[ https://issues.apache.org/jira/browse/OFBIZ-9815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Julian Leichert updated OFBIZ-9815:
-----------------------------------
Attachment: OFBIZ-9815_org.apache.ofbiz.content.webapp.ftl_bugfixes.patch
class CheckPermissionTransform
- line 56 : made field package protected to prevent changes by malicious code
class EditRenderSubContentCacheTransform
- line 52, 53 : made field package protected to prevent changes by malicious code
- line 162 : keySet to entrySet (better performance)
- line 171 : removed locale and used null as parameter instead (better visibility)
class InjectNodeTrailCsvTransform
- line 49, 50 : made field package protected to prevent changes by malicious code
- line 139 : "" to '' in indexOf (better performance)
class LimitedSubContentCacheTransform
- line 59, 60 : made field package protected to prevent changes by malicious code
- line 224 : removed locale and used null as parameter instead (better visibility)
class LoopSubContentTransform
- line 56, 57 : made field package protected to prevent changes by malicious code
class RenderContentAsText
- line 55, 56 : made field package protected to prevent changes by malicious code
class RenderSubContentCacheTransform
- line 55 : made field package protected to prevent changes by malicious code
- line 185 : changed null to "" to prevent NPE
class TraverseSubContentCacheTransform
- line 52, 53 : made field package protected to prevent changes by malicious code
- line 232 : contentIdStart = ""; in else to prevent NPE
class WrapSubContentCacheTransform
- line 52, 53 : made field package protected to prevent changes by malicious code
- line 174 : removed locale (see above)
> [FB] Package org.apache.ofbiz.content.webapp.ftl
> ------------------------------------------------
>
> Key: OFBIZ-9815
> URL: https://issues.apache.org/jira/browse/OFBIZ-9815
> Project: OFBiz
> Issue Type: Sub-task
> Components: content
> Affects Versions: Trunk
> Reporter: Julian Leichert
> Priority: Minor
> Attachments:
> OFBIZ-9815_org.apache.ofbiz.content.webapp.ftl_bugfixes.patch
>
>
> CheckPermissionTransform.java:56, MS_PKGPROTECT
> - MS:
> org.apache.ofbiz.content.webapp.ftl.CheckPermissionTransform.saveKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> CheckPermissionTransform.java:99, SIC_INNER_SHOULD_BE_STATIC_ANON
> - SIC: The class
> org.apache.ofbiz.content.webapp.ftl.CheckPermissionTransform$1 could be
> refactored into a named _static_ inner class
> This class is an inner class, but does not use its embedded reference to the
> object which created it. This reference makes the instances of the class
> larger, and may keep the reference to the creator object alive longer than
> necessary. If possible, the class should be made into a static inner class.
> Since anonymous inner classes cannot be marked as static, doing this will
> require refactoring the inner class so that it is a named inner class.
> EditRenderSubContentCacheTransform.java:52, MS_PKGPROTECT
> - MS:
> org.apache.ofbiz.content.webapp.ftl.EditRenderSubContentCacheTransform.saveKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> EditRenderSubContentCacheTransform.java:131, SIC_INNER_SHOULD_BE_STATIC_ANON
> - SIC: The class
> org.apache.ofbiz.content.webapp.ftl.EditRenderSubContentCacheTransform$1
> could be refactored into a named _static_ inner class
> This class is an inner class, but does not use its embedded reference to the
> object which created it. This reference makes the instances of the class
> larger, and may keep the reference to the creator object alive longer than
> necessary. If possible, the class should be made into a static inner class.
> Since anonymous inner classes cannot be marked as static, doing this will
> require refactoring the inner class so that it is a named inner class.
> EditRenderSubContentCacheTransform.java:163, WMI_WRONG_MAP_ITERATOR
> - WMI:
> org.apache.ofbiz.content.webapp.ftl.EditRenderSubContentCacheTransform$1.close()
> makes inefficient use of keySet iterator instead of entrySet iterator
> This method accesses the value of a Map entry, using a key that was retrieved
> from a keySet iterator. It is more efficient to use an iterator on the
> entrySet of the map, to avoid the Map.get(key) lookup.
> EditRenderSubContentCacheTransform.java:171, NP_LOAD_OF_KNOWN_NULL_VALUE
> - NP: Load of known null value in
> org.apache.ofbiz.content.webapp.ftl.EditRenderSubContentCacheTransform$1.close()
> The variable referenced at this point is known to be null due to an earlier
> check against null. Although this is valid, it might be a mistake (perhaps
> you intended to refer to a different variable, or perhaps the earlier check
> to see if the variable is null should have been a check to see if it was
> non-null).
> EditRenderSubContentTransform.java:163, SIC_INNER_SHOULD_BE_STATIC_ANON
> - SIC: The class
> org.apache.ofbiz.content.webapp.ftl.EditRenderSubContentTransform$1 could be
> refactored into a named _static_ inner class
> This class is an inner class, but does not use its embedded reference to the
> object which created it. This reference makes the instances of the class
> larger, and may keep the reference to the creator object alive longer than
> necessary. If possible, the class should be made into a static inner class.
> Since anonymous inner classes cannot be marked as static, doing this will
> require refactoring the inner class so that it is a named inner class.
> InjectNodeTrailCsvTransform.java:49, MS_PKGPROTECT
> - MS:
> org.apache.ofbiz.content.webapp.ftl.InjectNodeTrailCsvTransform.saveKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> InjectNodeTrailCsvTransform.java:50, MS_PKGPROTECT
> - MS:
> org.apache.ofbiz.content.webapp.ftl.InjectNodeTrailCsvTransform.removeKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> InjectNodeTrailCsvTransform.java:87, SIC_INNER_SHOULD_BE_STATIC_ANON
> - SIC: The class
> org.apache.ofbiz.content.webapp.ftl.InjectNodeTrailCsvTransform$1 could be
> refactored into a named _static_ inner class
> This class is an inner class, but does not use its embedded reference to the
> object which created it. This reference makes the instances of the class
> larger, and may keep the reference to the creator object alive longer than
> necessary. If possible, the class should be made into a static inner class.
> Since anonymous inner classes cannot be marked as static, doing this will
> require refactoring the inner class so that it is a named inner class.
> LimitedSubContentCacheTransform.java:59, MS_PKGPROTECT
> - MS:
> org.apache.ofbiz.content.webapp.ftl.LimitedSubContentCacheTransform.upSaveKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> LimitedSubContentCacheTransform.java:60, MS_PKGPROTECT
> - MS:
> org.apache.ofbiz.content.webapp.ftl.LimitedSubContentCacheTransform.saveKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> LimitedSubContentCacheTransform.java:156, SIC_INNER_SHOULD_BE_STATIC_ANON
> - SIC: The class
> org.apache.ofbiz.content.webapp.ftl.LimitedSubContentCacheTransform$1 could
> be refactored into a named _static_ inner class
> This class is an inner class, but does not use its embedded reference to the
> object which created it. This reference makes the instances of the class
> larger, and may keep the reference to the creator object alive longer than
> necessary. If possible, the class should be made into a static inner class.
> Since anonymous inner classes cannot be marked as static, doing this will
> require refactoring the inner class so that it is a named inner class.
> LimitedSubContentCacheTransform.java:226, DLS_DEAD_LOCAL_STORE
> - DLS: Dead store to locale in
> org.apache.ofbiz.content.webapp.ftl.LimitedSubContentCacheTransform$1.prepCtx(Delegator,
> Map, Environment, GenericValue)
> This instruction assigns a value to a local variable, but the value is not
> read or used in any subsequent instruction. Often, this indicates an error,
> because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local
> variables. Because FindBugs is a bytecode-based tool, there is no easy way to
> eliminate these false positives.
> LimitedSubContentCacheTransform.java:229, NP_LOAD_OF_KNOWN_NULL_VALUE
> - NP: Load of known null value in
> org.apache.ofbiz.content.webapp.ftl.LimitedSubContentCacheTransform$1.prepCtx(Delegator,
> Map, Environment, GenericValue)
> The variable referenced at this point is known to be null due to an earlier
> check against null. Although this is valid, it might be a mistake (perhaps
> you intended to refer to a different variable, or perhaps the earlier check
> to see if the variable is null should have been a check to see if it was
> non-null).
> LoopSubContentTransform.java:56, MS_PKGPROTECT
> - MS:
> org.apache.ofbiz.content.webapp.ftl.LoopSubContentTransform.saveKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> LoopSubContentTransform.java:57, MS_PKGPROTECT
> - MS:
> org.apache.ofbiz.content.webapp.ftl.LoopSubContentTransform.removeKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> LoopSubContentTransform.java:189, SIC_INNER_SHOULD_BE_STATIC_ANON
> - SIC: The class
> org.apache.ofbiz.content.webapp.ftl.LoopSubContentTransform$1 could be
> refactored into a named _static_ inner class
> This class is an inner class, but does not use its embedded reference to the
> object which created it. This reference makes the instances of the class
> larger, and may keep the reference to the creator object alive longer than
> necessary. If possible, the class should be made into a static inner class.
> Since anonymous inner classes cannot be marked as static, doing this will
> require refactoring the inner class so that it is a named inner class.
> RenderContentAndSubContent.java:61, SIC_INNER_SHOULD_BE_STATIC_ANON
> - SIC: The class
> org.apache.ofbiz.content.webapp.ftl.RenderContentAndSubContent$1 could be
> refactored into a named _static_ inner class
> This class is an inner class, but does not use its embedded reference to the
> object which created it. This reference makes the instances of the class
> larger, and may keep the reference to the creator object alive longer than
> necessary. If possible, the class should be made into a static inner class.
> Since anonymous inner classes cannot be marked as static, doing this will
> require refactoring the inner class so that it is a named inner class.
> RenderContentAsText.java:55, MS_PKGPROTECT
> - MS: org.apache.ofbiz.content.webapp.ftl.RenderContentAsText.upSaveKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> RenderContentAsText.java:56, MS_PKGPROTECT
> - MS: org.apache.ofbiz.content.webapp.ftl.RenderContentAsText.saveKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> RenderContentAsText.java:84, SIC_INNER_SHOULD_BE_STATIC_ANON
> - SIC: The class org.apache.ofbiz.content.webapp.ftl.RenderContentAsText$1
> could be refactored into a named _static_ inner class
> This class is an inner class, but does not use its embedded reference to the
> object which created it. This reference makes the instances of the class
> larger, and may keep the reference to the creator object alive longer than
> necessary. If possible, the class should be made into a static inner class.
> Since anonymous inner classes cannot be marked as static, doing this will
> require refactoring the inner class so that it is a named inner class.
> RenderContentTransform.java:66, SIC_INNER_SHOULD_BE_STATIC_ANON
> - SIC: The class org.apache.ofbiz.content.webapp.ftl.RenderContentTransform$1
> could be refactored into a named _static_ inner class
> This class is an inner class, but does not use its embedded reference to the
> object which created it. This reference makes the instances of the class
> larger, and may keep the reference to the creator object alive longer than
> necessary. If possible, the class should be made into a static inner class.
> Since anonymous inner classes cannot be marked as static, doing this will
> require refactoring the inner class so that it is a named inner class.
> RenderSubContentAsText.java:51, MS_PKGPROTECT
> - MS:
> org.apache.ofbiz.content.webapp.ftl.RenderSubContentAsText.upSaveKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> RenderSubContentAsText.java:52, MS_PKGPROTECT
> - MS: org.apache.ofbiz.content.webapp.ftl.RenderSubContentAsText.saveKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> RenderSubContentAsText.java:83, SIC_INNER_SHOULD_BE_STATIC_ANON
> - SIC: The class org.apache.ofbiz.content.webapp.ftl.RenderSubContentAsText$1
> could be refactored into a named _static_ inner class
> This class is an inner class, but does not use its embedded reference to the
> object which created it. This reference makes the instances of the class
> larger, and may keep the reference to the creator object alive longer than
> necessary. If possible, the class should be made into a static inner class.
> Since anonymous inner classes cannot be marked as static, doing this will
> require refactoring the inner class so that it is a named inner class.
> RenderSubContentCacheTransform.java:55, MS_PKGPROTECT
> - MS:
> org.apache.ofbiz.content.webapp.ftl.RenderSubContentCacheTransform.upSaveKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> RenderSubContentCacheTransform.java:113, SIC_INNER_SHOULD_BE_STATIC_ANON
> - SIC: The class
> org.apache.ofbiz.content.webapp.ftl.RenderSubContentCacheTransform$1 could be
> refactored into a named _static_ inner class
> This class is an inner class, but does not use its embedded reference to the
> object which created it. This reference makes the instances of the class
> larger, and may keep the reference to the creator object alive longer than
> necessary. If possible, the class should be made into a static inner class.
> Since anonymous inner classes cannot be marked as static, doing this will
> require refactoring the inner class so that it is a named inner class.
> RenderSubContentCacheTransform.java:198, NP_LOAD_OF_KNOWN_NULL_VALUE
> - NP: Load of known null value in
> org.apache.ofbiz.content.webapp.ftl.RenderSubContentCacheTransform$1.closeEditWrap(Writer,
> String)
> The variable referenced at this point is known to be null due to an earlier
> check against null. Although this is valid, it might be a mistake (perhaps
> you intended to refer to a different variable, or perhaps the earlier check
> to see if the variable is null should have been a check to see if it was
> non-null).
> RenderSubContentTransform.java:107, SIC_INNER_SHOULD_BE_STATIC_ANON
> - SIC: The class
> org.apache.ofbiz.content.webapp.ftl.RenderSubContentTransform$1 could be
> refactored into a named _static_ inner class
> This class is an inner class, but does not use its embedded reference to the
> object which created it. This reference makes the instances of the class
> larger, and may keep the reference to the creator object alive longer than
> necessary. If possible, the class should be made into a static inner class.
> Since anonymous inner classes cannot be marked as static, doing this will
> require refactoring the inner class so that it is a named inner class.
> RenderSubContentTransform.java:141, UCF_USELESS_CONTROL_FLOW
> - UCF: Useless control flow in
> org.apache.ofbiz.content.webapp.ftl.RenderSubContentTransform$1.renderSubContent()
> This method contains a useless control flow statement, where control flow
> continues onto the same place regardless of whether or not the branch is
> taken. For example, this is caused by having an empty statement block for an
> if statement:
> if (argv.length == 0) {
> // TODO: handle this case
> }
> TraverseSubContentCacheTransform.java:52, MS_PKGPROTECT
> - MS:
> org.apache.ofbiz.content.webapp.ftl.TraverseSubContentCacheTransform.upSaveKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> TraverseSubContentCacheTransform.java:53, MS_PKGPROTECT
> - MS:
> org.apache.ofbiz.content.webapp.ftl.TraverseSubContentCacheTransform.saveKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> TraverseSubContentCacheTransform.java:135, SIC_INNER_SHOULD_BE_STATIC_ANON
> - SIC: The class
> org.apache.ofbiz.content.webapp.ftl.TraverseSubContentCacheTransform$1 could
> be refactored into a named _static_ inner class
> This class is an inner class, but does not use its embedded reference to the
> object which created it. This reference makes the instances of the class
> larger, and may keep the reference to the creator object alive longer than
> necessary. If possible, the class should be made into a static inner class.
> Since anonymous inner classes cannot be marked as static, doing this will
> require refactoring the inner class so that it is a named inner class.
> TraverseSubContentCacheTransform.java:235, NP_NULL_ON_SOME_PATH
> - NP: Possible null pointer dereference of contentIdStart in
> org.apache.ofbiz.content.webapp.ftl.TraverseSubContentCacheTransform$1.populateContext(Map,
> Map)
> There is a branch of statement that, if executed, guarantees that a null
> value will be dereferenced, which would generate a NullPointerException when
> the code is executed. Of course, the problem might be that the branch or
> statement is infeasible and that the null pointer exception can't ever be
> executed; deciding that is beyond the ability of FindBugs.
> TraverseSubContentTransform.java:55, MS_PKGPROTECT
> - MS:
> org.apache.ofbiz.content.webapp.ftl.TraverseSubContentTransform.saveKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> TraverseSubContentTransform.java:56, MS_PKGPROTECT
> - MS:
> org.apache.ofbiz.content.webapp.ftl.TraverseSubContentTransform.removeKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> TraverseSubContentTransform.java:143, SIC_INNER_SHOULD_BE_STATIC_ANON
> - SIC: The class
> org.apache.ofbiz.content.webapp.ftl.TraverseSubContentTransform$1 could be
> refactored into a named _static_ inner class
> This class is an inner class, but does not use its embedded reference to the
> object which created it. This reference makes the instances of the class
> larger, and may keep the reference to the creator object alive longer than
> necessary. If possible, the class should be made into a static inner class.
> Since anonymous inner classes cannot be marked as static, doing this will
> require refactoring the inner class so that it is a named inner class.
> WrapSubContentCacheTransform.java:52, MS_PKGPROTECT
> - MS:
> org.apache.ofbiz.content.webapp.ftl.WrapSubContentCacheTransform.upSaveKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> WrapSubContentCacheTransform.java:53, MS_PKGPROTECT
> - MS:
> org.apache.ofbiz.content.webapp.ftl.WrapSubContentCacheTransform.saveKeyNames
> should be package protected
> A mutable static field could be changed by malicious code or by accident. The
> field could be made package protected to avoid this vulnerability.
> WrapSubContentCacheTransform.java:142, SIC_INNER_SHOULD_BE_STATIC_ANON
> - SIC: The class
> org.apache.ofbiz.content.webapp.ftl.WrapSubContentCacheTransform$1 could be
> refactored into a named _static_ inner class
> This class is an inner class, but does not use its embedded reference to the
> object which created it. This reference makes the instances of the class
> larger, and may keep the reference to the creator object alive longer than
> necessary. If possible, the class should be made into a static inner class.
> Since anonymous inner classes cannot be marked as static, doing this will
> require refactoring the inner class so that it is a named inner class.
> WrapSubContentCacheTransform.java:176, NP_LOAD_OF_KNOWN_NULL_VALUE
> - NP: Load of known null value in
> org.apache.ofbiz.content.webapp.ftl.WrapSubContentCacheTransform$1.close()
> The variable referenced at this point is known to be null due to an earlier
> check against null. Although this is valid, it might be a mistake (perhaps
> you intended to refer to a different variable, or perhaps the earlier check
> to see if the variable is null should have been a check to see if it was
> non-null).
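The three fix patterns that recur in Julian's comment and in the quoted FindBugs findings (MS_PKGPROTECT on the `saveKeyNames`/`upSaveKeyNames` statics, WMI_WRONG_MAP_ITERATOR on the keySet loop, and the NP_NULL_ON_SOME_PATH / "contentIdStart = \"\" in else" change) are shown side by side below as an added Java example. This is not code from the OFBiz project or from the attached patch; the class, method and key names (`SubContentTransformExample`, `SAVE_KEY_NAMES`, `"contentId"`, the node-trail string) and the sample inputs are constructed for illustration.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example, not OFBiz code: a minimal transform-like class that contrasts the
// patterns FindBugs flagged with their hardened forms.
public final class SubContentTransformExample {

    // BEFORE (MS_PKGPROTECT): the reference is final, but the Set itself is mutable and
    // public, so any class on the classpath can add or remove a key name and thereby change
    // which template variables the transform saves and restores.
    public static final Set<String> SAVE_KEY_NAMES_EXPOSED = new HashSet<>();

    // AFTER: package-private (what the patch does) restricts callers to this package;
    // wrapping the set in an unmodifiable view removes the mutation path altogether.
    static final Set<String> SAVE_KEY_NAMES;
    static {
        Set<String> names = new HashSet<>();
        names.add("contentId");       // constructed key names
        names.add("subContentId");
        SAVE_KEY_NAMES = Collections.unmodifiableSet(names);
    }

    private SubContentTransformExample() {}

    // Restores saved template variables into the environment map.
    // BEFORE (WMI_WRONG_MAP_ITERATOR): iterate keySet() and call get(key) for every key.
    static void restoreWithKeySet(Map<String, Object> saved, Map<String, Object> env) {
        for (String key : saved.keySet()) {
            env.put(key, saved.get(key)); // one extra hash lookup per entry
        }
    }

    // AFTER: iterate entrySet(); a single traversal, no per-key lookup.
    static void restoreWithEntrySet(Map<String, Object> saved, Map<String, Object> env) {
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            env.put(e.getKey(), e.getValue());
        }
    }

    // BEFORE (NP_NULL_ON_SOME_PATH): when "contentId" is absent, contentIdStart stays null
    // and String.indexOf(String) throws NullPointerException.
    static int nodeTrailIndexUnsafe(Map<String, Object> args, String trail) {
        String contentIdStart = null;
        if (args.get("contentId") != null) {
            contentIdStart = (String) args.get("contentId");
        }
        return trail.indexOf(contentIdStart); // NPE on the null path
    }

    // AFTER: the else branch assigns "" so every path yields a non-null String;
    // indexOf("") returns 0 instead of throwing.
    static int nodeTrailIndexSafe(Map<String, Object> args, String trail) {
        String contentIdStart;
        if (args.get("contentId") != null) {
            contentIdStart = (String) args.get("contentId");
        } else {
            contentIdStart = "";
        }
        return trail.indexOf(contentIdStart);
    }

    // The "" -> '' change in the comment: a one-character search uses the char overload
    // of indexOf, which avoids the String-search path.
    static String firstTrailElement(String trail) {
        int sep = trail.indexOf('/');
        return sep < 0 ? trail : trail.substring(0, sep);
    }

    public static void main(String[] argv) {
        // Constructed sample inputs.
        Map<String, Object> saved = new HashMap<>();
        saved.put("contentId", "WEB_DOC");
        Map<String, Object> env = new HashMap<>();
        restoreWithEntrySet(saved, env);
        System.out.println("restored: " + env);

        Map<String, Object> args = new HashMap<>(); // deliberately lacks "contentId"
        System.out.println("safe index: " + nodeTrailIndexSafe(args, "ROOT/WEB_DOC"));
        try {
            nodeTrailIndexUnsafe(args, "ROOT/WEB_DOC");
        } catch (NullPointerException e) {
            System.out.println("unsafe variant threw NPE, as FindBugs predicted");
        }
        System.out.println("first element: " + firstTrailElement("ROOT/WEB_DOC"));

        // A mutation attempt succeeds against the exposed set and fails against the hardened one.
        SAVE_KEY_NAMES_EXPOSED.add("injected");
        try {
            SAVE_KEY_NAMES.add("injected");
        } catch (UnsupportedOperationException e) {
            System.out.println("hardened set rejected mutation");
        }
    }
}
```

Compile and run with `javac SubContentTransformExample.java && java SubContentTransformExample`. The patch only narrows the field to package-private, which stops classes outside `org.apache.ofbiz.content.webapp.ftl` from reaching it; the unmodifiable wrapper is the stricter option shown here for comparison, and it is appropriate when the set is genuinely constant after class initialisation.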
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)