uPortal developers,
Our security vulnerability handling process necessitates some
less-public skulking about preparing fixes for security vulnerabilities
in order to release fixes and a patched product release simultaneously
with disclosure of the vulnerability.
uPortal 4.0.13.1 is such a release and it contains fixes developed with
such skulking.
http://www.jasig.org/uportal/download/uportal-4-0-13-1
Now that the release is released, the local mitigation instructions are
posted, and the fixes are in source control, however, we have an
opportunity to operate more transparently.
So. This is a thread for discussing the fixes for these
vulnerabilities, what we can learn from them, and how to go forward
continuing to build a better uPortal.
My two cents: enforcing permissions exclusively too far forward in the
architecture (towards the UI) creates more opportunity to forget to
enforce the permission or to overlook all the interesting paths whereby
a user might exercise functionality that ought to be permission-gated.
By refactoring towards architectures where permissions are enforced
further back (in a service layer), our code can be less prone to
overlooked needs to apply permissions checks and permission checking in
the UI can be just to inform good user experiences.
Hypothetical example drawing on the experience of these CVEs: by all
means, don't show the user links to portlets he or she is not permitted
to manage, since links I can't actually use are really annoying -- but
make that a secondary, bonus, user-experience level consideration and
enforce MANAGE permissions over management of portlet registrations in a
PortletManagementService and ensure that code manipulating portlet
registrations exclusively uses the PortletManagementService to do this
(rather than, say, directly accessing registries and DAOs and striving
to remember to apply the appropriate permissions checks.)
I look forward to discussing these and other next steps at the Open
Apereo conference and here on uportal-dev@.
Kind regards,
Andrew
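To make the service-layer idea above concrete, here is an added example (not uPortal code, and not from the message above or its author): a small hypothetical PortletManagementService that checks MANAGE itself on every mutating call, with the UI filtering manage links purely as a courtesy. Every class and method name here (PortletDefinition, PortletRegistry, Principal, AuthorizationException, PortletManagementService) is an assumption chosen for illustration and does not correspond to uPortal's real interfaces.

```java
// Added illustrative example; all names are hypothetical, not uPortal APIs.
// Run with: java ServiceLayerPermissionsDemo.java   (Java 11+ single-file launcher)
import java.util.*;

public class ServiceLayerPermissionsDemo {
    public static void main(String[] args) {
        // Constructed sample registry with two portlet registrations.
        PortletRegistry registry = new PortletRegistry();
        registry.save(new PortletDefinition("weather", "Weather"));
        registry.save(new PortletDefinition("grades", "Grades"));
        PortletManagementService service = new PortletManagementService(registry);

        // Constructed sample user: holds MANAGE on "weather" only.
        Principal alice = new Principal("alice", Set.of("weather"));

        // UI layer: render only the manage links the user can actually use (UX, not security).
        for (PortletDefinition d : service.listManageable(alice)) {
            System.out.println("render link: /manage/" + d.fname);
        }

        // A hand-crafted request that skips the UI filter still hits the service-layer check.
        try {
            service.rename(alice, "grades", "Everyone's Grades");
        } catch (AuthorizationException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // A permitted change goes through the same single choke point.
        service.rename(alice, "weather", "Campus Weather");
        System.out.println("weather title is now: " + registry.get("weather").title);
    }
}

/** Minimal stand-in for a portlet registration. */
final class PortletDefinition {
    final String fname;
    String title;
    PortletDefinition(String fname, String title) { this.fname = fname; this.title = title; }
}

/** Stand-in for a registry/DAO. Deliberately contains no permission logic. */
final class PortletRegistry {
    private final Map<String, PortletDefinition> byFname = new LinkedHashMap<>();
    void save(PortletDefinition def) { byFname.put(def.fname, def); }
    PortletDefinition get(String fname) { return byFname.get(fname); }
    Collection<PortletDefinition> all() { return Collections.unmodifiableCollection(byFname.values()); }
    void delete(String fname) { byFname.remove(fname); }
}

/** Stand-in for an authorization principal: who is asking, and which portlets they may MANAGE. */
final class Principal {
    final String username;
    private final Set<String> manageable;
    Principal(String username, Set<String> manageable) { this.username = username; this.manageable = manageable; }
    boolean hasManagePermission(String fname) { return manageable.contains(fname); }
}

final class AuthorizationException extends RuntimeException {
    AuthorizationException(String msg) { super(msg); }
}

/**
 * The one place portlet registrations are changed. Each mutating method performs
 * the MANAGE check itself, so no caller can reach the registry without it.
 */
final class PortletManagementService {
    private final PortletRegistry registry;
    PortletManagementService(PortletRegistry registry) { this.registry = registry; }

    /** Read-only query the UI may use to decide which links to draw. */
    boolean canManage(Principal who, String fname) { return who.hasManagePermission(fname); }

    List<PortletDefinition> listManageable(Principal who) {
        List<PortletDefinition> out = new ArrayList<>();
        for (PortletDefinition d : registry.all()) {
            if (canManage(who, d.fname)) out.add(d);
        }
        return out;
    }

    void rename(Principal who, String fname, String newTitle) {
        PortletDefinition def = requireManage(who, fname);
        def.title = newTitle;
        registry.save(def);
    }

    void delete(Principal who, String fname) {
        requireManage(who, fname);
        registry.delete(fname);
    }

    /** Denies with the same message whether the portlet is missing or merely not manageable. */
    private PortletDefinition requireManage(Principal who, String fname) {
        PortletDefinition def = registry.get(fname);
        if (def == null || !canManage(who, fname)) {
            throw new AuthorizationException(who.username + " lacks MANAGE on portlet '" + fname + "'");
        }
        return def;
    }
}
```

The point of the layout is that the UI calls listManageable only to avoid showing dead links; even a caller that never consulted it still cannot mutate "grades" for alice, because rename and delete re-check inside the service. If the registry were reachable directly from controllers, each of those call sites would be a place where the check could be forgotten.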