[jira] [Created] (OFBIZ-9637) [FB] Package org.apache.ofbiz.securityext.login

Fri, 25 Aug 2017 07:18:28 -0700 

Dennis Balkir created OFBIZ-9637:
------------------------------------

             Summary: [FB] Package org.apache.ofbiz.securityext.login
                 Key: OFBIZ-9637
                 URL: https://issues.apache.org/jira/browse/OFBIZ-9637
             Project: OFBiz
          Issue Type: Sub-task
          Components: securityext
    Affects Versions: Trunk
            Reporter: Dennis Balkir
            Priority: Minor


- LoginEvents.java:88, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in 
org.apache.ofbiz.securityext.login.LoginEvents.saveEntryParams(HttpServletRequest,
 HttpServletResponse)

A String is being converted to upper or lowercase, using the platform's default 
encoding. This may result in improper conversions when used with international 
characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

- LoginEvents.java:162, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in 
org.apache.ofbiz.securityext.login.LoginEvents.showPasswordHint(HttpServletRequest,
 HttpServletResponse)

A String is being converted to upper or lowercase, using the platform's default 
encoding. This may result in improper conversions when used with international 
characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

- LoginEvents.java:222, DM_CONVERT_CASE
Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in 
org.apache.ofbiz.securityext.login.LoginEvents.emailPassword(HttpServletRequest,
 HttpServletResponse)

A String is being converted to upper or lowercase, using the platform's default 
encoding. This may result in improper conversions when used with international 
characters. Use the

String.toUpperCase( Locale l )
String.toLowerCase( Locale l )
versions instead.

- LoginEvents.java:417, DMI_INVOKING_TOSTRING_ON_ARRAY
USELESS_STRING: Invocation of toString on cookies in 
org.apache.ofbiz.securityext.login.LoginEvents.getUsername(HttpServletRequest)

The code invokes toString on an array, which will generate a fairly useless 
result such as [C@16f0472. Consider using Arrays.toString to convert the array 
into a readable String that gives the contents of the array. See Programming 
Puzzlers, chapter 3, puzzle 12.

- LoginEvents.java:437, HRS_REQUEST_PARAMETER_TO_COOKIE
HRS: HTTP cookie formed from untrusted input in 
org.apache.ofbiz.securityext.login.LoginEvents.setUsername(HttpServletRequest, 
HttpServletResponse)

This code constructs an HTTP Cookie using an untrusted HTTP parameter. If this 
cookie is added to an HTTP response, it will allow a HTTP response splitting 
vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for 
more information.

FindBugs looks only for the most blatant, obvious cases of HTTP response 
splitting. If FindBugs found any, you almost certainly have more 
vulnerabilities that FindBugs doesn't report. If you are concerned about HTTP 
response splitting, you should seriously consider using a commercial static 
analysis or pen-testing tool.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to