[ https://issues.apache.org/jira/browse/OFBIZ-9823?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dennis Balkir updated OFBIZ-9823:
---------------------------------
    Attachment: OFBIZ-9823_org.apache.ofbiz.marketing.tracking_bugfixes.patch

- Line 265: removed {{visitorSiteId != null &&}} because it was already checked in the same if-phrase
- Line 267: encoded the string {{siteId}} into a new string so that there is no more vulnerability problem with the creation of the cookie

> [FB] Package org.apache.ofbiz.marketing.tracking
> ------------------------------------------------
>
>                 Key: OFBIZ-9823
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9823
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: marketing
>    Affects Versions: Trunk
>            Reporter: Dennis Balkir
>            Priority: Minor
>         Attachments: OFBIZ-9823_org.apache.ofbiz.marketing.tracking_bugfixes.patch
>
>
> --- TrackingCodeEvents.java:261, RpC_REPEATED_CONDITIONAL_TEST
> RpC: Repeated conditional test in 
> org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue,
>  HttpServletRequest, HttpServletResponse, String)
> The code contains a conditional test that is performed twice, one right after the 
> other (e.g., x == 0 || x == 0). Perhaps the second occurrence is intended to 
> be something else (e.g., x == 0 || y == 0).
> --- TrackingCodeEvents.java:261, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of visitorSiteId, which is known to be non-null in 
> org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue,
>  HttpServletRequest, HttpServletResponse, String)
> This method contains a redundant check of a known non-null value against the 
> constant null.
> --- TrackingCodeEvents.java:263, HRS_REQUEST_PARAMETER_TO_COOKIE
> HRS: HTTP cookie formed from untrusted input in 
> org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue,
>  HttpServletRequest, HttpServletResponse, String)
> This code constructs an HTTP Cookie using an untrusted HTTP parameter. If 
> this cookie is added to an HTTP response, it will allow a HTTP response 
> splitting vulnerability. See 
> http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.
> FindBugs looks only for the most blatant, obvious cases of HTTP response 
> splitting. If FindBugs found any, you almost certainly have more 
> vulnerabilities that FindBugs doesn't report. If you are concerned about HTTP 
> response splitting, you should seriously consider using a commercial static 
> analysis or pen-testing tool.
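The HRS finding and the fix described in the update (encode {{siteId}} before it goes into the cookie) come down to one rule: a raw request parameter must never reach a Set-Cookie line, because CR/LF in it would end the header and start another. The Python below is an added illustration of that rule, not OFBiz code or the attached patch; the cookie name `trackingSite` and the sample values are constructed for the example.

```python
"""Added example: keep untrusted request data from splitting a Set-Cookie header."""
import re
from typing import Optional
from urllib.parse import quote

# Hypothetical cookie name; the real OFBiz cookie name is not given on the page.
TRACKING_COOKIE_NAME = "trackingSite"

_CTL = re.compile(r"[\x00-\x1f\x7f]")                 # CR, LF and other control bytes
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # RFC 7230 token, used for cookie names


def encode_cookie_value(raw: str) -> str:
    """Percent-encode an untrusted value so only unreserved ASCII survives.

    CR and LF become %0D and %0A, so the value can no longer terminate the
    Set-Cookie line and introduce a second header (HTTP response splitting).
    """
    return quote(raw, safe="")


def build_set_cookie(name: str, value: str, path: str = "/",
                     max_age: Optional[int] = None) -> str:
    """Assemble one Set-Cookie header line, refusing anything that could split it.

    Defence in depth: even if a caller forgets to encode, a value carrying control
    characters or cookie separators is rejected rather than written to the response.
    """
    if not _TOKEN.fullmatch(name):
        raise ValueError(f"invalid cookie name: {name!r}")
    if _CTL.search(value) or ";" in value or "," in value or '"' in value:
        raise ValueError("cookie value contains characters that must be encoded first")
    parts = [f"{name}={value}", f"Path={path}"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    return "Set-Cookie: " + "; ".join(parts)


def tracking_cookie_header(site_id: str) -> str:
    """The fixed flow: request parameter -> encode -> cookie, never the raw value."""
    return build_set_cookie(TRACKING_COOKIE_NAME, encode_cookie_value(site_id))


if __name__ == "__main__":
    # Constructed sample inputs: a benign site id and one carrying CR/LF.
    for sample in ("site42", "site42\r\nsecond-line"):
        print(repr(tracking_cookie_header(sample)))
```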
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)