PUBLIC - Liferay Portal Community Edition
LPS-154678

headless API could be using the wrong Service to create portlet attachments

Details

    • Bug
    • Status: Verified
    • Resolution: Unresolved
    • 7.2.X, 7.3.X, Master
    • Security

    Description

      In a code analysis (for a different issue) I saw that BlogPostingImageResourceImpl is using DLApp instead of PortletFileRepository service (as we do in BlogsEntryLocalServiceImpl).

      After a deeper analysis we've seen that this is not critical (because in blogs we don't force-check the parent entity permissions), but it is convenient to use the right Service.

      I've also checked more headless use cases related to Attachments, and I've found a case that could be a security risk:

      StructuredContentResourceImpl uses DLApp on JournalArticleContent creation, and in some cases it could be wrong:

      If you check com.liferay.journal.service.impl.JournalArticleLocalServiceImpl#_addArticleAttachmentFileEntry you'll see that in this method we are using:

      PortletFileRepositoryUtil.addPortletFileEntry

      In this case this is dangerous because in the service we pass the className and the classPK of the article and we check its permissions when rendering the image, but if we create this field using DLApp these fields are empty.

      If that happens, we could find that users without view permission for the article can see the attachment, and this is a security risk.
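As an added example (not Liferay's own code, nor the ticket's), the weak DLApp call next to the corrected PortletFileRepositoryUtil call, plus a small audit helper that reports whether a stored entry carries the article binding. The class and method names are real, but their exact parameter lists are assumed from Liferay 7.3, and JournalPortletKeys.JOURNAL as portletId, the resource primary key as classPK and indexingEnabled=false are assumptions.

```java
import java.io.InputStream;
import com.liferay.document.library.kernel.model.DLFileEntry;
import com.liferay.document.library.kernel.service.DLAppLocalServiceUtil;
import com.liferay.journal.constants.JournalPortletKeys;
import com.liferay.journal.model.JournalArticle;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.portletfilerepository.PortletFileRepositoryUtil;
import com.liferay.portal.kernel.repository.model.FileEntry;
import com.liferay.portal.kernel.service.ServiceContext;

// Added example, not Liferay code. Signatures are assumed from 7.3 and may differ elsewhere.
public class ArticleAttachmentExample {
	// Weak variant (what the ticket describes for StructuredContentResourceImpl): the
	// generic DLApp path stores the file with an empty className/classPK, so nothing
	// ties it to the article when it is rendered.
	public static FileEntry addViaDLApp(
			long userId, long repositoryId, long folderId, String fileName,
			String mimeType, InputStream inputStream, long size,
			ServiceContext serviceContext)
		throws PortalException {
		return DLAppLocalServiceUtil.addFileEntry(
			userId, repositoryId, folderId, fileName, mimeType, fileName, null,
			null, inputStream, size, serviceContext);
	}

	// Corrected variant, mirroring JournalArticleLocalServiceImpl: className and classPK
	// bind the attachment to the article, so rendering it checks the article's VIEW
	// permission. Assumed: classPK is the resource primary key, indexingEnabled is false.
	public static FileEntry addViaPortletFileRepository(
			long groupId, long userId, long classPK, long folderId,
			InputStream inputStream, String fileName, String mimeType)
		throws PortalException {
		return PortletFileRepositoryUtil.addPortletFileEntry(
			groupId, userId, JournalArticle.class.getName(), classPK,
			JournalPortletKeys.JOURNAL, folderId, inputStream, fileName,
			mimeType, false);
	}

	// Audit helper: true only when the stored entry carries the article binding
	// (assumes DLFileEntry exposes getClassName()/getClassPK(), as in 7.x).
	public static boolean isBoundToArticle(FileEntry fileEntry) {
		if (!(fileEntry.getModel() instanceof DLFileEntry)) {
			return false;
		}
		DLFileEntry dlFileEntry = (DLFileEntry)fileEntry.getModel();
		return JournalArticle.class.getName().equals(
			dlFileEntry.getClassName()) && (dlFileEntry.getClassPK() != 0);
	}
}
```

Running isBoundToArticle over the entries in a journal article's attachment folder is one way to find files that were created through the DLApp path before the fix.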

          People

            support-lep@liferay.com SE Support
            roberto.diaz Roberto Díaz
            Kiyoshi Lee Kiyoshi Lee