
      Description

      Maybe it's not an important issue, but it can be dangerous when used inappropriately.

      WebServerServlet displays all files, including those that aren't linked from the web. If a user doesn't have the Document Library portlet on the pages and doesn't directly refer to the documents, he might get a false sense of safety (for example, documents from a public folder that is not accessible through any link); in other words: security by obscurity.

      I'm not sure whether all files should be accessible from http://www.liferay.com/documents/guest/, for example http://www.liferay.com/documents/guest/Training%20Documents/Course%20Guides/ ?

      Users should be aware of this functionality, or it should be disabled by default.

        Activity

        Amos Fong added a comment -

        Tomas,

        Thanks for the heads up. In terms of Liferay.com, we are aware of the servlet and only public files are accessible. The files you mentioned are the course descriptions, which are publicly linked (http://www.liferay.com/services/training/topics/developer-training).

        In terms of the Liferay portal side evaluation, I'll leave it to someone else more qualified.

        Tammy Fong (Inactive) added a comment -

        Hi Tomas,
        Thank you for your report. I was able to reproduce the situation. Guests are able to view public files and folders (those with guest view permission) by navigating to those types of links. Uploaded files and added folders can, by default, be viewed by guests. It may be a security issue if users are not aware of this function, i.e. guests can see every public file/folder in the Documents and Media portlet regardless of whether it exists on pages or not. I will update this ticket to let the developers review this. These were my steps:

        1. Navigate to Control Panel > Documents and Media portlet
        2. At Documents Home:
           a. add a folder with guest view
           b. add a folder without guest view
           c. add a file with guest view
           d. add a file without guest view
        3. As guest, navigate to /documents/guest/

        Guests are able to see folders and files with view permission.

        Samuel Kong added a comment -

        Removing security component because there's no security issue here.
        Also, removing ticket from the current sprint.

        Mika Koivisto added a comment -

        This is a security issue, just like Tomas reported. It's fixed by LPS-22600, which makes indexing configurable, and it is turned off by default.

        Tomáš Polešovský added a comment -

        Thank you Mika.
