[LPS-99122] NPE throws when visiting malicious URL - Liferay Issues

XML

Word

Printable

Details

Type: Regression Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 7.2.X, Master
Fix Version/s: 7.0.0 DXP FP87, 7.0.10.12 DXP SP12, 7.0.X, 7.1.10 DXP FP13, 7.1.X, 7.2.10 DXP FP2, 7.2.10.1 DXP SP1, 7.2.X, 7.2.1 CE GA2, Master
Component/s: Portal Services
Labels:

Branch Version/s:

7.2.x, 7.1.x, 7.0.x
Backported to Branch:

Committed
Fix Priority:
4
Last Working Version:

7.2.10 DXP GA1
Git Pull Request:
https://github.com/brianchandotcom/liferay-portal/pull/76770

Description

Steps to reproduce:

Visit the following malicious URL

Expected Result: This portlet could not be found. Please redeploy it or remove it from the page. message displays and no error throws.

Actual Result: This portlet could not be found. Please redeploy it or remove it from the page. message dislays but NPE throws and details as following

2019-08-01 03:09:15.516 ERROR [http-nio-8080-exec-2][IncludeTag:128] Current URL /group/control_panel/manage?p_p_id=132&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_132_struts_action=%2Fplugins_admin%2Fedit_plugin&_132_pluginId=116&_132_pluginType=portlet&_132_title=Activities&_132_moduleId=%3Cscript%3Ealert(%22xss%22);%3C/script%3E&_2_backURL=%22%3E%3Cscript%3Ealert%28%27xss%27%29;%3C/script%3E generates exception: null
java.lang.NullPointerException
        at com.liferay.portal.model.impl.PortletImpl.getControlPanelEntryInstance(PortletImpl.java:772)
        at com.liferay.portal.service.permission.PortletPermissionImpl.hasControlPanelAccessPermission(PortletPermissionImpl.java:538)
        at com.liferay.portal.kernel.service.permission.PortletPermissionUtil.hasControlPanelAccessPermission(PortletPermissionUtil.java:311)
        at com.liferay.layout.type.controller.control.panel.internal.model.ControlPanelLayoutTypeAccessPolicy.checkAccessAllowedToPortlet(ControlPanelLayoutTypeAccessPolicy.java:58)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        at com.liferay.portal.servlet.DirectRequestDispatcher.include(DirectRequestDispatcher.java:64)
        at com.liferay.portal.servlet.DirectRequestDispatcherFactoryImpl$IndirectRequestDispatcher.include(DirectRequestDispatcherFactoryImpl.java:199)
        at com.liferay.portal.servlet.ClassLoaderRequestDispatcherWrapper.doDispatch(ClassLoaderRequestDispatcherWrapper.java:79)
        at com.liferay.portal.servlet.ClassLoaderRequestDispatcherWrapper.include(ClassLoaderRequestDispatcherWrapper.java:53)
        at com.liferay.taglib.util.IncludeTag.includePage(IncludeTag.java:398)
        at com.liferay.taglib.util.IncludeTag.include(IncludeTag.java:374)
        at com.liferay.taglib.util.IncludeTag.doInclude(IncludeTag.java:217)
        at com.liferay.taglib.util.IncludeTag.doEndTag(IncludeTag.java:88)
        at freemarker.ext.jsp.TagTransformModel$TagWriter.endEvaluation(TagTransformModel.java:400)
        at freemarker.ext.jsp.TagTransformModel$TagWriter.afterBody(TagTransformModel.java:388)
        at freemarker.core.Environment.visitAndTransform(Environment.java:427)
        at freemarker.core.UnifiedCall.accept(UnifiedCall.java:107)
        at freemarker.core.Environment.visit(Environment.java:324)
        at freemarker.core.MixedContent.accept(MixedContent.java:54)

Attachments

Issue Links

is caused by

LPS-98789 IllegalStateException is thrown when accessing a page with a WAB using Spring MVC and while simultaneously re-deploying the same WAB (cont.)

Closed

Activity

People

Assignee:

Linda Sui

Reporter:

Linda Sui

Participants of an Issue:

Linda Sui

Recent user:

Jason Pince

Votes:

0 Vote for this issue

Watchers:

0 Start watching this issue

Dates

Created:

31/Jul/19 11:27 PM

Updated:

13/Nov/19 3:08 PM

Resolved:

08/Aug/19 9:54 AM

Days since last comment:

28 weeks ago

Packages

Version	Package
7.0.0 DXP FP87
7.0.10.12 DXP SP12
7.0.X
7.1.10 DXP FP13
7.1.X
7.2.10 DXP FP2
7.2.10.1 DXP SP1
7.2.X
7.2.1 CE GA2
Master