Dennis Balkir created OFBIZ-9823:
------------------------------------

             Summary: [FB] Package org.apache.ofbiz.marketing.tracking
                 Key: OFBIZ-9823
                 URL: https://issues.apache.org/jira/browse/OFBIZ-9823
             Project: OFBiz
          Issue Type: Sub-task
          Components: marketing
    Affects Versions: Trunk
            Reporter: Dennis Balkir
            Priority: Minor


--- TrackingCodeEvents.java:261, RpC_REPEATED_CONDITIONAL_TEST
RpC: Repeated conditional test in 
org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue,
 HttpServletRequest, HttpServletResponse, String)

The code contains a conditional test that is performed twice, one right after the 
other (e.g., x == 0 || x == 0). Perhaps the second occurrence is intended to be 
something else (e.g., x == 0 || y == 0).

--- TrackingCodeEvents.java:261, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of visitorSiteId, which is known to be non-null in 
org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue,
 HttpServletRequest, HttpServletResponse, String)

This method contains a redundant check of a known non-null value against the 
constant null.

--- TrackingCodeEvents.java:263, HRS_REQUEST_PARAMETER_TO_COOKIE
HRS: HTTP cookie formed from untrusted input in 
org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue,
 HttpServletRequest, HttpServletResponse, String)

This code constructs an HTTP Cookie using an untrusted HTTP parameter. If this 
cookie is added to an HTTP response, it will allow an HTTP response splitting 
vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for 
more information.

FindBugs looks only for the most blatant, obvious cases of HTTP response 
splitting. If FindBugs found any, you almost certainly have more 
vulnerabilities that FindBugs doesn't report. If you are concerned about HTTP 
response splitting, you should seriously consider using a commercial static 
analysis or pen-testing tool.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

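The HRS finding above is the one of the three with security weight: a request parameter copied straight into a Set-Cookie header lets a CR/LF-bearing value terminate the header block and append attacker-chosen headers or a body. The following is an added, stand-alone Java example written for this note; it is not code from OFBiz or from TrackingCodeEvents.java, uses no servlet API, and the cookie name "trackingCode" and the allowlist pattern are assumptions chosen for illustration. It shows the unvalidated pattern FindBugs flags beside a version that refuses to build the cookie unless the value matches an allowlist.

```java
import java.util.regex.Pattern;

/**
 * Added example (not OFBiz code): a request parameter written into a
 * Set-Cookie header with and without validation.
 *
 * The header strings are built by hand so the example runs with plain
 * java and shows exactly what reaches the wire.
 */
public class TrackingCookieExample {

    // Assumed allowlist for a tracking code: letters, digits, '_' and '-',
    // 1 to 60 characters. CR, LF, ';' and other header metacharacters
    // cannot match, so they can never reach the header.
    private static final Pattern TRACKING_CODE_ID = Pattern.compile("[A-Za-z0-9_-]{1,60}");

    /** The pattern FindBugs reports as HRS: the value goes into the header untouched. */
    static String unsafeSetCookieHeader(String name, String untrustedValue) {
        return "Set-Cookie: " + name + "=" + untrustedValue + "; Path=/";
    }

    /** Validated variant: returns null (build no cookie) when the value is not a plausible tracking code. */
    static String safeSetCookieHeader(String name, String untrustedValue) {
        if (untrustedValue == null || !TRACKING_CODE_ID.matcher(untrustedValue).matches()) {
            return null;
        }
        return "Set-Cookie: " + name + "=" + untrustedValue + "; Path=/";
    }

    /** Number of wire lines a single header string expands to; a safe header is exactly one line. */
    static int headerLineCount(String header) {
        return header.split("\r\n", -1).length;
    }

    public static void main(String[] args) {
        // Constructed attacker input: CRLF ends the legitimate header, injects a
        // second Set-Cookie, then a blank line and a body the client will render.
        String injected = "ABC123\r\nSet-Cookie: JSESSIONID=attacker\r\n\r\n<html>injected</html>";
        String benign = "ABC123";

        // Unvalidated: one header value becomes four wire lines, two of them attacker-controlled.
        System.out.println("unsafe line count: " + headerLineCount(unsafeSetCookieHeader("trackingCode", injected)));

        // Validated: the injected value is rejected outright, the benign one passes.
        System.out.println("safe (injected): " + safeSetCookieHeader("trackingCode", injected));
        System.out.println("safe (benign):   " + safeSetCookieHeader("trackingCode", benign));
    }
}
```

The allowlist is deliberately strict rather than a blocklist of CR and LF: a tracking code that legitimately needs other characters should be percent-encoded (java.net.URLEncoder) before it is placed in the cookie, not passed through. Modern servlet containers reject control characters in header values on their own, which blunts the splitting itself, but the same unvalidated value is also what the application later compares against stored tracking codes, so rejecting it at the boundary is the cheaper fix and removes the finding at its source.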