Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
FACES-2343 Security vulnerability with accessing resources in JSF por…
…tlets
- Loading branch information
1 parent
e52b751
commit 722eba2
Showing
25 changed files
with
993 additions
and
36 deletions.
There are no files selected for viewing
133 changes: 133 additions & 0 deletions
133
...rc/main/java/com/liferay/faces/bridge/application/internal/ResourceValidatorBaseImpl.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,133 @@ | ||
/** | ||
* Copyright (c) 2000-2015 Liferay, Inc. All rights reserved. | ||
* | ||
* This library is free software; you can redistribute it and/or modify it under | ||
* the terms of the GNU Lesser General Public License as published by the Free | ||
* Software Foundation; either version 2.1 of the License, or (at your option) | ||
* any later version. | ||
* | ||
* This library is distributed in the hope that it will be useful, but WITHOUT | ||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS | ||
* FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more | ||
* details. | ||
*/ | ||
package com.liferay.faces.bridge.application.internal; | ||
|
||
import java.util.HashSet; | ||
import java.util.List; | ||
import java.util.Map; | ||
import java.util.Set; | ||
|
||
import javax.faces.context.ExternalContext; | ||
import javax.faces.context.FacesContext; | ||
|
||
import com.liferay.faces.util.application.ResourceValidator; | ||
import com.liferay.faces.util.application.ResourceValidatorWrapper; | ||
import com.liferay.faces.util.config.ApplicationConfig; | ||
import com.liferay.faces.util.config.ConfiguredServlet; | ||
import com.liferay.faces.util.config.ConfiguredServletMapping; | ||
import com.liferay.faces.util.config.WebConfig; | ||
import com.liferay.faces.util.logging.Logger; | ||
import com.liferay.faces.util.logging.LoggerFactory; | ||
|
||
|
||
/** | ||
* @author Neil Griffin | ||
*/ | ||
public abstract class ResourceValidatorBaseImpl extends ResourceValidatorWrapper { | ||
|
||
// Logger | ||
private static final Logger logger = LoggerFactory.getLogger(ResourceValidatorBaseImpl.class); | ||
|
||
// Private Data Members | ||
private ResourceValidator wrappedResourceValidator; | ||
|
||
public ResourceValidatorBaseImpl(ResourceValidator resourceValidator) { | ||
this.wrappedResourceValidator = resourceValidator; | ||
} | ||
|
||
@Override | ||
public boolean isSelfReferencing(FacesContext facesContext, String resourceId) { | ||
|
||
// If the delegation chain indicates that the specified resource is not self-referencing, then | ||
boolean selfReferencing = super.isSelfReferencing(facesContext, resourceId); | ||
|
||
if ((!selfReferencing) && (resourceId != null)) { | ||
|
||
// Process the configured servlet entries in order to determine which ones are portlet invokers. | ||
Set<String> invokerServletNames = new HashSet<String>(); | ||
ExternalContext externalContext = facesContext.getExternalContext(); | ||
Map<String, Object> applicationMap = externalContext.getApplicationMap(); | ||
ApplicationConfig applicationConfig = (ApplicationConfig) applicationMap.get(ApplicationConfig.class | ||
.getName()); | ||
WebConfig webConfig = applicationConfig.getWebConfig(); | ||
List<ConfiguredServlet> configuredServlets = webConfig.getConfiguredServlets(); | ||
|
||
for (ConfiguredServlet configuredServlet : configuredServlets) { | ||
|
||
String configuredServletClass = configuredServlet.getServletClass(); | ||
|
||
if (isInvokerServletClass(configuredServletClass)) { | ||
invokerServletNames.add(configuredServlet.getServletName()); | ||
} | ||
} | ||
|
||
// For each of the servlet-mapping entries: | ||
List<ConfiguredServletMapping> configuredServletMappings = webConfig.getConfiguredServletMappings(); | ||
|
||
for (ConfiguredServletMapping configuredServletMapping : configuredServletMappings) { | ||
|
||
// Determine whether or not the current servlet-mapping is mapped to a portlet invoker servlet-class. | ||
if (invokerServletNames.contains(configuredServletMapping.getServletName())) { | ||
|
||
if (configuredServletMapping.isMatch(resourceId)) { | ||
selfReferencing = true; | ||
|
||
break; | ||
} | ||
} | ||
} | ||
} | ||
|
||
return selfReferencing; | ||
} | ||
|
||
protected abstract String getInvokerServletFQCN(); | ||
|
||
protected boolean isInvokerServletClass(String servletClassFQCN) { | ||
|
||
boolean invokerServletClass = false; | ||
|
||
String invokerServletFQCN = getInvokerServletFQCN(); | ||
|
||
if (invokerServletFQCN.equals(servletClassFQCN)) { | ||
|
||
invokerServletClass = true; | ||
} | ||
else { | ||
|
||
try { | ||
Class<?> invokerServletClazz = Class.forName(invokerServletFQCN); | ||
|
||
try { | ||
Class<?> servletClazz = Class.forName(servletClassFQCN); | ||
invokerServletClass = invokerServletClazz.isAssignableFrom(servletClazz); | ||
} | ||
catch (Throwable t) { | ||
logger.error("Unable to load servletClassFQCN=[{0}] error=[{1}]", servletClassFQCN, t.getMessage()); | ||
} | ||
|
||
} | ||
catch (Throwable t) { | ||
logger.error("Unable to load invokerServletFQCN=[{0}] error=[{1}]", invokerServletFQCN, t.getMessage()); | ||
