P Proulx created OFBIZ-6973:
-------------------------------
Summary: Flaw in content wrapper cache handling with encoderType
Key: OFBIZ-6973
URL: https://issues.apache.org/jira/browse/OFBIZ-6973
Project: OFBiz
Issue Type: Bug
Components: ALL APPLICATIONS
Affects Versions: Release Branch 14.12
Reporter: P Proulx
In the OFBiz 14.12 branch there is a flaw in the patches added in ticket
https://issues.apache.org/jira/browse/OFBIZ-6669
In ProductContentWrapper#getProductContentAsText and all similar content
wrappers using a cache, the cacheKey does not include the new encoderType:
{{{
String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR
        + mimeTypeId + SEPARATOR + product.get("productId");
}}}
This makes it possible for subsequent calls on the same wrapper using different
encoderTypes to return content having the wrong encoding and create potential
security flaws.
They should include the encoderType:
{{{
String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR
        + mimeTypeId + SEPARATOR + product.get("productId") + SEPARATOR
        + encoderType;
}}}
I leave you to find all the occurrences.
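The cache collision described in the report, reproduced as an added, self-contained example (this is not OFBiz code). The class `EncoderCacheKeyDemo`, the `getContentAsText` signature and the `html`/`raw` encoder names are hypothetical stand-ins; only the two cache key shapes come from the ticket.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.UnaryOperator;

// Added illustration, not OFBiz code. Class, method and encoder names are hypothetical.
public class EncoderCacheKeyDemo {
    static final String SEPARATOR = "::";

    // Stand-ins for the encoders selected by encoderType
    // (assumption: "html" escapes markup, "raw" returns the text unchanged).
    static final Map<String, UnaryOperator<String>> ENCODERS = Map.of(
        "html", s -> s.replace("&", "&amp;").replace("<", "&lt;")
                      .replace(">", "&gt;").replace("\"", "&quot;"),
        "raw", s -> s);

    private final Map<String, String> cache = new HashMap<>();
    private final boolean keyIncludesEncoder;

    EncoderCacheKeyDemo(boolean keyIncludesEncoder) {
        this.keyIncludesEncoder = keyIncludesEncoder;
    }

    String getContentAsText(String productId, String contentTypeId, String locale,
                            String mimeTypeId, String encoderType, String stored) {
        String cacheKey = contentTypeId + SEPARATOR + locale + SEPARATOR
                + mimeTypeId + SEPARATOR + productId;
        if (keyIncludesEncoder) {
            cacheKey += SEPARATOR + encoderType; // the change proposed in the report
        }
        // The cached value is already encoded, so the key must identify the encoder used.
        return cache.computeIfAbsent(cacheKey, k -> ENCODERS.get(encoderType).apply(stored));
    }

    public static void main(String[] args) {
        String stored = "<b>Widget</b> & more"; // constructed sample content
        for (boolean fixed : new boolean[] {false, true}) {
            EncoderCacheKeyDemo wrapper = new EncoderCacheKeyDemo(fixed);
            // Same wrapper, same content, two different encoderTypes in sequence.
            String raw = wrapper.getContentAsText("P1", "DESCRIPTION", "en_US", "text/html", "raw", stored);
            String html = wrapper.getContentAsText("P1", "DESCRIPTION", "en_US", "text/html", "html", stored);
            System.out.println((fixed ? "key with encoderType:    " : "key without encoderType: ")
                    + "raw=" + raw + " | html=" + html);
        }
    }
}
```

With the original key, the second call is served the entry cached by the first, so the caller that asked for the `html` encoder receives unescaped text. With `encoderType` in the key, each encoder gets its own cache entry.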