[jira] [Comment Edited] (OFBIZ-6973) Flaw in content wrapper cache handling with encoderType

Fri, 01 Apr 2016 20:20:51 -0700 

    [ 
https://issues.apache.org/jira/browse/OFBIZ-6973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15222675#comment-15222675
 ] 

Wai edited comment on OFBIZ-6973 at 4/2/16 3:19 AM:
----------------------------------------------------

Since this cache is a static variable in ProductPromoContentWrapper, 
ProductContentWrapper
ProductConfigItemContentWrapper, CategoryContentWrapper, OrderContentWrapper. I 
think it would be useful to include the tenantId as well.  Since in multitenant 
mode all tenants would be using the same cache.

Come to think of it, this should be applied to all classes that define a static 
UtilCache.

Pascal Proulx, Jacque Leroux:
Should I create a report for this?



was (Author: wt):
Since this cache is a static variable in ProductPromoContentWrapper, 
ProductContentWrapper
ProductConfigItemContentWrapper, CategoryContentWrapper, OrderContentWrapper. I 
think it would be useful to include the tenantId as well.  Since in multitenant 
mode all tenants would be using the same cache.

Come to think of it, this should be applied to all classes that define a static 
UtilCache.

Jacque Leroux:
Should I create a report for this?


> Flaw in content wrapper cache handling with encoderType
> -------------------------------------------------------
>
>                 Key: OFBIZ-6973
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6973
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL APPLICATIONS
>    Affects Versions: Release Branch 14.12
>            Reporter: P Proulx
>            Assignee: Jacques Le Roux
>             Fix For: 14.12.01, Upcoming Branch, 15.12.01
>
>
> In Ofbiz 14.12 branch there is a flaw in the patches added in ticket
> https://issues.apache.org/jira/browse/OFBIZ-6669
> In ProductContentWrapper#getProductContentAsText and all similar content 
> wrappers using a cache, the cacheKey does not include the new encoderType:
> {code}
>             String cacheKey = productContentTypeId + SEPARATOR + locale + 
> SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId");
> {code}
> This makes it possible for subsequent calls on the same wrapper using 
> different encoderTypes to return content having the wrong encoding and create 
> potential security flaws.
> The key should include the encoderType:
> {code}
>                 String cacheKey = productContentTypeId + SEPARATOR + locale + 
> SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId")  + SEPARATOR + 
> encoderType;
> {code}
> I leave you to find all the occurrences.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to