[ https://issues.apache.org/jira/browse/OFBIZ-9823?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dennis Balkir updated OFBIZ-9823:
---------------------------------

    Attachment: OFBIZ-9823_org.apache.ofbiz.marketing.tracking_bugfixes.patch

- Line 265: removed {{visitorSiteId != null &&}} because it was already checked in the same if-phrase
- Line 267: encoded the string {{siteId}} into a new string so that there is no more vulnerability problem with the creation of the cookie

> [FB] Package org.apache.ofbiz.marketing.tracking
> ------------------------------------------------
>
>                 Key: OFBIZ-9823
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9823
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: marketing
>    Affects Versions: Trunk
>            Reporter: Dennis Balkir
>            Priority: Minor
>         Attachments: OFBIZ-9823_org.apache.ofbiz.marketing.tracking_bugfixes.patch
>
>
> --- TrackingCodeEvents.java:261, RpC_REPEATED_CONDITIONAL_TEST
> RpC: Repeated conditional test in org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue, HttpServletRequest, HttpServletResponse, String)
> The code contains a conditional test that is performed twice, one right after the other (e.g., x == 0 || x == 0). Perhaps the second occurrence is intended to be something else (e.g., x == 0 || y == 0).
>
> --- TrackingCodeEvents.java:261, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of visitorSiteId, which is known to be non-null in org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue, HttpServletRequest, HttpServletResponse, String)
> This method contains a redundant check of a known non-null value against the constant null.
>
> --- TrackingCodeEvents.java:263, HRS_REQUEST_PARAMETER_TO_COOKIE
> HRS: HTTP cookie formed from untrusted input in org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue, HttpServletRequest, HttpServletResponse, String)
> This code constructs an HTTP Cookie using an untrusted HTTP parameter. If this cookie is added to an HTTP response, it will allow an HTTP response splitting vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.
> FindBugs looks only for the most blatant, obvious cases of HTTP response splitting. If FindBugs found any, you almost certainly have more vulnerabilities that FindBugs doesn't report. If you are concerned about HTTP response splitting, you should seriously consider using a commercial static analysis or pen-testing tool.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
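The HRS finding above and the "encode siteId before building the cookie" fix are illustrated by the following added example; it is not OFBiz's own code or the attached patch, and the cookie name "siteId" and the hostile sample value are assumptions constructed for the demonstration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.http.Cookie;

/**
 * Added example, not OFBiz code: a cookie built from an untrusted request
 * parameter, shown in the form FindBugs flags and in the encoded form the
 * patch comment describes. The cookie name is an assumption for this example.
 */
public final class SiteIdCookieExample {

    static final String COOKIE_NAME = "siteId";

    private SiteIdCookieExample() {}

    /** Pattern reported as HRS_REQUEST_PARAMETER_TO_COOKIE: raw parameter becomes the cookie value. */
    static Cookie unsafeCookie(String siteIdParam) {
        return new Cookie(COOKIE_NAME, siteIdParam);
    }

    /** Hardened form: URL-encode first, so CR and LF become %0D and %0A and cannot terminate the Set-Cookie header line. */
    static Cookie safeCookie(String siteIdParam) {
        return new Cookie(COOKIE_NAME, encodeForCookie(siteIdParam));
    }

    static String encodeForCookie(String raw) {
        try {
            return URLEncoder.encode(raw, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    /** Defensive check usable in tests or a filter: does the value still carry a header terminator? */
    static boolean containsHeaderBreak(String value) {
        return value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0;
    }

    public static void main(String[] args) {
        // Constructed hostile input: a site id followed by CR LF and a fake header line.
        String hostile = "site1\r\nX-Injected: 1";
        System.out.println("unsafe value still breaks the header: " + containsHeaderBreak(unsafeCookie(hostile).getValue()));
        System.out.println("encoded value breaks the header:      " + containsHeaderBreak(safeCookie(hostile).getValue()));
        System.out.println("encoded value: " + safeCookie(hostile).getValue());
    }
}
```

Code that later reads the cookie back must run the value through `java.net.URLDecoder` with the same charset, otherwise legitimate ids containing spaces or non-ASCII characters will no longer match.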