Author: jleroux
Date: Thu Aug  8 15:32:08 2019
New Revision: 1864719

URL: http://svn.apache.org/viewvc?rev=1864719&view=rev
Log:
"Applied fix from trunk framework for revision: 1864716" 
------------------------------------------------------------------------
r1864716 | jleroux | 2019-08-08 17:28:45 +0200 (jeu. 08 août 2019) | 15 lignes

Fixed: [FB] Find Security Bugs
(OFBIZ-9973)

FindBugs is now deprecated and replaced by Spotbugs

Last time I forgot to encode productId as reported by Man Yue Mo from Semmle

This eventually fixes the "Relative path traversal" issue reported by Spotbugs
by encoding the whole file name.

Nevertheless Spotbugs continues to report the same issue in trunk but not in R16
I have no idea why and I see no other possible issue. 

I will backport and check again.

------------------------------------------------------------------------


Modified:
    ofbiz/branches/release16.11/   (props changed)
    
ofbiz/branches/release16.11/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java

Propchange: ofbiz/branches/release16.11/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Aug  8 15:32:08 2019
@@ -10,6 +10,6 @@
 /ofbiz/branches/json-integration-refactoring:1634077-1635900
 /ofbiz/branches/multitenant20100310:921280-927264
 /ofbiz/branches/release13.07:1547657
-/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1793300,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801316,1801318-1801319,1801336,1801340,1801346,1801349-1801350,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814392,1814501,1814591,1814642,1814644,1814709,1814873,1814928,1814934,1815059,1816264,1816273,
 
1816289,1816291,1816297,1816369,1816373,1816461,1816635,1816795,1818101,1818269,1818273,1818402,1819122,1819136,1819144,1819811,1820823,1820949,1820966,1821012,1821036,1821613,1821965,1822310,1822377,1822383,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825233,1825262,1825444,1825450,1826374,1826592,1826671,1826805,1826938,1828255,1830936,1831234,1831608,1831831,1832577,1832662,1832756,1832944,1833211,1834181,1834191,1835235,1835871,1836144,1838032,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1845418,1845420,1845466,1845544,1845552,1846214,1846594,1846632,1847398,1848263,1848336,1848398,1848444,1848449,1849191,1849193,1849275,1849528,1849540,1849567,1849693,1850015,1850023,1850530,1850685,1850914,1850918,1850948,1851200,1851247,1851319,1851805,1851998,1852587,1852818,1853070,1853691,1853745,1853750,1854306,1854457,1855078,1855287,1855371,1855403,1855488,1855492,1855497,1855501,1855898,1856405,1856455,1856459-1856460,1856484,1856598,18566
 
17,1856667,1857088,1857099,1857180,1857213,1857392,1857617,1857692,1857813,1858141,1858250,1858275,1858312,1858319,1858432,1858444,1858523,1858539,1858933,1858965,1858980,1859012,1859033,1859255,1859263,1859543,1859571,1859576,1859691,1859704,1859796,1859807,1859871,1859877,1859882,1859893,1859968,1859981,1860082,1860141,1860274,1860357,1860526,1860592,1860613,1860797,1861615,1861837,1861859,1861869,1861904,1862045-1862046,1862207,1862271,1862278,1862466,1862648
+/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1793300,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801316,1801318-1801319,1801336,1801340,1801346,1801349-1801350,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814392,1814501,1814591,1814642,1814644,1814709,1814873,1814928,1814934,1815059,1816264,1816273,
 
1816289,1816291,1816297,1816369,1816373,1816461,1816635,1816795,1818101,1818269,1818273,1818402,1819122,1819136,1819144,1819811,1820823,1820949,1820966,1821012,1821036,1821613,1821965,1822310,1822377,1822383,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825233,1825262,1825444,1825450,1826374,1826592,1826671,1826805,1826938,1828255,1830936,1831234,1831608,1831831,1832577,1832662,1832756,1832944,1833211,1834181,1834191,1835235,1835871,1836144,1838032,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1845418,1845420,1845466,1845544,1845552,1846214,1846594,1846632,1847398,1848263,1848336,1848398,1848444,1848449,1849191,1849193,1849275,1849528,1849540,1849567,1849693,1850015,1850023,1850530,1850685,1850914,1850918,1850948,1851200,1851247,1851319,1851805,1851998,1852587,1852818,1853070,1853691,1853745,1853750,1854306,1854457,1855078,1855287,1855371,1855403,1855488,1855492,1855497,1855501,1855898,1856405,1856455,1856459-1856460,1856484,1856598,18566
 
17,1856667,1857088,1857099,1857180,1857213,1857392,1857617,1857692,1857813,1858141,1858250,1858275,1858312,1858319,1858432,1858444,1858523,1858539,1858933,1858965,1858980,1859012,1859033,1859255,1859263,1859543,1859571,1859576,1859691,1859704,1859796,1859807,1859871,1859877,1859882,1859893,1859968,1859981,1860082,1860141,1860274,1860357,1860526,1860592,1860613,1860797,1861615,1861837,1861859,1861869,1861904,1862045-1862046,1862207,1862271,1862278,1862466,1862648,1864716
 /ofbiz/ofbiz-plugins/trunk:1860648
 
/ofbiz/trunk:1770481,1770490,1770540,1771440,1771448,1771516,1771935,1772346,1772880,1774772,1775441,1779724,1780659,1781109,1781125,1781979,1782498,1782520

Modified: 
ofbiz/branches/release16.11/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
URL: 
http://svn.apache.org/viewvc/ofbiz/branches/release16.11/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java?rev=1864719&r1=1864718&r2=1864719&view=diff
==============================================================================
--- 
ofbiz/branches/release16.11/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
 (original)
+++ 
ofbiz/branches/release16.11/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
 Thu Aug  8 15:32:08 2019
@@ -30,7 +30,6 @@ import java.awt.image.RenderedImage;
 import java.io.File;
 import java.io.IOException;
 import java.io.RandomAccessFile;
-import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
 import java.nio.ByteBuffer;
 import java.util.HashMap;
@@ -338,16 +337,8 @@ public class FrameImage {
         String imageServerPath = 
FlexibleStringExpander.expandString(EntityUtilProperties.getPropertyValue("catalog",
 "image.management.path", delegator), context);
         
         String productId = request.getParameter("productId");
-        String imageName = null;
-        try {
-            imageName = URLEncoder.encode(request.getParameter("imageName"), 
"UTF-8");
-        } catch (UnsupportedEncodingException e) {
-            Debug.logError(e, "Error while saving TrackingCodeVisit", module);
-            request.setAttribute("_ERROR_MESSAGE_", e.getMessage());
-            return "error";
-        }
-        
-        
+        String imageName = request.getParameter("imageName");
+
         String dirPath = "/preview/";
         File dir = new File(imageServerPath + dirPath);
         if (!dir.exists()) {
@@ -384,11 +375,12 @@ public class FrameImage {
             request.setAttribute("_ERROR_MESSAGE_", e.getMessage());
             return "error";
         }
+        
         if (UtilValidate.isNotEmpty(imageName)) {
             File file = new File(imageServerPath + "/preview/" 
+"/previewImage.jpg");
             file.delete();
             // Image Frame
-            BufferedImage bufImg1 = ImageIO.read(new File(imageServerPath + 
"/" + productId + "/" + imageName).getCanonicalFile());
+            BufferedImage bufImg1 = ImageIO.read(new 
File(URLEncoder.encode(imageServerPath + "/" + productId + "/" + imageName, 
"UTF-8")).getCanonicalFile());
             BufferedImage bufImg2 = ImageIO.read(new File(imageServerPath + 
"/frame/" + frameImageName));
             
             int bufImgType;
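Review bot: The new ImageIO.read line URL-encodes the entire path, so every '/' in imageServerPath, productId and imageName becomes %2F and any space becomes '+'; the resulting File no longer names the image on disk and the read fails for ordinary requests, while a name containing ".." is still not rejected because URLEncoder leaves '.' untouched. The traversal concern is better met by composing the path under the trusted image root and checking that the canonical result stays inside it, reusing the `_ERROR_MESSAGE_`/`"error"` pattern visible a few lines above; with that check in place the removal of the imageName encoding in the previous hunk is also safe. The try block and method around this hunk start outside it, and since URLEncoder.encode(String, String) throws the checked UnsupportedEncodingException whose import was dropped in the first hunk, I assume an enclosing catch of IOException now absorbs it — worth confirming.
```java
            File imageRoot = new File(imageServerPath).getCanonicalFile();
            File imageFile = new File(new File(imageRoot, productId), imageName).getCanonicalFile();
            if (!imageFile.toPath().startsWith(imageRoot.toPath())) {
                request.setAttribute("_ERROR_MESSAGE_", "Invalid productId or imageName");
                return "error";
            }
            BufferedImage bufImg1 = ImageIO.read(imageFile);
            // … unchanged: bufImg2 read and frame processing …
```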

