
End user access to files in WEB-INF directory through DispatcherPortlet [SPR-7540] #12197

Closed
spring-projects-issues opened this issue Sep 10, 2010 · 5 comments
Labels: in: web (Issues in web modules (web, webmvc, webflux, websocket)), type: bug (A general bug)


Adam Causey opened SPR-7540 and commented

Hello,

We use the Liferay portal at our university and to develop our portlets we use org.springframework.web.portlet.DispatcherPortlet as the portlet class. There is a security bug that allows users to access files under the WEB-INF directory by using a certain URL. Liferay has told us that the problem is in the generic portlet and will need to be reported to Spring for this to be fixed. The Liferay bug is http://issues.liferay.com/browse/LPE-2960 . Since we use the Spring portlet MVC and not the Liferay portlet classes, this needs to be fixed in the Spring code.

Thanks.


Affects: 2.5.6

Referenced from: commits 40fa8af


Dave Syer commented

It appears the Liferay link you posted is not public. Can you summarise the problem here, please, and/or ask the Liferay admins to open it up?


Adam Causey commented

We are using the Spring Framework to build portlets for Liferay instead of their API. They can only fix the portlets that extend their portlet classes, but not ones extending the Spring classes. The problem is that, using a certain URL, public users can access files under the WEB-INF directory. The basic summary for the Liferay bug is the following:

You can access files within the ROOT directory of liferay or docroot of a plugin

Users can access files within plugin context.

To test that the security patch applied correctly, the following link will display a blank page after applying the patch:
Note:
-Remember to clear your browser cache after applying the patch to see the above changes.
-The link below is testing against our official google maps plugin.

http://[domain]/web/guest/home?p_p_id=1_WAR_googlemapsportlet&p_p_lifecycle=2&p_p_resource_id=/WEB-INF/portlet.xml


Adam Causey commented

Here are additional details from Liferay support:

This is technically not a bug because the method serveResource is meant to send files to the user. But obviously it opens it up so any user can download any file they want.

So here is the code for serveResource in GenericPortlet. I got it from here:
http://www.jarvana.com/jarvana/view/org/apache/portals/portlet-api_2.0_spec/1.0/portlet-api_2.0_spec-1.0-sources.jar!/javax/portlet/GenericPortlet.java?format=ok

```java
// javax.portlet.GenericPortlet (Portlet 2.0 API sources), as posted
public void serveResource(ResourceRequest request, ResourceResponse response)
        throws PortletException, IOException {
    if (request.getResourceID() != null) {
        // The resource ID comes straight from the URL (p_p_resource_id) and is
        // handed to the portlet context as a dispatcher path with no validation ...
        PortletRequestDispatcher rd =
                getPortletConfig().getPortletContext().getRequestDispatcher(
                        request.getResourceID());
        if (rd != null)
            // ... so any path the context can resolve, /WEB-INF/* included,
            // is forwarded to the caller.
            rd.forward(request, response);
    }
}
```

request.getResourceID() can be a path to any file and can be specified in the URL like this:
http://localhost:8080/web/guest/home?p_p_id=1_WAR_googlemapsportlet&p_p_lifecycle=2&p_p_resource_id=/WEB-INF/portlet.xml

In our fix, we basically check if the resourceId requested contains /WEB-INF/ in it. So anything under WEB-INF is protected.

Let me know if you need any additional information.

Thanks,
Matt


Adam Causey commented

It appears that this issue has been resolved in the most recent version of Spring (3.0.4). I upgraded and cannot access files under WEB-INF.

Thanks.


Juergen Hoeller commented

To be safe, I've added explicit protection against WEB-INF and META-INF access to Spring's resource serving code for 3.0.5. We're also setting the response status to 404 now in that case - which we didn't do before since GenericPortlet doesn't do it either (despite it being required by the Servlet specification, shining through to the Portlet spec).

Juergen
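
To make the two fixes discussed in this thread concrete (Liferay's "/WEB-INF/" substring check in the comment above, and the WEB-INF/META-INF protection with a 404 status that Juergen describes for 3.0.5), here is an added example. It is neither Spring's nor Liferay's code; it is a GenericPortlet subclass that overrides serveResource, normalises the resource ID before checking it, and answers 404 instead of forwarding. The class name GuardedResourcePortlet, the helper isProtectedResource, and the sample resource IDs in main are illustrative assumptions; the javax.portlet calls (getResourceID, getRequestDispatcher, forward, ResourceResponse.HTTP_STATUS_CODE) are the Portlet 2.0 API.

```java
import java.io.IOException;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletRequestDispatcher;
import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;

/**
 * Added example, not Spring's or Liferay's code: serveResource refuses resource
 * IDs that resolve into WEB-INF or META-INF and reports 404 instead of forwarding,
 * which is what the Servlet specification requires for those directories.
 * Class and helper names are illustrative.
 */
public class GuardedResourcePortlet extends GenericPortlet {

    /**
     * True when the resource ID must not be forwarded. The path is normalised
     * before the check so that "WEB-INF/portlet.xml" (no leading slash),
     * "/web-inf/portlet.xml", "/css/../WEB-INF/portlet.xml" and backslash
     * variants are all rejected, not only IDs that literally contain "/WEB-INF/".
     */
    static boolean isProtectedResource(String resourceId) {
        String path = resourceId.replace('\\', '/');
        int query = path.indexOf('?');
        if (query >= 0) {
            path = path.substring(0, query); // a query string is not part of the path
        }
        // Resolve "." and ".." segments the way a container would before lookup.
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                segments.pollLast(); // no-op at the root
                continue;
            }
            segments.addLast(segment);
        }
        // Reject the reserved directories wherever they occur, case-insensitively,
        // because some filesystems and containers match names that way.
        for (String segment : segments) {
            String upper = segment.toUpperCase(Locale.ROOT);
            if (upper.equals("WEB-INF") || upper.equals("META-INF")) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void serveResource(ResourceRequest request, ResourceResponse response)
            throws PortletException, IOException {
        String resourceId = request.getResourceID();
        if (resourceId == null) {
            return; // nothing requested, same as GenericPortlet
        }
        if (isProtectedResource(resourceId)) {
            // Refuse without forwarding and do not reveal whether the file exists.
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "404");
            return;
        }
        PortletRequestDispatcher rd =
                getPortletConfig().getPortletContext().getRequestDispatcher(resourceId);
        if (rd == null) {
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "404");
            return;
        }
        rd.forward(request, response);
    }

    /** Stand-alone check of the guard against constructed resource IDs. */
    public static void main(String[] args) {
        String[] blocked = {
            "/WEB-INF/portlet.xml",           // the ID from the report
            "WEB-INF/portlet.xml",            // no leading slash
            "/web-inf/portlet.xml",           // case variant
            "/css/../WEB-INF/portlet.xml",    // traversal
            "\\WEB-INF\\portlet.xml",         // backslashes
            "/META-INF/MANIFEST.MF",
            "/WEB-INF/portlet.xml?x=1"        // query string appended
        };
        String[] allowed = {"/css/site.css", "/images/logo.png", "/WEB-INFO/readme.txt"};
        for (String id : blocked) {
            if (!isProtectedResource(id)) throw new AssertionError("should block: " + id);
        }
        for (String id : allowed) {
            if (isProtectedResource(id)) throw new AssertionError("should allow: " + id);
        }
        System.out.println("guard OK");
    }
}
```

Two caveats for anyone applying this pattern. The guard does not percent-decode, on the assumption that the portal has already decoded p_p_resource_id before the portlet sees it; if resource IDs can reach your portlet still encoded, decode them first and then normalise. And a deny-list only protects the two reserved directories: if the portlet is meant to serve a small set of static files, an allow-list of permitted prefixes (or mapping resource IDs to files through a lookup table rather than using them as paths) is the stronger design.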

@spring-projects-issues spring-projects-issues added type: bug A general bug in: web Issues in web modules (web, webmvc, webflux, websocket) labels Jan 11, 2019
@spring-projects-issues spring-projects-issues added this to the 3.0.5 milestone Jan 11, 2019