Blog Images "Bug" Identified

Problem identified, important disclosure forthcoming...

A short blog post for today...

I haven't apparently been blogging much in the last two months.

Except that's not really true. I have 5 blog posts that have been waiting to be published that I can't publish.

I've already hinted at this: I have not been able to add images to my blog posts since an update was applied recently.

We have been working with Liferay Support trying to find out what happened. It occurred just after an update was applied, so at first we thought maybe the upgrade failed, but we couldn't reproduce it when trying to upgrade locally.

We then thought maybe it was a bug that was introduced, but we couldn't replicate it there, either.

Then one of the Support folks asked if we were aware of https://liferay.atlassian.net/browse/LPD-2816, an issue released as part of DXP 2024.Q1 and CE GA 112...

LPD-2816 is a security vulnerability ticket, and before I talk about it, let's cover what happens when you create a blog...

Obviously there is a BlogEntry that goes into a database, but while editing the content you can also upload files and images that might be part of the blog. Those are stored in a special hidden folder within Docs and Media.

Now we also have workflow enabled. We need it, it helps to prevent "spam blogs" from appearing here on the site, as if you need yet another crypto investment or male improvement pill... We review each submission, approving the good ones and rejecting the spam.

Now, back to the security issue...

If I'm a bad actor, I can write a blog post, but I can also upload files and images, and those might be offensive and/or malicious...

When I submit my blog post, it gets reviewed and rejected. Unfortunately, though, the images and files that I've uploaded are not rejected with it. They're left in the hidden folder. They don't hurt anyone, at least until someone unknowingly picks one of those images or files for a different blog that does get approved...

So, LPD-2816 introduces a change to ban image/doc uploads into the hidden folder when workflow is enabled for blogs.

The idea is that I should upload my images/docs directly into Docs & Media (where they independently go through a review and virus scanning, etc), then I can select and use them in my blog which also would continue to go through a separate review.
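To make the lifecycle concrete, here is an added example that models the behaviour described above; it is constructed for this post and is not Liferay code. The entry ids, the hidden folder name `_blogs_hidden`, the `block_hidden_uploads_when_workflow` flag (standing in for the LPD-2816 change) and the attachment names are all hypothetical. It shows the orphaned-attachment condition that arises when a blog entry is rejected but its hidden-folder uploads are not, a cleanup sweep a site administrator would want, and the post-fix behaviour where blog-scoped uploads are refused once workflow is enabled.

```python
"""Constructed model of blog entries, hidden-folder attachments and workflow review.

Illustration only: names, ids and the policy flag are hypothetical, not Liferay APIs.
"""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"


@dataclass
class Attachment:
    name: str
    owner_entry_id: int
    folder: str = "_blogs_hidden"  # hypothetical name for the hidden Docs and Media folder


@dataclass
class BlogEntry:
    entry_id: int
    status: Status = Status.PENDING


class UploadRefused(Exception):
    """Raised when a blog-scoped upload is blocked by policy."""


@dataclass
class BlogStore:
    workflow_enabled: bool
    # Models the LPD-2816 behaviour: refuse hidden-folder uploads while workflow is on.
    block_hidden_uploads_when_workflow: bool
    entries: dict = field(default_factory=dict)
    attachments: list = field(default_factory=list)

    def create_entry(self, entry_id: int) -> BlogEntry:
        entry = BlogEntry(entry_id)
        self.entries[entry_id] = entry
        return entry

    def upload_attachment(self, entry_id: int, name: str) -> Attachment:
        if self.workflow_enabled and self.block_hidden_uploads_when_workflow:
            raise UploadRefused(f"blog uploads disabled while workflow is enabled: {name}")
        attachment = Attachment(name, entry_id)
        self.attachments.append(attachment)
        return attachment

    def review(self, entry_id: int, approve: bool) -> Status:
        # Review touches only the entry; attachments keep living in the hidden folder.
        self.entries[entry_id].status = Status.APPROVED if approve else Status.REJECTED
        return self.entries[entry_id].status

    def orphaned_attachments(self) -> list:
        """Attachments still in the hidden folder whose owning entry was rejected."""
        return [
            a for a in self.attachments
            if self.entries[a.owner_entry_id].status is Status.REJECTED
        ]

    def sweep_orphans(self) -> int:
        """Cleanup an administrator would run: drop rejected entries' attachments."""
        orphans = self.orphaned_attachments()
        self.attachments = [a for a in self.attachments if a not in orphans]
        return len(orphans)


def orphans_before_fix() -> list:
    """Pre-LPD-2816 behaviour: rejection leaves the uploads behind."""
    store = BlogStore(workflow_enabled=True, block_hidden_uploads_when_workflow=False)
    store.create_entry(1)
    store.upload_attachment(1, "unreviewed-image.png")
    store.upload_attachment(1, "unreviewed-doc.pdf")
    store.review(1, approve=False)
    return [a.name for a in store.orphaned_attachments()]


def orphans_after_sweep() -> int:
    """Same scenario followed by the cleanup sweep; returns attachments left over."""
    store = BlogStore(workflow_enabled=True, block_hidden_uploads_when_workflow=False)
    store.create_entry(1)
    store.upload_attachment(1, "unreviewed-image.png")
    store.review(1, approve=False)
    store.sweep_orphans()
    return len(store.attachments)


def upload_outcome_after_fix() -> str:
    """Post-LPD-2816 behaviour: the upload is refused up front."""
    store = BlogStore(workflow_enabled=True, block_hidden_uploads_when_workflow=True)
    store.create_entry(1)
    try:
        store.upload_attachment(1, "unreviewed-image.png")
    except UploadRefused:
        return "refused"
    return "accepted"


if __name__ == "__main__":
    print(orphans_before_fix(), orphans_after_sweep(), upload_outcome_after_fix())
```

The point the model makes is the one the post makes: workflow review is attached to the BlogEntry, not to the files uploaded alongside it, so rejection alone never touches the hidden folder. The sweep is the compensating control an administrator would want on an existing site; the refusal flag is the upstream change, which trades that leftover-file risk for the loss of in-editor uploads.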

For most corporate sites, this isn't going to be a problem (well, other than the fact that I don't believe this was documented anywhere).

In fact, it is a better process to get those docs and images to go through a review process independently to ensure they conform to business guidelines, brand requirements, copyright checks, etc.

For our community site, though, it is not going to work. We don't want to give access to the general public for uploads to Docs and Media for various reasons, so we're working now with the Engineering team to put this change behind a release feature flag so it can be disabled in this environment.

So, now for the disclosure:

Due to LPD-2816, if you are putting your blog posts through a workflow process, you won't be able to add images. Your choice (at this point in time) is to go without images, disable the workflow, or use the better process of uploading images to D&M and then link to those images from the blog.