Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Implemented
    • Affects Version/s: Trunk
    • Fix Version/s: Upcoming Release
    • Component/s: framework
    • Labels:
      None

      Description

      • QRCodeEvents.java:76, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
        RCN: Redundant nullcheck of mimeType, which is known to be non-null in org.apache.ofbiz.common.qrcode.QRCodeEvents.serveQRCodeImage(HttpServletRequest, HttpServletResponse)

      This method contains a redundant check of a known non-null value against the constant null.

      • QRCodeServices.java:77, MS_PKGPROTECT
        MS: org.apache.ofbiz.common.qrcode.QRCodeServices.FORMAT_NAMES should be package protected

      A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.

      • QRCodeServices.java:79, MS_MUTABLE_COLLECTION_PKGPROTECT
        Field is a mutable collection which should be package protected

      A mutable collection instance is assigned to a final static field, thus can be changed by malicious code or by accident from another package. The field could be made package protected to avoid this vulnerability. Alternatively you may wrap this field into Collections.unmodifiableSet/List/Map/etc. to avoid this vulnerability.

      • QRCodeServices.java:93, MS_SHOULD_BE_REFACTORED_TO_BE_FINAL
        MS: org.apache.ofbiz.common.qrcode.QRCodeServices.defaultLogoImage isn't final but should be refactored to be so

      This static field is public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability. However, the static initializer contains more than one write to the field, so doing so will require some refactoring.
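      The three MS_* findings above share one root cause: a static field that other packages can reassign or mutate. The following added example (constructed for this page, not OFBiz code; the class and field names WeakFormats, HardenedFormats, SUPPORTED and defaultLogo are hypothetical) puts the flagged shape next to the hardened shape, including the "single write via a helper method" refactoring that lets a field with a conditional initializer become final.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Constructed example of the shapes flagged by MS_PKGPROTECT,
// MS_MUTABLE_COLLECTION_PKGPROTECT and MS_SHOULD_BE_REFACTORED_TO_BE_FINAL.
// All names here are hypothetical; this is not the OFBiz QRCodeServices code.
class WeakFormats {
    // 'final' only pins the reference. The HashSet behind it is still mutable,
    // so any class in any package can call SUPPORTED.add(...) or SUPPORTED.clear().
    public static final Set<String> SUPPORTED =
            new HashSet<>(Arrays.asList("png", "jpg", "gif"));

    // Public and non-final: any code that can load this class can reassign it.
    public static String defaultLogo;
    static {
        defaultLogo = "default.png";
        if (System.getProperty("qr.logo") != null) {
            // A second write in the initializer is what blocks a simple 'final'.
            defaultLogo = System.getProperty("qr.logo");
        }
    }
}

final class HardenedFormats {
    // Private, final and wrapped: the reference cannot be reassigned and the
    // contents cannot be mutated. Callers only ever see the read-only view.
    private static final Set<String> SUPPORTED = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("png", "jpg", "gif")));

    // The conditional logic moves into a helper so the field has exactly one
    // write and can be declared final.
    private static final String DEFAULT_LOGO = resolveDefaultLogo();

    private static String resolveDefaultLogo() {
        String override = System.getProperty("qr.logo");
        return override != null ? override : "default.png";
    }

    static Set<String> supported() { return SUPPORTED; }
    static String defaultLogo() { return DEFAULT_LOGO; }
}

public class MutableStaticDemo {
    public static void main(String[] args) {
        // With the weak shape, code anywhere on the classpath can silently widen
        // the allow-list and repoint the default logo.
        WeakFormats.SUPPORTED.add("svg");
        WeakFormats.defaultLogo = "overridden-elsewhere.png";
        System.out.println("weak: " + WeakFormats.SUPPORTED
                + ", logo=" + WeakFormats.defaultLogo);

        // With the hardened shape, reassignment fails at compile time and
        // mutation of the collection fails at run time.
        try {
            HardenedFormats.supported().add("svg");
        } catch (UnsupportedOperationException e) {
            System.out.println("hardened: mutation rejected ("
                    + e.getClass().getSimpleName() + ")");
        }
        System.out.println("hardened: " + HardenedFormats.supported()
                + ", logo=" + HardenedFormats.defaultLogo());
    }
}
```

Compile and run the file with `javac MutableStaticDemo.java && java MutableStaticDemo`. Making the fields private, as the fix below does, removes the external write path entirely; the unmodifiable wrapper is the extra step that also protects against accidental mutation from inside the owning package.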

      • QRCodeServices.java:252, DM_CONVERT_CASE
        Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.common.qrcode.QRCodeServices.toBufferedImage(BitMatrix, String)

      A String is being converted to upper or lower case using the platform's default locale. This may result in improper conversions when used with international characters. Use the String.toUpperCase(Locale l) and String.toLowerCase(Locale l) versions instead.
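      Why DM_CONVERT_CASE matters for a check like a format allow-list: the result of String.toLowerCase() depends on the JVM's default locale, which is a deployment setting, not a property of the code. The following added example (constructed for this page, not OFBiz code; CaseConversionDemo, FORMATS and the two isSupported methods are hypothetical names) switches the default locale to Turkish, where an upper-case "I" lower-cases to dotless "ı" (U+0131), and shows the unqualified conversion rejecting "GIF" while the Locale.ROOT conversion accepts it.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Constructed example of the DM_CONVERT_CASE finding. Names are hypothetical;
// this is not the OFBiz QRCodeServices.toBufferedImage code.
public class CaseConversionDemo {
    private static final Set<String> FORMATS =
            new HashSet<>(Arrays.asList("png", "jpg", "gif"));

    // Weak: String.toLowerCase() applies the rules of Locale.getDefault(),
    // so the same input can match on one server and fail on another.
    static boolean isSupportedWeak(String format) {
        return FORMATS.contains(format.toLowerCase());
    }

    // Hardened: Locale.ROOT gives a fixed, locale-neutral conversion,
    // so the check behaves identically on every JVM.
    static boolean isSupportedHardened(String format) {
        return FORMATS.contains(format.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        Locale original = Locale.getDefault();
        try {
            // Simulate a JVM whose default locale is Turkish: "GIF" becomes "gıf".
            Locale.setDefault(Locale.forLanguageTag("tr"));
            System.out.println("\"GIF\".toLowerCase()            = " + "GIF".toLowerCase());
            System.out.println("\"GIF\".toLowerCase(Locale.ROOT) = " + "GIF".toLowerCase(Locale.ROOT));
            System.out.println("weak     accepts GIF? " + isSupportedWeak("GIF"));
            System.out.println("hardened accepts GIF? " + isSupportedHardened("GIF"));
        } finally {
            // Restore the original default so the rest of the process is unaffected.
            Locale.setDefault(original);
        }
    }
}
```

Run with `javac CaseConversionDemo.java && java CaseConversionDemo`. The same effect can be reproduced without changing code by starting the JVM with `-Duser.language=tr`, which is exactly the kind of environment difference the finding warns about.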

        Activity

        Dennis Balkir added a comment -
        • Diamond Operators fixed

        class QRCodeEvents:

        • Line 51: removed unnecessary casting from HttpServletRequest to HttpServletRequest
        • Line 76: removed unnecessary nullcheck

        class QRCodeServices:

        • Line 77, 79: made parameters private to prevent vulnerability and external code violation
        • Line 75: made defaultLogoImage a final parameter
        • refactored the declaration of defaultLogoImage so that it can be made a final parameter
        • Line 258: added a default Locale to toLowerCase
        Michael Brohl (mbrohl) added a comment -

        Thanks Dennis,

        your patch is in trunk r1811427.


          People

          • Assignee: Michael Brohl (mbrohl)
          • Reporter: Dennis Balkir
          • Votes: 0
          • Watchers: 2