} | ||
} | ||
|
||
return invokerServletClass; | ||
} | ||
|
||
@Override | ||
public ResourceValidator getWrapped() { | ||
return wrappedResourceValidator; | ||
} | ||
} |
55 changes: 55 additions & 0 deletions
55
...ava/com/liferay/faces/bridge/application/internal/ResourceValidatorFactoryBridgeImpl.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
/** | ||
* Copyright (c) 2000-2015 Liferay, Inc. All rights reserved. | ||
* | ||
* This library is free software; you can redistribute it and/or modify it under | ||
* the terms of the GNU Lesser General Public License as published by the Free | ||
* Software Foundation; either version 2.1 of the License, or (at your option) | ||
* any later version. | ||
* | ||
* This library is distributed in the hope that it will be useful, but WITHOUT | ||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS | ||
* FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more | ||
* details. | ||
*/ | ||
package com.liferay.faces.bridge.application.internal; | ||
|
||
import com.liferay.faces.util.application.ResourceValidator; | ||
import com.liferay.faces.util.application.ResourceValidatorFactory; | ||
import com.liferay.faces.util.product.ProductConstants; | ||
import com.liferay.faces.util.product.ProductMap; | ||
|
||
|
||
/** | ||
* @author Neil Griffin | ||
*/ | ||
public class ResourceValidatorFactoryBridgeImpl extends ResourceValidatorFactory { | ||
|
||
// Private Constants | ||
private static final boolean LIFERAY_PORTAL_DETECTED = ProductMap.getInstance().get(ProductConstants.LIFERAY_PORTAL) | ||
.isDetected(); | ||
|
||
// Private Data Members | ||
private ResourceValidatorFactory wrappedResourceValidatorFactory; | ||
|
||
public ResourceValidatorFactoryBridgeImpl(ResourceValidatorFactory resourceValidatorFactory) { | ||
this.wrappedResourceValidatorFactory = resourceValidatorFactory; | ||
} | ||
|
||
@Override | ||
public ResourceValidator getResourceValidator() { | ||
|
||
ResourceValidator wrappedResourceValidator = getWrapped().getResourceValidator(); | ||
|
||
if (LIFERAY_PORTAL_DETECTED) { | ||
return new ResourceValidatorLiferayImpl(wrappedResourceValidator); | ||
} | ||
else { | ||
return new ResourceValidatorPlutoImpl(wrappedResourceValidator); | ||
} | ||
} | ||
|
||
@Override | ||
public ResourceValidatorFactory getWrapped() { | ||
return wrappedResourceValidatorFactory; | ||
} | ||
} |
32 changes: 32 additions & 0 deletions
32
...main/java/com/liferay/faces/bridge/application/internal/ResourceValidatorLiferayImpl.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
/** | ||
* Copyright (c) 2000-2015 Liferay, Inc. All rights reserved. | ||
* | ||
* This library is free software; you can redistribute it and/or modify it under | ||
* the terms of the GNU Lesser General Public License as published by the Free | ||
* Software Foundation; either version 2.1 of the License, or (at your option) | ||
* any later version. | ||
* | ||
* This library is distributed in the hope that it will be useful, but WITHOUT | ||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS | ||
* FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more | ||
* details. | ||
*/ | ||
package com.liferay.faces.bridge.application.internal; | ||
|
||
import com.liferay.faces.util.application.ResourceValidator; | ||
|
||
|
||
/** | ||
* @author Neil Griffin | ||
*/ | ||
public class ResourceValidatorLiferayImpl extends ResourceValidatorBaseImpl { | ||
|
||
public ResourceValidatorLiferayImpl(ResourceValidator resourceValidator) { | ||
super(resourceValidator); | ||
} | ||
|
||
@Override | ||
protected String getInvokerServletFQCN() { | ||
return "com.liferay.portal.kernel.servlet.PortletServlet"; | ||
} | ||
} |
32 changes: 32 additions & 0 deletions
32
...c/main/java/com/liferay/faces/bridge/application/internal/ResourceValidatorPlutoImpl.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
/** | ||
* Copyright (c) 2000-2015 Liferay, Inc. All rights reserved. | ||
* | ||
* This library is free software; you can redistribute it and/or modify it under | ||
* the terms of the GNU Lesser General Public License as published by the Free | ||
* Software Foundation; either version 2.1 of the License, or (at your option) | ||
* any later version. | ||
* | ||
* This library is distributed in the hope that it will be useful, but WITHOUT | ||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS | ||
* FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more | ||
* details. | ||
*/ | ||
package com.liferay.faces.bridge.application.internal; | ||
|
||
import com.liferay.faces.util.application.ResourceValidator; | ||
|
||
|
||
/** | ||
* @author Neil Griffin | ||
*/ | ||
public class ResourceValidatorPlutoImpl extends ResourceValidatorBaseImpl { | ||
|
||
public ResourceValidatorPlutoImpl(ResourceValidator resourceValidator) { | ||
super(resourceValidator); | ||
} | ||
|
||
@Override | ||
protected String getInvokerServletFQCN() { | ||
return "org.apache.pluto.container.driver.PortletServlet"; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.