Issue
- I want to disable Groovy Scripts from being executed in Control Panel's Server Administration panel
Environment
- DXP 7.4
Resolution
Approach 1:
- Follow the article "How to Disable Groovy Scripts and the Scripting Console in Control Panel".
- This prevents non-admin users from running Groovy scripts in custom places, as they do not have direct access to the Server Administration scripting console anyway.
Approach 2:
- Go to Control Panel > Configuration > System Settings
- In the Platform section, find "Module Container"
- Navigate to Global Menu > System Settings > Module Container > Component Blacklist tab
- Add com.liferay.server.admin.web.internal.scripting.ServerScripting to Blacklist Component Names
- Save
Additional Information
- Security Statement on CVE-2019-11444: Disputed Groovy Script console vulnerability
- How to Disable Groovy Scripts and the Scripting Console in Control Panel
- This will disable all Server Administration actions, because "com.liferay.server.admin.web.internal.portlet.action.EditServerMVCActionCommand" references ServerScripting.
- Disabling Groovy scripting entirely by blacklisting com.liferay.server.admin.web.internal.scripting.ServerScripting not only causes several console errors when attempting to run Groovy scripts (although it does prevent them from running), but it is also not effective, because a user who has permission to blacklist modules in this way can just remove the blacklisted module from the list again and continue to run scripts.
- As of 2023.Q4.0, blacklisting the aforementioned component doesn't work either, because the functionality was refactored to a Java util class, com.liferay.server.admin.web.internal.scripting.util.ServerScriptingUtil.
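An added example, not Liferay's own code: an audit check for Approach 2 that reports whether the blacklist entry is present in an exported configuration and whether it can still have any effect on a given quarterly release. It assumes the setting is exported in OSGi .config syntax under the key blacklistComponentNames; that key name, the function names and the sample exports are assumptions made for this example.

```python
import re

SERVER_SCRIPTING = "com.liferay.server.admin.web.internal.scripting.ServerScripting"
# The page states the component was refactored into ServerScriptingUtil as of 2023.Q4.0.
REFACTORED_IN = (2023, 4, 0)


def blacklisted_names(config_text, key="blacklistComponentNames"):
    """Return the quoted names in `key=[...]`; the key name is an assumption."""
    m = re.search(r"^\s*" + re.escape(key) + r"\s*=\s*\[(.*?)\]", config_text, re.M | re.S)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []


def parse_quarterly(release):
    """Parse a quarterly release label such as '2023.Q4.0' into a comparable tuple."""
    m = re.fullmatch(r"(\d{4})\.Q([1-4])\.(\d+)", release.strip(), re.I)
    if not m:
        raise ValueError(f"not a quarterly release label: {release!r}")
    return tuple(int(part) for part in m.groups())


def audit(config_text, release):
    """Classify the blacklist entry as 'missing', 'no-effect' or 'applied'."""
    if SERVER_SCRIPTING not in blacklisted_names(config_text):
        return "missing"      # entry absent, or removed again by an administrator
    if parse_quarterly(release) >= REFACTORED_IN:
        return "no-effect"    # component no longer exists on this release
    return "applied"          # entry present and the component still exists


# Constructed sample exports (not taken from a real installation).
WITH_ENTRY = '''blacklistComponentNames=[ \\
  "com.example.sample.internal.SamplePortlet", \\
  "com.liferay.server.admin.web.internal.scripting.ServerScripting", \\
  ]
'''
WITHOUT_ENTRY = 'blacklistComponentNames=["com.example.sample.internal.SamplePortlet"]\n'

if __name__ == "__main__":
    for text, release in [(WITH_ENTRY, "2023.Q3.2"), (WITH_ENTRY, "2023.Q4.0"),
                          (WITHOUT_ENTRY, "2023.Q3.2")]:
        print(release, audit(text, release))
```

A "missing" result on a system where the entry was previously added is worth reviewing, since the page notes that anyone permitted to edit the blacklist can remove the entry again.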