Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-6973

Flaw in content wrapper cache handling with encoderType

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Release Branch 14.12
    • Fix Version/s: 14.12.01, 15.12.01
    • Component/s: ALL APPLICATIONS
    • Labels:
      None

      Description

      In Ofbiz 14.12 branch there is a flaw in the patches added in ticket
      https://issues.apache.org/jira/browse/OFBIZ-6669

      In ProductContentWrapper#getProductContentAsText and all similar content wrappers using a cache, the cacheKey does not include the new encoderType:

                  String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId");
      

      This makes it possible for subsequent calls on the same wrapper using different encoderTypes to return content having the wrong encoding and create potential security flaws.

      The key should include the encoderType:

                      String cacheKey = productContentTypeId + SEPARATOR + locale + SEPARATOR + mimeTypeId + SEPARATOR + product.get("productId")  + SEPARATOR + encoderType;
      

      I leave you to find all the occurrences.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                jleroux Jacques Le Roux
                Reporter:
                pas023 P Proulx
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: