Dennis Balkir created OFBIZ-9633:
------------------------------------

             Summary: [FB] Package org.apache.ofbiz.common.qrcode
                 Key: OFBIZ-9633
                 URL: https://issues.apache.org/jira/browse/OFBIZ-9633
             Project: OFBiz
          Issue Type: Sub-task
          Components: framework
    Affects Versions: Trunk
            Reporter: Dennis Balkir
            Priority: Minor


- QRCodeEvents.java:76, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
RCN: Redundant nullcheck of mimeType, which is known to be non-null in 
org.apache.ofbiz.common.qrcode.QRCodeEvents.serveQRCodeImage(HttpServletRequest, HttpServletResponse)

This method contains a redundant check of a known non-null value against the 
constant null.

- QRCodeServices.java:77, MS_PKGPROTECT
MS: org.apache.ofbiz.common.qrcode.QRCodeServices.FORMAT_NAMES should be 
package protected

A mutable static field could be changed by malicious code or by accident. The 
field could be made package protected to avoid this vulnerability.

- QRCodeServices.java:79, MS_MUTABLE_COLLECTION_PKGPROTECT
Field is a mutable collection which should be package protected

A mutable collection instance is assigned to a final static field, thus can be 
changed by malicious code or by accident from another package. The field could 
be made package protected to avoid this vulnerability. Alternatively you may 
wrap this field into Collections.unmodifiableSet/List/Map/etc. to avoid this 
vulnerability.

- QRCodeServices.java:93, MS_SHOULD_BE_REFACTORED_TO_BE_FINAL
MS: org.apache.ofbiz.common.qrcode.QRCodeServices.defaultLogoImage isn't final 
but should be refactored to be so

This static field is public but not final, and could be changed by malicious code 
or by accident from another package. The field could be made final to avoid 
this vulnerability. However, the static initializer contains more than one 
write to the field, so doing so will require some refactoring.

- QRCodeServices.java:252, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in 
org.apache.ofbiz.common.qrcode.QRCodeServices.toBufferedImage(BitMatrix, String)

A String is being converted to upper or lowercase, using the platform's default 
encoding. This may result in improper conversions when used with international 
characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.
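The two QRCodeServices findings above (the mutable static collection and the non-localized case conversion) side by side with their fixed forms, as an added illustration that is not OFBiz code: the field type Set<String>, the format names, and the class and method names are all assumed or constructed for the demo.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class QrCodeFindingsDemo {

    // Stand-in for a field like QRCodeServices.FORMAT_NAMES (type and values constructed).
    // "final" only pins the reference; the HashSet itself stays writable from any package
    // that can see it, which is what MS_MUTABLE_COLLECTION_PKGPROTECT flags.
    public static final Set<String> FORMAT_NAMES_MUTABLE =
            new HashSet<>(Arrays.asList("jpg", "png", "gif", "bmp"));

    // Hardened form: build the set once, publish only a read-only view.
    public static final Set<String> FORMAT_NAMES =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList("jpg", "png", "gif", "bmp")));

    // Default-locale case folding, the shape DM_CONVERT_CASE warns about (hypothetical helper).
    static String normalizeFormatDefault(String format) {
        return format.toLowerCase();            // depends on the JVM default locale
    }

    // Fixed form: explicit, locale-independent conversion.
    static String normalizeFormat(String format) {
        return format.toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Any caller in any package can alter the "constant" set.
        FORMAT_NAMES_MUTABLE.add("svg");
        System.out.println("mutable set after add(): " + FORMAT_NAMES_MUTABLE);
        try {
            FORMAT_NAMES.add("svg");
        } catch (UnsupportedOperationException e) {
            System.out.println("unmodifiable set rejected add()");
        }

        // Under a Turkish default locale "GIF".toLowerCase() yields "gıf" (dotless i),
        // which no longer matches the format table; Locale.ROOT gives "gif" everywhere.
        Locale saved = Locale.getDefault();
        Locale.setDefault(Locale.forLanguageTag("tr-TR"));
        try {
            String a = normalizeFormatDefault("GIF");
            String b = normalizeFormat("GIF");
            System.out.println("default locale -> " + a + ", known format? " + FORMAT_NAMES.contains(a));
            System.out.println("Locale.ROOT    -> " + b + ", known format? " + FORMAT_NAMES.contains(b));
        } finally {
            Locale.setDefault(saved);
        }
    }
}
```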



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)