[
https://issues.apache.org/jira/browse/OFBIZ-6973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacques Le Roux closed OFBIZ-6973.
----------------------------------
Resolution: Fixed
Fix Version/s: 15.12.01
Upcoming Branch
14.12.01
Thanks Pascal,
Well spotted!
I fixed all possible such occurrences (ie when encoderType is used), in
trunk r1737440
R15.12 r1737441
R14.12 r1737442 (conflicts handled by hand:
ProductConfigItemContentWrapper.java and CategoryContentWrapper.java have no
cacheKey)
Older versions are not concerned
> Flaw in content wrapper cache handling with encoderType
> -------------------------------------------------------
>
> Key: OFBIZ-6973
> URL: https://issues.apache.org/jira/browse/OFBIZ-6973
> Project: OFBiz
> Issue Type: Bug
> Components: ALL APPLICATIONS
> Affects Versions: Release Branch 14.12
> Reporter: P Proulx
> Assignee: Jacques Le Roux
> Fix For: 14.12.01, Upcoming Branch, 15.12.01
>
>
> In Ofbiz 14.12 branch there is a flaw in the patches added in ticket
> https://issues.apache.org/jira/browse/OFBIZ-6669
> In ProductContentWrapper#getProductContentAsText and all similar content
> wrappers using a cache, the cacheKey does not include the new encoderType:
> {code}
> String cacheKey = productContentTypeId + SEPARATOR + locale +
> SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId");
> {code}
> This makes it possible for subsequent calls on the same wrapper using
> different encoderTypes to return content having the wrong encoding and create
> potential security flaws.
> The key should include the encoderType:
> {code}
> String cacheKey = productContentTypeId + SEPARATOR + locale +
> SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId") + SEPARATOR +
> encoderType;
> {code}
> I leave you to find all the occurrences.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
