Liferay 5.2.3 javascript injection vulnerability

written by Marco Ferretti on September 27, 2011, at 04:43 PM

en it

According to liferay's Jira LPS-5545 is still open and affects liferay 5.2.3 .

I tested the above vulnerability onto Liferay 6 and it looks like this problem was fixed. I looked at the code and what it does ... and it came out that everything you need to prevent this issue is already there in L5 too.

The short path

simply use unix patch to apply this patch ( ), recompile and generate portal-impl.jar and live happy.

What it does

The patch checks the language id parameter against a white list of languages (namely _localesMap and _charEncodings ) that are already there; we slightly modify the constructor in order to make sure the maps are filled :

        private LanguageImpl() {
                String[] localesArray = PropsValues.LOCALES;

                _locales = new Locale[localesArray.length];
                _localesSet = new HashSet<Locale>(localesArray.length);
                _localesMap = new HashMap<String, Locale>(localesArray.length);
                _charEncodings = new HashMap<String, String>();

                for (int i = 0; i < localesArray.length; i++) {
                        String languageId = localesArray[i];

                        int pos = languageId.indexOf(StringPool.UNDERLINE);

                        String language = languageId.substring(0, pos);
                        //String country = languageId.substring(pos + 1);

                        Locale locale = LocaleUtil.fromLanguageId(languageId);

                        _charEncodings.put(locale.toString(), StringPool.UTF8);                 // backport of white list of language ids

                        _locales[i] = locale;
                        if (!_localesMap.containsKey(language)) {//backport of white list of language ids
                                _localesMap.put(language, locale);
                        //_localesMap.put(language, locale);//backport of white list of language ids
                        _charEncodings.put(locale.toString(), StringPool.UTF8);


and add the check

if (_localesMap.containsKey(languageId) || _charEncodings.containsKey(languageId)) {// backport of white list of language ids


public String getLanguageId(HttpServletRequest request)

just before returning the language id :

        public String getLanguageId(HttpServletRequest request) {
                String languageId = ParamUtil.getString(request, "languageId");

                if (Validator.isNotNull(languageId)) {
                        if (_localesMap.containsKey(languageId) || _charEncodings.containsKey(languageId)) {// backport of white list of language ids
                                return languageId;

                Locale locale = PortalUtil.getLocale(request);

                return getLanguageId(locale);

Happy patching folks !