Liferay 5.2.3 javascript injection vulnerability
According to Liferay's Jira, LPS-5545 is still open and affects Liferay 5.2.3.
I tested the above vulnerability on Liferay 6 and it looks like this problem was fixed. I looked at the code and what it does, and it turned out that everything you need to prevent this issue is already there in L5 too.
The short path
Simply use the Unix patch utility to apply this patch (Attach:LanguageImpl.java.patch), recompile, regenerate portal-impl.jar and live happily.
What it does
The patch checks the language id parameter against a white list of languages (namely _localesMap and _charEncodings) that is already there. We slightly modify the constructor to make sure the maps are filled:
    String[] localesArray = PropsValues.LOCALES;
    _locales = new Locale[localesArray.length];
    _localesSet = new HashSet<Locale>(localesArray.length);
    _localesMap = new HashMap<String, Locale>(localesArray.length);
    _charEncodings = new HashMap<String, String>();
    for (int i = 0; i < localesArray.length; i++) {
        String languageId = localesArray[i];
        int pos = languageId.indexOf(StringPool.UNDERLINE);
        String language = languageId.substring(0, pos);
        //String country = languageId.substring(pos + 1);
        Locale locale = LocaleUtil.fromLanguageId(languageId);
        _charEncodings.put(locale.toString(), StringPool.UTF8); // backport of white list of language ids
        _locales[i] = locale;
        if (!_localesMap.containsKey(language)) { // backport of white list of language ids
            _localesMap.put(language, locale);
        }
        _localesSet.add(locale);
        //_localesMap.put(language, locale); // backport of white list of language ids
        _charEncodings.put(locale.toString(), StringPool.UTF8);
    }
}
and add the check just before returning the language id:
    String languageId = ParamUtil.getString(request, "languageId");
    if (Validator.isNotNull(languageId)) {
        if (_localesMap.containsKey(languageId) || _charEncodings.containsKey(languageId)) { // backport of white list of language ids
            return languageId;
        }
    }
    Locale locale = PortalUtil.getLocale(request);
    return getLanguageId(locale);
}
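The white list check above as a stand-alone program, to show which request values pass and which fall back (an added example, not Liferay's code or the patch itself). LOCALES, the fallback locale and the inputs are constructed, and new Locale(...) stands in for LocaleUtil.fromLanguageId.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class LanguageIdAllowlistDemo {
    // Constructed stand-in for PropsValues.LOCALES.
    static final String[] LOCALES = {"en_US", "fr_FR", "pt_BR", "pt_PT"};

    // language -> first configured locale, and full locale string -> encoding,
    // filled the same way as the patched constructor.
    static final Map<String, Locale> localesMap = new HashMap<>();
    static final Map<String, String> charEncodings = new HashMap<>();

    static {
        for (String languageId : LOCALES) {
            int pos = languageId.indexOf('_');
            // Entries without a country part are handled instead of throwing.
            String language = (pos < 0) ? languageId : languageId.substring(0, pos);
            String country = (pos < 0) ? "" : languageId.substring(pos + 1);
            // Assumption: plain java.util.Locale replaces LocaleUtil.fromLanguageId.
            Locale locale = new Locale(language, country);
            charEncodings.put(locale.toString(), "UTF-8");
            localesMap.putIfAbsent(language, locale);
        }
    }

    // Returns the request value only if it is an exact white list key;
    // anything else falls back to the locale resolved on the server side.
    static String getLanguageId(String requested, Locale fallback) {
        if (requested != null && !requested.isEmpty()
                && (localesMap.containsKey(requested)
                    || charEncodings.containsKey(requested))) {
            return requested;
        }
        return fallback.toString();
    }

    public static void main(String[] args) {
        Locale fallback = Locale.US;
        // Constructed inputs: two configured ids, an unconfigured locale,
        // a value carrying markup, an empty value and a missing parameter.
        String[] inputs = {"fr_FR", "pt", "de_DE", "en_US\"><script>x</script>", "", null};
        for (String in : inputs) {
            System.out.println(in + " -> " + getLanguageId(in, fallback));
        }
    }
}
```

Because the lookup is an exact key match, a value that merely starts with a configured id is rejected along with everything else that is not in the maps.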
Happy patching, folks!