
Spoofing p_p_state gives extensive error logs, but no error to user

    Details

    • Fix Priority: 2
    • Where was the bug?: Java

      Description

      During a security audit, I see a lot of these in the logs.

      javax.portlet.PortletModeException: view36493785' or 1=2--
          at com.liferay.portlet.StateAwareResponseImpl.setPortletMode(StateAwareResponseImpl.java:142)
          at com.liferay.portlet.StateAwareResponseImpl.init(StateAwareResponseImpl.java:280)
          at com.liferay.portlet.ActionResponseFactory.create(ActionResponseFactory.java:3

      After talking to Ray Auge, he figured it's coming from here:

      LayoutAction, lines ~763:

      WindowState windowState = WindowStateFactory.getWindowState(
          ParamUtil.getString(request, "p_p_state"));

      Line 773:

      PortletMode portletMode = PortletModeFactory.getPortletMode(
          ParamUtil.getString(request, "p_p_mode"));

      private WindowState _getWindowState(String name) {
          WindowState windowState = _windowStates.get(name);

          if (windowState == null) {
              windowState = new WindowState(name);
          }

          return windowState;
      }

      Please just make it a 500 error and give a clean exception in the log, hopefully including the full URL.
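One way to get the behaviour the reporter asks for, as an added example (hypothetical code, not Liferay's own): a servlet filter that rejects any p_p_state or p_p_mode value outside a fixed allow-list before LayoutAction ever calls the factories, answers with a 500, and writes one sanitized log line that includes the full URL. It assumes the javax.servlet and javax.portlet APIs, and the allow-lists hold only the standard JSR-286 values, so a real deployment would extend them with any portal-specific states and modes.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.portlet.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: reject unknown p_p_state / p_p_mode values before LayoutAction sees them. */
public class PortletStateParamFilter implements Filter {

    // Assumed allow-lists: the standard JSR-286 values only; extend with portal-specific states/modes.
    private static final Set<String> KNOWN_STATES = new HashSet<>(Arrays.asList(
        WindowState.NORMAL.toString(), WindowState.MINIMIZED.toString(), WindowState.MAXIMIZED.toString()));
    private static final Set<String> KNOWN_MODES = new HashSet<>(Arrays.asList(
        PortletMode.VIEW.toString(), PortletMode.EDIT.toString(), PortletMode.HELP.toString()));

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String offending = unknownValue("p_p_state", request.getParameter("p_p_state"), KNOWN_STATES);
        if (offending == null) offending = unknownValue("p_p_mode", request.getParameter("p_p_mode"), KNOWN_MODES);
        if (offending != null) {
            // One clean, single-line entry with the full URL instead of a stack trace from the container.
            StringBuffer url = request.getRequestURL();
            if (request.getQueryString() != null) url.append('?').append(request.getQueryString());
            System.err.println("Rejected portlet parameter " + offending + " url=" + sanitize(url.toString()));
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Returns null if the parameter is absent or allowed, otherwise "name=value" for the log line. */
    static String unknownValue(String name, String value, Set<String> allowed) {
        if (value == null || allowed.contains(value)) return null;
        return name + "=" + sanitize(value);
    }

    /** Keep attacker-controlled text from forging extra log lines: drop CR/LF and cap the length. */
    static String sanitize(String s) {
        String cleaned = s.replaceAll("[\\r\\n]", " ");
        return cleaned.length() > 200 ? cleaned.substring(0, 200) + "..." : cleaned;
    }
}
```

Map the filter to the portal's servlet in web.xml so it runs ahead of the main portal servlet, and swap System.err for the container's logger in production.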


    Packages

    Version Package
    --Sprint 11/12
    6.2.0 CE M2