Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
Release Branch 14.12
-
None
Description
In Ofbiz 14.12 branch there is a flaw in the patches added in ticket
https://issues.apache.org/jira/browse/OFBIZ-6669
In ProductContentWrapper#getProductContentAsText and all similar content wrappers using a cache, the cacheKey does not include the new encoderType:
String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId");
This makes it possible for subsequent calls on the same wrapper using different encoderTypes to return content having the wrong encoding and create potential security flaws.
The key should include the encoderType:
String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId") + SEPARATOR + encoderType;
I leave you to find all the occurrences.
Attachments
Issue Links
- is related to
-
OFBIZ-6979 All static variables should be revisited for multitenant operation
- Open