End user access to files in WEB-INF directory through DispatcherPortlet [SPR-7540] #12197
Comments
Dave Syer commented It appears the Liferay link you posted is not public. Can you summarise the problem here, please, and/or ask the Liferay admins to open it up.
Adam Causey commented We are using the Spring framework to build portlets for Liferay instead of their API. They can only fix the portlets that extend their portlet classes, but not ones extending the Spring classes. The problem is that using a certain URL public users can access files under the WEB-INF directory. The basic summary for the Liferay bug is the following: You can access files within the ROOT directory of Liferay or the docroot of a plugin. Users can access files within the plugin context. To test that the security patch applied correctly, the following link will display a blank page after applying the patch: http://[domain]/web/guest/home?p_p_id=1_WAR_googlemapsportlet&p_p_lifecycle=2&p_p_resource_id=/WEB-INF/portlet.xml
Adam Causey commented Here are additional details from Liferay support: This is technically not a bug because the method serveResource is So here is the code for serveResource in GenericPortlet. I got it from here:
response) throws PortletException, IOException { request.getResourceId() can be a path to any file and can be specified In our fix, we basically check if the resourceId requested contains Let me know if you need any additional information. Thanks,
Adam Causey commented It appears that this issue has been resolved in the most recent version of Spring (3.0.4). I upgraded and cannot access files under WEB-INF. Thanks.
Juergen Hoeller commented To be safe, I've added explicit protection against WEB-INF and META-INF access to Spring's resource serving code for 3.0.5. We're also setting the response status to 404 now in that case - which we didn't do before since GenericPortlet doesn't do it either (despite it being required by the Servlet specification, shining through to the Portlet spec). Juergen
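The kind of check Juergen describes, shown as an added example that is not Spring's own code (the real fix lives in Spring's portlet resource-serving path and is not reproduced here). The `ProtectedResourceCheck` class and its method names are assumptions; the sample resource ids in `main` are constructed, the first one mirroring the test link from the Liferay report. The helper canonicalises the id that `request.getResourceId()` would return (forward/back slashes, `.` and `..` segments) before deciding, so that neither traversal nor case tricks reach `WEB-INF` or `META-INF`:

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

/** Hypothetical helper: decides whether a portlet resource id may be served from the web-app root. */
public final class ProtectedResourceCheck {

    // Directories the servlet container itself never serves; a portlet must not either.
    private static final String[] PROTECTED_DIRS = { "WEB-INF", "META-INF" };

    private ProtectedResourceCheck() {}

    /**
     * Canonicalises a resource id into a root-relative path with "." and ".." resolved.
     * Returns null when ".." would climb above the web-app root.
     * Assumes the id is already percent-decoded, as the portlet container hands it over;
     * decode first if you read the raw query parameter instead.
     */
    static String normalize(String resourceId) {
        if (resourceId == null) {
            return "";
        }
        String path = resourceId.replace('\\', '/');
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;                       // "//" and "/./" carry no meaning
            }
            if (segment.equals("..")) {
                if (segments.isEmpty()) {
                    return null;                // escapes the root: never serve
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(segment);
        }
        return String.join("/", segments);
    }

    /** True when the id must be refused: it escapes the root or touches WEB-INF/META-INF anywhere. */
    public static boolean isProtected(String resourceId) {
        String normalized = normalize(resourceId);
        if (normalized == null) {
            return true;
        }
        for (String segment : normalized.split("/")) {
            String upper = segment.toUpperCase(Locale.ROOT);   // container paths are matched case-insensitively here, on purpose
            for (String dir : PROTECTED_DIRS) {
                if (upper.equals(dir)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample ids; the first is the one from the Liferay test link.
        String[] samples = {
            "/WEB-INF/portlet.xml",
            "images/logo.png",
            "css/../WEB-INF/web.xml",
            "\\web-inf\\portlet.xml",
            "../outside.txt",
            "docs/META-INF/MANIFEST.MF"
        };
        for (String id : samples) {
            System.out.println((isProtected(id) ? "refuse (404)  " : "serve         ") + id);
        }
    }
}
```

In a portlet's `serveResource`, the caller would run `isProtected(request.getResourceId())` before touching the file system and, on a hit, set `response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "404")` (the Portlet 2.0 API constant) and return without writing a body, which is the behaviour the thread says 3.0.5 adopted. Rejecting the id up front rather than after opening the file also keeps the decision independent of how the container resolves paths.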
Adam Causey opened SPR-7540 and commented
Hello,
We use the Liferay portal at our university and to develop our portlets we use org.springframework.web.portlet.DispatcherPortlet as the portlet class. There is a security bug that allows users to access files under the WEB-INF directory by using a certain URL. Liferay has told us that the problem is in the generic portlet and will need to be reported to Spring for this to be fixed. The Liferay bug is http://issues.liferay.com/browse/LPE-2960. Since we use the Spring portlet MVC and not the Liferay portlet classes, this needs to be fixed in the Spring code.
Thanks.
Affects: 2.5.6
Referenced from: commits 40fa8af