[ https://issues.apache.org/jira/browse/OFBIZ-9633?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dennis Balkir updated OFBIZ-9633:
---------------------------------
Attachment: OFBIZ-9633_org.apache.ofbiz.common.qrcode_bugfixes.patch
- Diamond Operators fixed
class QRCodeEvents:
- Line 51: removed unnecessary casting from {{HttpServletRequest}} to {{HttpServletRequest}}
- Line 76: removed unnecessary nullcheck
class QRCodeServices:
- Line 77, 79: made parameters private to prevent vulnerability and external code violation
- Line 75: made {{defaultLogoImage}} a final parameter
- refactored the declaration of {{defaultLogoImage}} so that it can be made a final parameter
- Line 258: added a default Locale to {{toLowerCase}}
> [FB] Package org.apache.ofbiz.common.qrcode
> -------------------------------------------
>
> Key: OFBIZ-9633
> URL: https://issues.apache.org/jira/browse/OFBIZ-9633
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Dennis Balkir
> Priority: Minor
> Attachments: OFBIZ-9633_org.apache.ofbiz.common.qrcode_bugfixes.patch
>
>
> - QRCodeEvents.java:76, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of mimeType, which is known to be non-null in
> org.apache.ofbiz.common.qrcode.QRCodeEvents.serveQRCodeImage(HttpServletRequest,
> HttpServletResponse)
> This method contains a redundant check of a known non-null value against the
> constant null.
> - QRCodeServices.java:77, MS_PKGPROTECT
> MS: org.apache.ofbiz.common.qrcode.QRCodeServices.FORMAT_NAMES should be
> package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> - QRCodeServices.java:79, MS_MUTABLE_COLLECTION_PKGPROTECT
> Field is a mutable collection which should be package protected
> A mutable collection instance is assigned to a final static field, thus can
> be changed by malicious code or by accident from another package. The field
> could be made package protected to avoid this vulnerability. Alternatively
> you may wrap this field into Collections.unmodifiableSet/List/Map/etc. to
> avoid this vulnerability.
> - QRCodeServices.java:93, MS_SHOULD_BE_REFACTORED_TO_BE_FINAL
> MS: org.apache.ofbiz.common.qrcode.QRCodeServices.defaultLogoImage isn't
> final but should be refactored to be so
> This static field is public but not final, and could be changed by malicious
> code or by accident from another package. The field could be made final to
> avoid this vulnerability. However, the static initializer contains more than
> one write to the field, so doing so will require some refactoring.
> - QRCodeServices.java:252, DM_CONVERT_CASE
> Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in
> org.apache.ofbiz.common.qrcode.QRCodeServices.toBufferedImage(BitMatrix,
> String)
> A String is being converted to upper or lowercase, using the platform's
> default encoding. This may result in improper conversions when used with
> international characters. Use the
> String.toUpperCase( Locale l )
> String.toLowerCase( Locale l )
> versions instead.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
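An added illustration of the MS_PKGPROTECT / MS_MUTABLE_COLLECTION_PKGPROTECT and DM_CONVERT_CASE findings quoted above; it is written for this page, not taken from OFBiz. The hypothetical FormatNamesDemo class puts the exposed mutable set beside an unmodifiable view, and default-locale toLowerCase beside Locale.ROOT; the format names and the Turkish default locale are constructed sample values.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical stand-in for QRCodeServices (not the OFBiz code): the shape
// FindBugs flags and the hardened shape side by side.
public class FormatNamesDemo {
    // Before: final only pins the reference; the HashSet behind it is still
    // mutable, so code in any package can add or remove entries.
    public static final Set<String> FORMAT_NAMES_EXPOSED =
            new HashSet<>(Arrays.asList("PNG", "JPG", "GIF", "BMP"));

    // After: the backing set is private and the public view is read-only.
    private static final Set<String> FORMAT_NAMES_BACKING =
            new HashSet<>(Arrays.asList("PNG", "JPG", "GIF", "BMP"));
    public static final Set<String> FORMAT_NAMES =
            Collections.unmodifiableSet(FORMAT_NAMES_BACKING);

    // Before: default-locale case conversion (DM_CONVERT_CASE).
    static String normalizeDefaultLocale(String format) {
        return format.toLowerCase();
    }

    // After: a fixed locale, so "GIF" never becomes "g\u0131f" on a Turkish JVM.
    static String normalize(String format) {
        return format.toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // A write from "another package" against the exposed set succeeds.
        FORMAT_NAMES_EXPOSED.add("TIFF");
        System.out.println("exposed set now: " + FORMAT_NAMES_EXPOSED);
        try {
            FORMAT_NAMES.add("TIFF");
        } catch (UnsupportedOperationException e) {
            System.out.println("read-only view rejected the write");
        }
        Locale saved = Locale.getDefault();
        try {
            Locale.setDefault(new Locale("tr", "TR"));
            // Under a Turkish default locale "I" lowercases to dotless i, so
            // the unlocalized comparison fails while the Locale.ROOT one holds.
            System.out.println("default locale matches gif: " + normalizeDefaultLocale("GIF").equals("gif"));
            System.out.println("Locale.ROOT matches gif:    " + normalize("GIF").equals("gif"));
        } finally {
            Locale.setDefault(saved);
        }
    }
}
```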