Yes, I know. I didn't keep my previous promise to quickly follow up with the next episode. Thus, I'm not promising again, only revealing that I'm planning to be quicker in future.
This is another episode recorded at the previous Liferay Retreat. I sat down with Samuel Kong, GM of the Chinese office and member of Liferay's security team.
As I've been carrying this recording around for quite a while, note that there have been some changes during the last year. First and foremost, we have a new community security team, which was not around at the time of the recording. I'm planning to talk to someone from that team soon (consider yourself warned if you're on that team).
Some of the topics you'll find in this episode:
How to file a security issue - thankfully he is consistent with what Cynthia and Michael have reported: go to issues.liferay.com, file your issue under the component "security", optionally with private visibility. If you've already done so, please check whether your issue is still reproducible in the latest available version - it might already have been reported and fixed.
OWASP (the Open Web Application Security Project) site is a good resource for learning about security in web applications in general, independent of Liferay.
The three tools built into Liferay that help you prevent security issues:
Redirects: some properties configuring the list of domain names and IPs that Liferay is allowed to redirect to
CSRF: Auth-Token
XSS: The various escape methods in com.liferay.portal.kernel.util.HtmlUtil - there are so many because the correct escaping depends on the context into which you escape some HTML text. Also, the AlloyUI taglibs help a lot when you're displaying user content in forms. And the "escapedModel" that you can get from ServiceBuilder.
Bonus: SQL injection and its prevention through ServiceBuilder.
When to escape HTML text in order to be most flexible.
Side note: a call to extract and read the full portal.properties - a long, boring and yet interesting read. Oh, and the DTDs for the XML files.
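To make the "escaping depends on the context" point from the XSS item concrete, here is an added, self-contained illustration (my own code for this post, not Liferay's HtmlUtil and not something from the episode): one raw value is stored as entered and a different encoder is applied at each output sink. Inside Liferay you'd call the corresponding HtmlUtil methods instead of these hand-rolled ones; the class name, sample value and the four sinks are assumptions for the example.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/** One stored value, a different encoder per output context (added example; not Liferay's HtmlUtil). */
public final class OutputEncoding {
    /** Text between tags or inside a quoted attribute: neutralise the HTML metacharacters. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    /** Inside a JavaScript string literal: Unicode-escape every non-alphanumeric character, so
     *  neither a quote nor a closing script tag carried in the data can break out of the literal. */
    static String escapeJs(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 128 && Character.isLetterOrDigit(c)) sb.append(c);
            else sb.append(String.format("\\u%04x", (int) c));
        }
        return sb.toString();
    }
    /** A query-string value: percent-encode; HTML escaping alone would let '&' or '=' split parameters. */
    static String escapeUrlParam(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);   // Java 10+ overload
    }
    /** The same raw value lands in four sinks; each gets its own encoder, nested inner-first for the URL. */
    static String renderProfile(String name) {
        return "<p>" + escapeHtml(name) + "</p>\n"
             + "<input value=\"" + escapeHtml(name) + "\">\n"
             + "<a href=\"/search?q=" + escapeHtml(escapeUrlParam(name)) + "\">search</a>\n"
             + "<script>var name = \"" + escapeJs(name) + "\";</script>";
    }
    public static void main(String[] args) {
        // Constructed sample; it is stored exactly as entered and only encoded on the way out.
        System.out.println(renderProfile("O'Brien <b>&</b> \"friends\""));
    }
}
```

Storing the raw value and encoding at output time is what keeps you flexible: the same record can later be rendered into a new context simply by choosing the matching encoder.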
You'll find this episode - and can make sure that you don't miss any of the future episodes - by subscribing to the RSS feed, on iTunes or with your podcatcher of choice; you'll find all the options on www.liferay.com/radio. And if you want to be notified when the next episode is out, follow @RadioLiferay.