Medium severity (CVSS 6.1) · NVD Advisory · Published Aug 7, 2017 · Updated May 13, 2026
CVE-2017-12645
Description
Cross-site scripting (XSS) exists in Liferay Portal before 7.0 CE GA4 via an invalid portletId supplied in the `p_p_id` request parameter.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | < 7.0.3-ga4 | 7.0.3-ga4 |
Affected products
1Patches
6c6d7707c2e98LPS-77403 Revert "LPS-72307 Migrate test"
4 files changed · +139 −79
modules/apps/static/portal-osgi-web/portal-osgi-web-portlet-container-test/src/testIntegration/java/com/liferay/portal/osgi/web/portlet/container/test/RenderRequestPortletContainerTest.java+40 −0 modified
@@ -20,16 +20,20 @@
 import com.liferay.portal.kernel.util.HashMapDictionary;
 import com.liferay.portal.kernel.util.HttpUtil;
 import com.liferay.portal.kernel.util.MapUtil;
+import com.liferay.portal.test.log.CaptureAppender;
+import com.liferay.portal.test.log.Log4JLoggerTestUtil;
 import com.liferay.portal.test.rule.LiferayIntegrationTestRule;
 import com.liferay.portal.util.test.PortletContainerTestUtil;
 import com.liferay.portal.util.test.PortletContainerTestUtil.Response;
 import com.liferay.portlet.PortletURLImpl;
+import com.liferay.portlet.SecurityPortletContainerWrapper;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.util.Collections;
 import java.util.Dictionary;
+import java.util.List;
 import java.util.Map;
 import javax.portlet.PortletContext;
@@ -45,6 +49,9 @@
 import javax.servlet.http.HttpServletRequest;
+import org.apache.log4j.Level;
+import org.apache.log4j.spi.LoggingEvent;
+
 import org.junit.Assert;
 import org.junit.ClassRule;
 import org.junit.Rule;
@@ -63,6 +70,39 @@ public class RenderRequestPortletContainerTest
 public static final AggregateTestRule aggregateTestRule =
 new LiferayIntegrationTestRule();
+ @Test
+ public void testInvalidPortletId() throws Exception {
+ HttpServletRequest httpServletRequest =
+ PortletContainerTestUtil.getHttpServletRequest(group, layout);
+
+ String url =
+ layout.getRegularURL(httpServletRequest) +
+ "?p_p_id='\"><script>alert(1)</script>&p_p_lifecycle=0&" +
+ "p_p_state=exclusive";
+
+ try (CaptureAppender captureAppender =
+ Log4JLoggerTestUtil.configureLog4JLogger(
+ SecurityPortletContainerWrapper.class.getName(),
+ Level.WARN)) {
+
+ Response response = PortletContainerTestUtil.request(url);
+
+ List<LoggingEvent> loggingEvents =
+ captureAppender.getLoggingEvents();
+
+ Assert.assertEquals(
+ loggingEvents.toString(), 1, loggingEvents.size());
+
+ LoggingEvent loggingEvent = loggingEvents.get(0);
+
+ Assert.assertEquals(
+ "Invalid portlet ID '\"><script>alert(1)</script>",
+ loggingEvent.getMessage());
+
+ Assert.assertEquals(200, response.getCode());
+ }
+ }
+
 @Test
 public void testIsAccessGrantedByPortletAuthenticationToken()
 throws Exception {
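Review bot: `testInvalidPortletId` asserts only the single WARN log line and a 200 status, so it would still pass if the raw `p_p_id` value were echoed into the rendered page — the reflected-XSS outcome this test exists to guard against is never asserted on the response itself. If `Response` exposes the body, add an assertion after the status check along the lines of `Assert.assertFalse(response.getBody().contains("<script>alert(1)</script>"));`, using whatever accessor the helper actually provides. Matching the exact log message also pins the wrapper writing the unescaped payload into the log as expected behaviour; if that is intentional, a one-line comment saying so would stop a later reader from "fixing" the test when the log format is sanitized. The test class continues outside the hunk.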
modules/apps/static/portal-osgi-web/portal-osgi-web-portlet-container-test/src/testIntegration/java/com/liferay/portal/osgi/web/portlet/container/test/ResourceRequestPortletContainerTest.java+48 −0 modified
@@ -20,16 +20,20 @@
 import com.liferay.portal.kernel.util.HashMapDictionary;
 import com.liferay.portal.kernel.util.HttpUtil;
 import com.liferay.portal.kernel.util.MapUtil;
+import com.liferay.portal.test.log.CaptureAppender;
+import com.liferay.portal.test.log.Log4JLoggerTestUtil;
 import com.liferay.portal.test.rule.LiferayIntegrationTestRule;
 import com.liferay.portal.util.test.PortletContainerTestUtil;
 import com.liferay.portal.util.test.PortletContainerTestUtil.Response;
 import com.liferay.portlet.PortletURLImpl;
+import com.liferay.portlet.SecurityPortletContainerWrapper;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.util.Collections;
 import java.util.Dictionary;
+import java.util.List;
 import java.util.Map;
 import javax.portlet.PortletContext;
@@ -43,6 +47,9 @@
 import javax.servlet.http.HttpServletRequest;
+import org.apache.log4j.Level;
+import org.apache.log4j.spi.LoggingEvent;
+
 import org.junit.Assert;
 import org.junit.ClassRule;
 import org.junit.Rule;
@@ -61,6 +68,47 @@ public class ResourceRequestPortletContainerTest
 public static final AggregateTestRule aggregateTestRule =
 new LiferayIntegrationTestRule();
+ @Test
+ public void testInvalidPortletId() throws Exception {
+ HttpServletRequest httpServletRequest =
+ PortletContainerTestUtil.getHttpServletRequest(group, layout);
+
+ String layoutURL = layout.getRegularURL(httpServletRequest);
+
+ String url =
+ layoutURL +
+ "?p_p_id='\"><script>alert(1)</script>&p_p_lifecycle=2&";
+
+ try (CaptureAppender captureAppender =
+ Log4JLoggerTestUtil.configureLog4JLogger(
+ SecurityPortletContainerWrapper.class.getName(),
+ Level.WARN)) {
+
+ Response response = PortletContainerTestUtil.request(url);
+
+ List<LoggingEvent> loggingEvents =
+ captureAppender.getLoggingEvents();
+
+ Assert.assertEquals(
+ loggingEvents.toString(), 2, loggingEvents.size());
+
+ LoggingEvent loggingEvent = loggingEvents.get(0);
+
+ Assert.assertEquals(
+ "Invalid portlet ID '\"><script>alert(1)</script>",
+ loggingEvent.getMessage());
+
+ loggingEvent = loggingEvents.get(1);
+
+ Assert.assertEquals(
+ "Reject serveResource for " + layoutURL +
+ " on '\"><script>alert(1)</script>",
+ loggingEvent.getMessage());
+
+ Assert.assertEquals(400, response.getCode());
+ }
+ }
+
 @Test
 public void testIsAccessGrantedByPortletAuthenticationToken()
 throws Exception {
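Review bot: The same invalid `p_p_id` yields a 400 here but a 200 in the render-request sibling test, and nothing in either test explains the asymmetry, so a reader cannot tell whether the 200 is a deliberate "render the page without the portlet" outcome or a swallowed rejection. Add a comment above the status assertion, e.g. `// serveResource rejects an invalid portlet ID outright (400); the render path logs and continues (200, see RenderRequestPortletContainerTest)`, hedged as appropriate once the render-path behaviour is confirmed. As in the render test, the response body is never checked for the payload, so the XSS regression itself is only covered indirectly via the status code. The test class continues outside the hunk.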
portal-impl/test/unit/com/liferay/portal/service/ValidPortletIdTest.java+0 −79 removed@@ -1,79 +0,0 @@ -/** - * Copyright (c) 2000-present Liferay, Inc. All rights reserved. - * - * This library is free software; you can redistribute it and/or modify it under - * the terms of the GNU Lesser General Public License as published by the Free - * Software Foundation; either version 2.1 of the License, or (at your option) - * any later version. - * - * This library is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more - * details. - */ - -package com.liferay.portal.service; - -import com.liferay.portal.kernel.test.CaptureHandler; -import com.liferay.portal.kernel.test.JDKLoggerTestUtil; -import com.liferay.portal.kernel.test.ReflectionTestUtil; -import com.liferay.portal.service.impl.PortletLocalServiceImpl; - -import java.lang.reflect.Method; - -import java.util.List; -import java.util.logging.Level; -import java.util.logging.LogRecord; - -import org.junit.Assert; -import org.junit.Test; - -/** - * @author Matthew Tambara - */ -public class ValidPortletIdTest { - - @Test - public void testIsValidPortletId() throws Exception { - Method method = ReflectionTestUtil.getMethod( - PortletLocalServiceImpl.class, "_checkValidPortletId", - String.class); - - PortletLocalServiceImpl portletLocalServiceImpl = - new PortletLocalServiceImpl(); - - method.invoke(portletLocalServiceImpl, "aaa"); - method.invoke(portletLocalServiceImpl, "AAA"); - method.invoke(portletLocalServiceImpl, "123"); - method.invoke(portletLocalServiceImpl, "aA1"); - method.invoke(portletLocalServiceImpl, "aaa_bbb"); - method.invoke(portletLocalServiceImpl, "aaa#bbb"); - - try (CaptureHandler captureHandler = - JDKLoggerTestUtil.configureJDKLogger( - PortletLocalServiceImpl.class.getName(), Level.WARNING)) { - - try { - method.invoke( - 
portletLocalServiceImpl, - "2_INSTANCE_'\"><script>alert(1)</script>"); - - Assert.fail(); - } - catch (Exception e) { - } - - List<LogRecord> logRecords = captureHandler.getLogRecords(); - - Assert.assertEquals(logRecords.toString(), 1, logRecords.size()); - - LogRecord logRecord = logRecords.get(0); - - Assert.assertEquals( - logRecord.toString(), - "Invalid portlet ID 2_INSTANCE_'\"><script>alert(1)</script>", - logRecord.getMessage()); - } - } - -} \ No newline at end of file
portal-impl/test/unit/com/liferay/portlet/SecurityPortletContainerWrapperTest.java+51 −0 added
@@ -0,0 +1,51 @@
+/**
+ * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
+ *
+ * This library is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 2.1 of the License, or (at your option)
+ * any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+ * details.
+ */
+
+package com.liferay.portlet;
+
+import com.liferay.portal.kernel.portlet.PortletContainer;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+/**
+ * @author Akos Thurzo
+ */
+public class SecurityPortletContainerWrapperTest {
+
+ @Test
+ public void testIsValidPortletId() {
+ PortletContainer portletContainer = new PortletContainerImpl();
+
+ SecurityPortletContainerWrapper securityPortletContainerWrapper =
+ new SecurityPortletContainerWrapper(portletContainer);
+
+ Assert.assertTrue(
+ securityPortletContainerWrapper.isValidPortletId("aaa"));
+ Assert.assertTrue(
+ securityPortletContainerWrapper.isValidPortletId("AAA"));
+ Assert.assertTrue(
+ securityPortletContainerWrapper.isValidPortletId("123"));
+ Assert.assertTrue(
+ securityPortletContainerWrapper.isValidPortletId("aA1"));
+ Assert.assertTrue(
+ securityPortletContainerWrapper.isValidPortletId("aaa_bbb"));
+ Assert.assertTrue(
+ securityPortletContainerWrapper.isValidPortletId("aaa#bbb"));
+ Assert.assertFalse(
+ securityPortletContainerWrapper.isValidPortletId(
+ "2_INSTANCE_'\"><script>alert(1)</script>"));
+ }
+
+}
\ No newline at end of file
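Review bot: The only negative case bundles `'`, `"`, `<`, `>`, `/`, `(` and `)` into one string, so the test cannot tell which characters the allowlist actually rejects; add single-character negatives such as `Assert.assertFalse(securityPortletContainerWrapper.isValidPortletId("a<b"));` and `Assert.assertFalse(securityPortletContainerWrapper.isValidPortletId("a b"));` so a regression in one branch is caught. The empty string is also untested: if `isValidPortletId` is the per-character loop whose start is visible in the SecurityPortletContainerWrapper hunks on this page, `""` passes by default, and that should be pinned with an explicit `assertTrue` (or the method changed and pinned with `assertFalse`) rather than left implicit. Instantiating `PortletContainerImpl` only to satisfy the wrapper constructor is fine for a unit test but deserves a one-line comment saying the delegate is never exercised.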
6f2bd2569c78LPS-77403 Revert "LPS-72307 Strictly assert the PrincipalException"
1 file changed · +4 −12
portal-impl/test/unit/com/liferay/portal/service/ValidPortletIdTest.java+4 −12 modified@@ -14,13 +14,11 @@ package com.liferay.portal.service; -import com.liferay.portal.kernel.security.auth.PrincipalException; import com.liferay.portal.kernel.test.CaptureHandler; import com.liferay.portal.kernel.test.JDKLoggerTestUtil; import com.liferay.portal.kernel.test.ReflectionTestUtil; import com.liferay.portal.service.impl.PortletLocalServiceImpl; -import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.util.List; @@ -55,20 +53,14 @@ public void testIsValidPortletId() throws Exception { JDKLoggerTestUtil.configureJDKLogger( PortletLocalServiceImpl.class.getName(), Level.WARNING)) { - String portletId = "2_INSTANCE_'\"><script>alert(1)</script>"; - try { - method.invoke(portletLocalServiceImpl, portletId); + method.invoke( + portletLocalServiceImpl, + "2_INSTANCE_'\"><script>alert(1)</script>"); Assert.fail(); } - catch (InvocationTargetException ite) { - Throwable throwable = ite.getCause(); - - Assert.assertSame( - PrincipalException.class, throwable.getClass()); - Assert.assertEquals( - "Invalid portlet ID " + portletId, throwable.getMessage()); + catch (Exception e) { } List<LogRecord> logRecords = captureHandler.getLogRecords();
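Review bot: Going back to an empty `catch (Exception e) {}` means the negative case passes on any exception raised inside `method.invoke` — a NullPointerException or an IllegalArgumentException from reflection satisfies it as readily as the `PrincipalException` that `_checkValidPortletId` declares, so the test no longer proves the contract, only that something went wrong. `Assert.fail()` still propagates because `AssertionError` is not an `Exception`, so the test is not silently green, but the log-message assertion below is the only thing tying it to the intended failure. At minimum name the variable `ignored` and comment why the type is not checked; better, catch `InvocationTargetException` and assert on `getCause()`. The test method continues outside the hunk.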
122b0dd9ca72LPS-72307 Strictly assert the PrincipalException
1 file changed · +12 −4
portal-impl/test/unit/com/liferay/portal/service/ValidPortletIdTest.java+12 −4 modified@@ -14,11 +14,13 @@ package com.liferay.portal.service; +import com.liferay.portal.kernel.security.auth.PrincipalException; import com.liferay.portal.kernel.test.CaptureHandler; import com.liferay.portal.kernel.test.JDKLoggerTestUtil; import com.liferay.portal.kernel.test.ReflectionTestUtil; import com.liferay.portal.service.impl.PortletLocalServiceImpl; +import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.util.List; @@ -53,14 +55,20 @@ public void testIsValidPortletId() throws Exception { JDKLoggerTestUtil.configureJDKLogger( PortletLocalServiceImpl.class.getName(), Level.WARNING)) { + String portletId = "2_INSTANCE_'\"><script>alert(1)</script>"; + try { - method.invoke( - portletLocalServiceImpl, - "2_INSTANCE_'\"><script>alert(1)</script>"); + method.invoke(portletLocalServiceImpl, portletId); Assert.fail(); } - catch (Exception e) { + catch (InvocationTargetException ite) { + Throwable throwable = ite.getCause(); + + Assert.assertSame( + PrincipalException.class, throwable.getClass()); + Assert.assertEquals( + "Invalid portlet ID " + portletId, throwable.getMessage()); } List<LogRecord> logRecords = captureHandler.getLogRecords();
bbb8bc90c2d1LPS-72307 Migrate test
4 files changed · +79 −139
modules/apps/static/portal-osgi-web/portal-osgi-web-portlet-container-test/src/testIntegration/java/com/liferay/portal/osgi/web/portlet/container/test/RenderRequestPortletContainerTest.java+0 −40 modified@@ -20,20 +20,16 @@ import com.liferay.portal.kernel.util.HashMapDictionary; import com.liferay.portal.kernel.util.HttpUtil; import com.liferay.portal.kernel.util.MapUtil; -import com.liferay.portal.test.log.CaptureAppender; -import com.liferay.portal.test.log.Log4JLoggerTestUtil; import com.liferay.portal.test.rule.LiferayIntegrationTestRule; import com.liferay.portal.util.test.PortletContainerTestUtil; import com.liferay.portal.util.test.PortletContainerTestUtil.Response; import com.liferay.portlet.PortletURLImpl; -import com.liferay.portlet.SecurityPortletContainerWrapper; import java.io.IOException; import java.io.PrintWriter; import java.util.Collections; import java.util.Dictionary; -import java.util.List; import java.util.Map; import javax.portlet.PortletContext; @@ -49,9 +45,6 @@ import javax.servlet.http.HttpServletRequest; -import org.apache.log4j.Level; -import org.apache.log4j.spi.LoggingEvent; - import org.junit.Assert; import org.junit.ClassRule; import org.junit.Rule; 
@@ -70,39 +63,6 @@ public class RenderRequestPortletContainerTest public static final AggregateTestRule aggregateTestRule = new LiferayIntegrationTestRule(); - @Test - public void testInvalidPortletId() throws Exception { - HttpServletRequest httpServletRequest = - PortletContainerTestUtil.getHttpServletRequest(group, layout); - - String url = - layout.getRegularURL(httpServletRequest) + - "?p_p_id='\"><script>alert(1)</script>&p_p_lifecycle=0&" + - "p_p_state=exclusive"; - - try (CaptureAppender captureAppender = - Log4JLoggerTestUtil.configureLog4JLogger( - SecurityPortletContainerWrapper.class.getName(), - Level.WARN)) { - - Response response = PortletContainerTestUtil.request(url); - - List<LoggingEvent> loggingEvents = - captureAppender.getLoggingEvents(); - - Assert.assertEquals( - loggingEvents.toString(), 1, loggingEvents.size()); - - LoggingEvent loggingEvent = loggingEvents.get(0); - - Assert.assertEquals( - "Invalid portlet ID '\"><script>alert(1)</script>", - loggingEvent.getMessage()); - - Assert.assertEquals(200, response.getCode()); - } - } - @Test public void testIsAccessGrantedByPortletAuthenticationToken() throws Exception {
modules/apps/static/portal-osgi-web/portal-osgi-web-portlet-container-test/src/testIntegration/java/com/liferay/portal/osgi/web/portlet/container/test/ResourceRequestPortletContainerTest.java+0 −48 modified@@ -20,20 +20,16 @@ import com.liferay.portal.kernel.util.HashMapDictionary; import com.liferay.portal.kernel.util.HttpUtil; import com.liferay.portal.kernel.util.MapUtil; -import com.liferay.portal.test.log.CaptureAppender; -import com.liferay.portal.test.log.Log4JLoggerTestUtil; import com.liferay.portal.test.rule.LiferayIntegrationTestRule; import com.liferay.portal.util.test.PortletContainerTestUtil; import com.liferay.portal.util.test.PortletContainerTestUtil.Response; import com.liferay.portlet.PortletURLImpl; -import com.liferay.portlet.SecurityPortletContainerWrapper; import java.io.IOException; import java.io.PrintWriter; import java.util.Collections; import java.util.Dictionary; -import java.util.List; import java.util.Map; import javax.portlet.PortletContext; @@ -47,9 +43,6 @@ import javax.servlet.http.HttpServletRequest; -import org.apache.log4j.Level; -import org.apache.log4j.spi.LoggingEvent; - import org.junit.Assert; import org.junit.ClassRule; import org.junit.Rule; 
@@ -68,47 +61,6 @@ public class ResourceRequestPortletContainerTest public static final AggregateTestRule aggregateTestRule = new LiferayIntegrationTestRule(); - @Test - public void testInvalidPortletId() throws Exception { - HttpServletRequest httpServletRequest = - PortletContainerTestUtil.getHttpServletRequest(group, layout); - - String layoutURL = layout.getRegularURL(httpServletRequest); - - String url = - layoutURL + - "?p_p_id='\"><script>alert(1)</script>&p_p_lifecycle=2&"; - - try (CaptureAppender captureAppender = - Log4JLoggerTestUtil.configureLog4JLogger( - SecurityPortletContainerWrapper.class.getName(), - Level.WARN)) { - - Response response = PortletContainerTestUtil.request(url); - - List<LoggingEvent> loggingEvents = - captureAppender.getLoggingEvents(); - - Assert.assertEquals( - loggingEvents.toString(), 2, loggingEvents.size()); - - LoggingEvent loggingEvent = loggingEvents.get(0); - - Assert.assertEquals( - "Invalid portlet ID '\"><script>alert(1)</script>", - loggingEvent.getMessage()); - - loggingEvent = loggingEvents.get(1); - - Assert.assertEquals( - "Reject serveResource for " + layoutURL + - " on '\"><script>alert(1)</script>", - loggingEvent.getMessage()); - - Assert.assertEquals(400, response.getCode()); - } - } - @Test public void testIsAccessGrantedByPortletAuthenticationToken() throws Exception {
portal-impl/test/unit/com/liferay/portal/service/ValidPortletIdTest.java+79 −0 added@@ -0,0 +1,79 @@ +/** + * Copyright (c) 2000-present Liferay, Inc. All rights reserved. + * + * This library is free software; you can redistribute it and/or modify it under + * the terms of the GNU Lesser General Public License as published by the Free + * Software Foundation; either version 2.1 of the License, or (at your option) + * any later version. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more + * details. + */ + +package com.liferay.portal.service; + +import com.liferay.portal.kernel.test.CaptureHandler; +import com.liferay.portal.kernel.test.JDKLoggerTestUtil; +import com.liferay.portal.kernel.test.ReflectionTestUtil; +import com.liferay.portal.service.impl.PortletLocalServiceImpl; + +import java.lang.reflect.Method; + +import java.util.List; +import java.util.logging.Level; +import java.util.logging.LogRecord; + +import org.junit.Assert; +import org.junit.Test; + +/** + * @author Matthew Tambara + */ +public class ValidPortletIdTest { + + @Test + public void testIsValidPortletId() throws Exception { + Method method = ReflectionTestUtil.getMethod( + PortletLocalServiceImpl.class, "_checkValidPortletId", + String.class); + + PortletLocalServiceImpl portletLocalServiceImpl = + new PortletLocalServiceImpl(); + + method.invoke(portletLocalServiceImpl, "aaa"); + method.invoke(portletLocalServiceImpl, "AAA"); + method.invoke(portletLocalServiceImpl, "123"); + method.invoke(portletLocalServiceImpl, "aA1"); + method.invoke(portletLocalServiceImpl, "aaa_bbb"); + method.invoke(portletLocalServiceImpl, "aaa#bbb"); + + try (CaptureHandler captureHandler = + JDKLoggerTestUtil.configureJDKLogger( + PortletLocalServiceImpl.class.getName(), Level.WARNING)) { + + try { + method.invoke( + 
portletLocalServiceImpl, + "2_INSTANCE_'\"><script>alert(1)</script>"); + + Assert.fail(); + } + catch (Exception e) { + } + + List<LogRecord> logRecords = captureHandler.getLogRecords(); + + Assert.assertEquals(logRecords.toString(), 1, logRecords.size()); + + LogRecord logRecord = logRecords.get(0); + + Assert.assertEquals( + logRecord.toString(), + "Invalid portlet ID 2_INSTANCE_'\"><script>alert(1)</script>", + logRecord.getMessage()); + } + } + +} \ No newline at end of file
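Review bot: This unit test reaches the private `_checkValidPortletId` through reflection and, in the same commit, replaces the two integration tests that sent an invalid `p_p_id` through `PortletContainerTestUtil.request(...)`, so nothing left in the suite exercises the request path that the advisory describes as the vector — only the deploy-time method is covered. Keep at least one request-level case alongside this test, or this migration silently removes the regression test for the CVE. Separately, `catch (Exception e) {}` accepts any exception from `method.invoke`, not just a `PrincipalException` cause; `Assert.fail()` still propagates because `AssertionError` is an `Error`, but a `catch (InvocationTargetException ite)` asserting `ite.getCause()` is a `PrincipalException` would pin the declared contract rather than rely on the log-message assertion alone.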
portal-impl/test/unit/com/liferay/portlet/SecurityPortletContainerWrapperTest.java+0 −51 removed@@ -1,51 +0,0 @@ -/** - * Copyright (c) 2000-present Liferay, Inc. All rights reserved. - * - * This library is free software; you can redistribute it and/or modify it under - * the terms of the GNU Lesser General Public License as published by the Free - * Software Foundation; either version 2.1 of the License, or (at your option) - * any later version. - * - * This library is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more - * details. - */ - -package com.liferay.portlet; - -import com.liferay.portal.kernel.portlet.PortletContainer; - -import org.junit.Assert; -import org.junit.Test; - -/** - * @author Akos Thurzo - */ -public class SecurityPortletContainerWrapperTest { - - @Test - public void testIsValidPortletId() { - PortletContainer portletContainer = new PortletContainerImpl(); - - SecurityPortletContainerWrapper securityPortletContainerWrapper = - new SecurityPortletContainerWrapper(portletContainer); - - Assert.assertTrue( - securityPortletContainerWrapper.isValidPortletId("aaa")); - Assert.assertTrue( - securityPortletContainerWrapper.isValidPortletId("AAA")); - Assert.assertTrue( - securityPortletContainerWrapper.isValidPortletId("123")); - Assert.assertTrue( - securityPortletContainerWrapper.isValidPortletId("aA1")); - Assert.assertTrue( - securityPortletContainerWrapper.isValidPortletId("aaa_bbb")); - Assert.assertTrue( - securityPortletContainerWrapper.isValidPortletId("aaa#bbb")); - Assert.assertFalse( - securityPortletContainerWrapper.isValidPortletId( - "2_INSTANCE_'\"><script>alert(1)</script>")); - } - -} \ No newline at end of file
f30571c35025LPS-72307 Move portletId validation to portlet deploy
2 files changed · +39 −9
portal-impl/src/com/liferay/portal/service/impl/PortletLocalServiceImpl.java+35 −0 modified
@@ -58,6 +58,7 @@
 import com.liferay.portal.kernel.scheduler.TimeUnit;
 import com.liferay.portal.kernel.scheduler.Trigger;
 import com.liferay.portal.kernel.scheduler.TriggerFactoryUtil;
+import com.liferay.portal.kernel.security.auth.PrincipalException;
 import com.liferay.portal.kernel.security.permission.ActionKeys;
 import com.liferay.portal.kernel.security.permission.ResourceActionsUtil;
 import com.liferay.portal.kernel.service.permission.PortletPermissionUtil;
@@ -282,6 +283,8 @@ public void deletePortlets(long companyId, String[] portletIds, long plid)
 @Override
 @Skip
 public void deployPortlet(Portlet portlet) throws Exception {
+ _checkValidPortletId(portlet.getPortletId());
+
 PortletApp portletApp = portlet.getPortletApp();
 _portletApps.put(portletApp.getServletContextName(), portletApp);
@@ -322,6 +325,8 @@ public Portlet deployRemotePortlet(
 Portlet portlet, String[] categoryNames, boolean eagerDestroy)
 throws PortalException {
+ _checkValidPortletId(portlet.getPortletId());
+
 _portletsMap.put(portlet.getPortletId(), portlet);
 if (eagerDestroy) {
@@ -2619,6 +2624,36 @@ protected Portlet updatePortlet(
 return updatePortlet(companyId, portletId, roles, active);
 }
+ private void _checkValidPortletId(String portletId)
+ throws PrincipalException {
+
+ for (int i = 0; i < portletId.length(); i++) {
+ char c = portletId.charAt(i);
+
+ if ((c >= CharPool.LOWER_CASE_A) && (c <= CharPool.LOWER_CASE_Z)) {
+ continue;
+ }
+
+ if ((c >= CharPool.UPPER_CASE_A) && (c <= CharPool.UPPER_CASE_Z)) {
+ continue;
+ }
+
+ if ((c >= CharPool.NUMBER_0) && (c <= CharPool.NUMBER_9)) {
+ continue;
+ }
+
+ if ((c == CharPool.POUND) || (c == CharPool.UNDERLINE)) {
+ continue;
+ }
+
+ if (_log.isWarnEnabled()) {
+ _log.warn("Invalid portlet ID " + portletId);
+ }
+
+ throw new PrincipalException("Invalid portlet ID " + portletId);
+ }
+ }
+
 private static final Log _log = LogFactoryUtil.getLog(
 PortletLocalServiceImpl.class);
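Review bot: `_checkValidPortletId` is invoked only from `deployPortlet` and `deployRemotePortlet`, so it validates the ids of portlets being registered, not the `p_p_id` an attacker places in a request; an id that was never deployed never reaches this method, and the companion hunk in this commit removes the request-time check from `SecurityPortletContainerWrapper.check()`, leaving the advisory's vector unguarded unless the request path rejects unknown ids somewhere not visible here — that should be demonstrated with a request-level test before the old check goes. Two points on the method itself: the loop accepts the empty string by construction (`_checkValidPortletId("")` returns normally), which deserves either an explicit rejection or a comment saying an empty id is legitimate; and `_log.warn("Invalid portlet ID " + portletId)` writes the rejected, unescaped value verbatim into the log, so anything that arrives here from user input can carry CR/LF or markup into log entries — log a length-capped copy with control characters stripped, or just the fact of rejection. `updatePortlet` and the field declarations at the end extend beyond the hunk.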
portal-impl/src/com/liferay/portlet/SecurityPortletContainerWrapper.java+4 −9 modified
@@ -175,15 +175,6 @@ protected void check(HttpServletRequest request, Portlet portlet)
 return;
 }
- if (!isValidPortletId(portlet.getPortletId())) {
- if (_log.isWarnEnabled()) {
- _log.warn("Invalid portlet ID " + portlet.getPortletId());
- }
-
- throw new PrincipalException(
- "Invalid portlet ID " + portlet.getPortletId());
- }
-
 if (portlet.isUndeployedPortlet()) {
 return;
 }
@@ -306,6 +297,10 @@ protected HttpServletRequest getOwnerLayoutRequestWrapper(
 return tempAttributesServletRequest;
 }
+ /**
+ * @deprecated As of 7.0.0, with no direct replacement
+ */
+ @Deprecated
 protected boolean isValidPortletId(String portletId) {
 for (int i = 0; i < portletId.length(); i++) {
 char c = portletId.charAt(i);
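Review bot: With the `isValidPortletId` guard removed, `check()` now returns early on `portlet.isUndeployedPortlet()` without any validation of the id, so a placeholder `Portlet` built from a request-supplied `p_p_id` that was never deployed passes `check()` even though the deploy-time `_checkValidPortletId` introduced in this commit can never have seen it; the commit does not show where that case is rejected, and the integration tests that covered it are deleted in the follow-up migration. Until that is demonstrated, keeping a cheap `isValidPortletId` call ahead of the `isUndeployedPortlet()` return costs nothing and closes the gap. The `@deprecated` Javadoc should also name the replacement rather than claim there is none, e.g. `@deprecated As of 7.0.0, replaced by deploy-time validation in PortletLocalServiceImpl#deployPortlet`, since `isValidPortletId` is kept `protected` and callers will look for where to go. Both `check()` and `isValidPortletId` extend beyond the hunk.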
89c4514fc7d5LPS-77403 Revert "LPS-72307 Move portletId validation to portlet deploy"
2 files changed · +9 −39
portal-impl/src/com/liferay/portal/service/impl/PortletLocalServiceImpl.java+0 −35 modified
@@ -61,7 +61,6 @@
 import com.liferay.portal.kernel.scheduler.TimeUnit;
 import com.liferay.portal.kernel.scheduler.Trigger;
 import com.liferay.portal.kernel.scheduler.TriggerFactoryUtil;
-import com.liferay.portal.kernel.security.auth.PrincipalException;
 import com.liferay.portal.kernel.security.permission.ActionKeys;
 import com.liferay.portal.kernel.security.permission.ResourceActionsUtil;
 import com.liferay.portal.kernel.service.permission.PortletPermissionUtil;
@@ -288,8 +287,6 @@ public void deletePortlets(long companyId, String[] portletIds, long plid)
 @Override
 @Skip
 public void deployPortlet(Portlet portlet) throws Exception {
- _checkValidPortletId(portlet.getPortletId());
-
 PortletApp portletApp = portlet.getPortletApp();
 _portletApps.put(portletApp.getServletContextName(), portletApp);
@@ -330,8 +327,6 @@ public Portlet deployRemotePortlet(
 Portlet portlet, String[] categoryNames, boolean eagerDestroy)
 throws PortalException {
- _checkValidPortletId(portlet.getPortletId());
-
 ResourceActionsUtil.check(portlet);
 _portletsMap.put(portlet.getPortletId(), portlet);
@@ -2733,36 +2728,6 @@ protected Portlet updatePortlet(
 return updatePortlet(companyId, portletId, roles, active);
 }
- private void _checkValidPortletId(String portletId)
- throws PrincipalException {
-
- for (int i = 0; i < portletId.length(); i++) {
- char c = portletId.charAt(i);
-
- if ((c >= CharPool.LOWER_CASE_A) && (c <= CharPool.LOWER_CASE_Z)) {
- continue;
- }
-
- if ((c >= CharPool.UPPER_CASE_A) && (c <= CharPool.UPPER_CASE_Z)) {
- continue;
- }
-
- if ((c >= CharPool.NUMBER_0) && (c <= CharPool.NUMBER_9)) {
- continue;
- }
-
- if ((c == CharPool.POUND) || (c == CharPool.UNDERLINE)) {
- continue;
- }
-
- if (_log.isWarnEnabled()) {
- _log.warn("Invalid portlet ID " + portletId);
- }
-
- throw new PrincipalException("Invalid portlet ID " + portletId);
- }
- }
-
 private boolean _isCustomPortletMode(String portletModeName) {
 return PortalUtil.isCustomPortletMode(new PortletMode(portletModeName));
 }
portal-impl/src/com/liferay/portlet/SecurityPortletContainerWrapper.java+9 −4 modified
@@ -190,6 +190,15 @@ protected void check(HttpServletRequest request, Portlet portlet)
 return;
 }
+ if (!isValidPortletId(portlet.getPortletId())) {
+ if (_log.isWarnEnabled()) {
+ _log.warn("Invalid portlet ID " + portlet.getPortletId());
+ }
+
+ throw new PrincipalException(
+ "Invalid portlet ID " + portlet.getPortletId());
+ }
+
 if (portlet.isUndeployedPortlet()) {
 return;
 }
@@ -312,10 +321,6 @@ protected HttpServletRequest getOwnerLayoutRequestWrapper(
 return tempAttributesServletRequest;
 }
- /**
- * @deprecated As of 7.0.0, with no direct replacement
- */
- @Deprecated
 protected boolean isValidPortletId(String portletId) {
 for (int i = 0; i < portletId.length(); i++) {
 char c = portletId.charAt(i);
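Review bot: The restored block logs `portlet.getPortletId()` verbatim at WARN before throwing, and the integration tests in this series show that value arriving straight from the request as `'\"><script>alert(1)</script>` — so attacker-controlled input lands unescaped in the server log, where embedded CR/LF can forge entries and markup can trip log viewers. Log a sanitized form (strip control characters, cap the length) or only the fact of rejection together with the request URL, and keep the raw value out of the `PrincipalException` message as well if that message can surface to a client. The check is also placed after an earlier `return;` whose condition lies outside the hunk; if that early exit is reachable with an invalid id, it bypasses this validation and is worth confirming. `check()` and `isValidPortletId` both extend beyond the hunk.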
References
- dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities (NVD: Issue Tracking, Patch, Vendor Advisory)
- github.com/advisories/GHSA-cvrj-cw2f-25qw (GHSA: Advisory)
- issues.liferay.com/browse/LPS-72307 (NVD: Issue Tracking, Vendor Advisory; Web)
- nvd.nist.gov/vuln/detail/CVE-2017-12645 (GHSA: Advisory)
- github.com/liferay/liferay-portal/commit/122b0dd9ca729a4df0f06fe01b3648755c5048f9 (GHSA: Web)
- github.com/liferay/liferay-portal/commit/6f2bd2569c78677b9eeab83ae42d3610a0e07b13 (GHSA: Web)
- github.com/liferay/liferay-portal/commit/89c4514fc7d55a618c01483b987219298e3a4d36 (GHSA: Web)
- github.com/liferay/liferay-portal/commit/bbb8bc90c2d11710ff09b7a36970510997b70c59 (GHSA: Web)
- github.com/liferay/liferay-portal/commit/c6d7707c2e9872c7d5197001f292407ca7cbaf2e (GHSA: Web)
- github.com/liferay/liferay-portal/commit/f30571c3502551945ba7497e8d80e8b2295f1026 (GHSA: Web)
- web.archive.org/web/20201001000000*/https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities (GHSA: Web)