Author: jleroux Date: Thu Nov 9 08:54:46 2017 New Revision: 1814709 URL: http://svn.apache.org/viewvc?rev=1814709&view=rev Log: Fixed: [FB] Find Security Bugs (OFBIZ-9973)
I missed to encode the request parameter prior to use the canonical pathname Nevertheless Findbugs continues to complains about missing canonical pathname I tried String safePath = (new File(imageServerPath + "/" + productId + "/" + imageName)) .getCanonicalPath(); BufferedImage bufImg1 = ImageIO.read(FileUtil.getFile(safePath)); instead of BufferedImage bufImg1 = ImageIO.read(new File(imageServerPath + "/" + productId + "/" + imageName).getCanonicalFile()); Same Findbugs report, I consider it's a false positive and keep the later Modified: ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java Modified: ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java?rev=1814709&r1=1814708&r2=1814709&view=diff ==============================================================================
--- ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java (original)
+++ ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java Thu Nov 9 08:54:46 2017
@@ -30,6 +30,8 @@ import java.awt.image.RenderedImage;
 import java.io.File;
 import java.io.IOException;
 import java.io.RandomAccessFile;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
 import java.nio.ByteBuffer;
 import java.util.HashMap;
 import java.util.Locale;
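Review bot: `java.net.URLEncoder`, imported here as the path sanitizer, is a form/query-string encoder: applied to `imageName` in the next hunk it does turn `/` and `\` into `%2F`/`%5C`, but it also rewrites spaces to `+` and every non-ASCII character to `%XX`, so legitimate image names silently stop resolving, while `productId` — concatenated into the same path according to the log message — is left unencoded. A canonical-path containment check against the image root is the robust replacement and needs only `java.io.File`, which is already imported: `File base = new File(imageServerPath).getCanonicalFile(); File target = new File(base, productId + "/" + imageName).getCanonicalFile(); if (!target.toPath().startsWith(base.toPath())) return "error";`, then open `target` rather than re-concatenating the strings. With that in place both new imports can go; the `UnsupportedEncodingException` catch can never fire for the literal `"UTF-8"` anyway (if an encoder is kept, pass `StandardCharsets.UTF_8.name()`), and `URLEncoder.encode(null, …)` throws `NullPointerException`, so a request missing `imageName` would bypass the new `return "error"` path entirely. The copied log text `"Error while saving TrackingCodeVisit"` in that catch block should also be replaced with one naming this image operation. The method these imports serve starts and ends outside this hunk, and its own hunk in this commit is cut off before its last context lines in this view.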
@@ -336,7 +338,15 @@ public class FrameImage {
 String imageServerPath = FlexibleStringExpander.expandString(EntityUtilProperties.getPropertyValue("catalog", "image.management.path", delegator), context);
 String productId = request.getParameter("productId");
- String imageName = request.getParameter("imageName");
+ String imageName = null;
+ try {
+ imageName = URLEncoder.encode(request.getParameter("imageName"), "UTF-8");
+ } catch (UnsupportedEncodingException e) {
+ Debug.logError(e, "Error while saving TrackingCodeVisit", module);
+ request.setAttribute("_ERROR_MESSAGE_", e.getMessage());
+ return "error";
+ }
+
 String dirPath = "/preview/";
 File dir = new File(imageServerPath + dirPath);