Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-9450 Fixing defects reported by code analysis tools
  3. OFBIZ-9637

[FB] Package org.apache.ofbiz.securityext.login

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Minor
    • Resolution: Implemented
    • Trunk
    • 17.12.01
    • securityext
    • None

    Description

      • LoginEvents.java:88, DM_CONVERT_CASE
        Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.securityext.login.LoginEvents.saveEntryParams(HttpServletRequest, HttpServletResponse)

      A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the

      String.toUpperCase( Locale l )
      String.toLowerCase( Locale l )
      versions instead.

      • LoginEvents.java:162, DM_CONVERT_CASE
        Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.securityext.login.LoginEvents.showPasswordHint(HttpServletRequest, HttpServletResponse)

      A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the

      String.toUpperCase( Locale l )
      String.toLowerCase( Locale l )
      versions instead.

      • LoginEvents.java:222, DM_CONVERT_CASE
        Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.securityext.login.LoginEvents.emailPassword(HttpServletRequest, HttpServletResponse)

      A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the

      String.toUpperCase( Locale l )
      String.toLowerCase( Locale l )
      versions instead.

      • LoginEvents.java:417, DMI_INVOKING_TOSTRING_ON_ARRAY
        USELESS_STRING: Invocation of toString on cookies in org.apache.ofbiz.securityext.login.LoginEvents.getUsername(HttpServletRequest)

      The code invokes toString on an array, which will generate a fairly useless result such as [C@16f0472. Consider using Arrays.toString to convert the array into a readable String that gives the contents of the array. See Programming Puzzlers, chapter 3, puzzle 12.

      • LoginEvents.java:437, HRS_REQUEST_PARAMETER_TO_COOKIE
        HRS: HTTP cookie formed from untrusted input in org.apache.ofbiz.securityext.login.LoginEvents.setUsername(HttpServletRequest, HttpServletResponse)

      This code constructs an HTTP Cookie using an untrusted HTTP parameter. If this cookie is added to an HTTP response, it will allow a HTTP response splitting vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.

      FindBugs looks only for the most blatant, obvious cases of HTTP response splitting. If FindBugs found any, you almost certainly have more vulnerabilities that FindBugs doesn't report. If you are concerned about HTTP response splitting, you should seriously consider using a commercial static analysis or pen-testing tool.

      Attachments

        Activity

          People

            mbrohl Michael Brohl
            Dennis Balkir Dennis Balkir
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: