[
https://issues.apache.org/jira/browse/OFBIZ-9823?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Brohl closed OFBIZ-9823.
--------------------------------
Resolution: Implemented
Fix Version/s: Upcoming Release
Thanks Dennis,
your patch is in trunk r1817692.
The patch was modified because the repeated conditional check in
TrackingCodeEvents was simplified too much.
> [FB] Package org.apache.ofbiz.marketing.tracking
> ------------------------------------------------
>
> Key: OFBIZ-9823
> URL: https://issues.apache.org/jira/browse/OFBIZ-9823
> Project: OFBiz
> Issue Type: Sub-task
> Components: marketing
> Affects Versions: Trunk
> Reporter: Dennis Balkir
> Assignee: Michael Brohl
> Priority: Minor
> Fix For: Upcoming Release
>
> Attachments:
> OFBIZ-9823_org.apache.ofbiz.marketing.tracking_bugfixes.patch
>
>
> --- TrackingCodeEvents.java:261, RpC_REPEATED_CONDITIONAL_TEST
> RpC: Repeated conditional test in
> org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue,
> HttpServletRequest, HttpServletResponse, String)
> The code contains a conditional test that is performed twice, one right after the
> other (e.g., x == 0 || x == 0). Perhaps the second occurrence is intended to
> be something else (e.g., x == 0 || y == 0).
> --- TrackingCodeEvents.java:261, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> RCN: Redundant nullcheck of visitorSiteId, which is known to be non-null in
> org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue,
> HttpServletRequest, HttpServletResponse, String)
> This method contains a redundant check of a known non-null value against the
> constant null.
> --- TrackingCodeEvents.java:263, HRS_REQUEST_PARAMETER_TO_COOKIE
> HRS: HTTP cookie formed from untrusted input in
> org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue,
> HttpServletRequest, HttpServletResponse, String)
> This code constructs an HTTP Cookie using an untrusted HTTP parameter. If
> this cookie is added to an HTTP response, it will allow an HTTP response
> splitting vulnerability. See
> http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.
> FindBugs looks only for the most blatant, obvious cases of HTTP response
> splitting. If FindBugs found any, you almost certainly have more
> vulnerabilities that FindBugs doesn't report. If you are concerned about HTTP
> response splitting, you should seriously consider using a commercial static
> analysis or pen-testing tool.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
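A hardened form of the cookie construction behind the HRS finding above, added here as an illustrative example and not taken from OFBiz or the attached patch: the request parameter is checked against an allowlist pattern before it is used as a cookie value, so a value carrying CR/LF never reaches the response headers. The cookie name, the id format and the helper names are assumptions.

```java
import java.util.Optional;
import java.util.regex.Pattern;

/** Added example: allowlist validation of a tracking code id before it is set as a cookie. */
public final class TrackingCookieExample {
    // Assumed id format (hypothetical; OFBiz's own TrackingCode id rules may differ).
    private static final Pattern TRACKING_CODE_ID = Pattern.compile("^[A-Za-z0-9_.-]{1,20}$");

    /** Returns the raw parameter only if it is safe to embed in a Set-Cookie header. */
    public static Optional<String> validTrackingCodeId(String raw) {
        if (raw == null || !TRACKING_CODE_ID.matcher(raw).matches()) {
            return Optional.empty();
        }
        return Optional.of(raw);
    }

    /** Builds the Set-Cookie header value; anything that fails validation is rejected. */
    public static String setCookieHeader(String name, String raw, int maxAgeSeconds) {
        String value = validTrackingCodeId(raw)
            .orElseThrow(() -> new IllegalArgumentException("rejected tracking code id"));
        return name + "=" + value + "; Max-Age=" + maxAgeSeconds + "; Path=/; HttpOnly";
    }

    public static void main(String[] args) {
        // Constructed inputs: a well-formed id, and one containing CR/LF, which would
        // otherwise end the header line if copied into the response unchecked.
        System.out.println(setCookieHeader("TKCDT", "SUMMER2017", 3600));
        try {
            setCookieHeader("TKCDT", "X\r\nInjected: header", 3600);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Modern servlet containers also reject CR/LF in cookie values, but validating the parameter first keeps the check close to the code FindBugs flagged and independent of container behaviour.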