Details
- Bug
- Status: Closed
- Critical
- Resolution: Fixed
5.2 EE SP1 (5.2.5), 5.2 EE SP2 (5.2.6), 5.2 EE SP3 (5.2.7), 5.2 EE SP4 (5.2.8), 5.2 EE SP5 (5.2.9), 6.0 EE (6.0.10), 6.0 EE SP1 (6.0.11), 6.0 EE SP2 (6.0.12), 6.1 EE GA1 (6.1.10), 6.1 EE GA2 (6.1.20), 6.1 EE GA3 (6.1.30), 6.2 EE GA1 (6.2.10)
Description
6.2 EE, 6.1 EE, 6.0 EE: The following portal properties have been added:
    #
    # Provide a list of fully qualified class names allowed to be serialized and
    # deserialized during an export/import and staging process. This list can be
    # empty since the portal default entities are being added automatically.
    # This property only takes effect when the property
    # "staging.xstream.security.enabled" is set to true.
    #
    staging.xstream.class.whitelist=

    #
    # Set this to true to enable checking XStream class serialization security
    # permissions. See "staging.xstream.class.whitelist" property for the class
    # whitelist.
    #
    staging.xstream.security.enabled=true
Important! Developers of custom portlets that support export-import must list their classes in the whitelist, either in portal-ext.properties or inside the plugin itself. For the plugin route, create a portal.properties file with the proper settings and a liferay-hook.xml that contains a <portal-properties> element, so that the deploy framework picks up the property configurations and merges them with the default ones.
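As an added example (not Liferay's code), this Python check reads a plugin's liferay-hook.xml and portal.properties and reports whether they follow the rule above. The sample files and the com.example class names are constructed, and comma-separated whitelist entries are an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files for a hypothetical plugin; the class names are made up.
SAMPLE_HOOK_XML = """<hook>
    <portal-properties>portal.properties</portal-properties>
</hook>"""

SAMPLE_PROPERTIES = """\
# Classes this portlet exports/imports through staging
staging.xstream.class.whitelist=\\
    com.example.library.model.Book,\\
    com.example.library.model.Shelf
staging.xstream.security.enabled=true
"""

WHITELIST = "staging.xstream.class.whitelist"
ENABLED = "staging.xstream.security.enabled"
FQCN = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")

def parse_properties(text):
    """Minimal .properties reader: comments, key=value, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]          # join continued lines into one value
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()  # a later duplicate key wins
        pending = ""
    return props

def audit_plugin(hook_xml, properties_text):
    """Return findings for an export-import plugin; an empty list means no issue found."""
    findings = []
    if not ET.fromstring(hook_xml).findtext("portal-properties"):
        findings.append("liferay-hook.xml has no <portal-properties> element")
    props = parse_properties(properties_text)
    # The page shows true as the shipped value, so only an explicit override is flagged.
    if props.get(ENABLED, "true").lower() != "true":
        findings.append(ENABLED + " is not true")
    # Assumption: entries are comma-separated.
    entries = [e.strip() for e in props.get(WHITELIST, "").split(",") if e.strip()]
    if not entries:
        findings.append(WHITELIST + " lists no classes")
    findings += ["not a fully qualified class name: " + e for e in entries if not FQCN.match(e)]
    return findings
```
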
6.1 EE GA2, 6.1 EE GA1 and 6.0 EE SP2: This fix also incorporates the patch for LSV-99.
See also https://web.liferay.com/group/customer/products/portal/security-vulnerability/lsv-175