441&r2=1737442&view=diff
==============================================================================
--- 
ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductContentWrapper.java
 (original)
+++ 
ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductContentWrapper.java
 Fri Apr  1 20:35:04 2016
@@ -108,7 +108,7 @@ public class ProductContentWrapper imple
         /* caching: there is one cache created, "product.content"  Each 
product's content is cached with a key of
          * contentTypeId::locale::mimeType::productId, or whatever the 
SEPARATOR is defined above to be.
          */
-        String cacheKey = productContentTypeId + SEPARATOR + locale + 
SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId");
+        String cacheKey = productContentTypeId + SEPARATOR + locale + 
SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId") + SEPARATOR + 
encoderType;
         try {
             String cachedValue = productContentCache.get(cacheKey);
             if (cachedValue != null) {
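Review bot: the comment directly above the changed line still documents the key as contentTypeId::locale::mimeType::productId; update it to contentTypeId::locale::mimeType::productId::encoderType so the documented layout matches the key actually built.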

Modified: 
ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductPromoContentWrapper.java
URL: 
http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductPromoContentWrapper.java?rev=1737442&r1=1737441&r2=1737442&view=diff
==============================================================================
--- 
ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductPromoContentWrapper.java
 (original)
+++ 
ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductPromoContentWrapper.java
 Fri Apr  1 20:35:04 2016
@@ -112,7 +112,7 @@ public class ProductPromoContentWrapper
         /* caching: there is one cache created, "product.promo.content"  Each 
productPromo's content is cached with a key of
          * contentTypeId::locale::mimeType::productPromoId, or whatever the 
SEPARATOR is defined above to be.
          */
-        String cacheKey = productPromoContentTypeId + SEPARATOR + locale + 
SEPARATOR + mimeTypeId + SEPARATOR + productPromo.get("productPromoId");
+        String cacheKey = productPromoContentTypeId + SEPARATOR + locale + 
SEPARATOR + mimeTypeId + SEPARATOR + productPromo.get("productPromoId") + 
SEPARATOR + encoderType;
         try {
             String cachedValue = productPromoContentCache.get(cacheKey);
             if (cachedValue != null) {
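Review bot: same stale comment here, "contentTypeId::locale::mimeType::productPromoId" should now read "contentTypeId::locale::mimeType::productPromoId::encoderType"; a regression test that calls the wrapper twice for one productPromoId with two different encoderType values and asserts the two results are encoded differently would lock in this fix across all three wrappers.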

