This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new c7a5b22 Improved: Prevent FreeMarker Template Injection (SSTI)
c7a5b22 is described below
commit c7a5b22e0ed287cfa4073da8b0037da7567ffea6
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon May 18 22:50:28 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI) (OFBIZ-11709) This commit does 2 things: Send a correct commit comment (kind of amendment, w/o push force) Previous code compiled but SAFER_RESOLVER is not a class but a field, better KISS Real change: Better style with line not too long:
---
.../java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index f6b7222..ffd16b8 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -116,7 +116,8 @@ public final class FreeMarkerWorker {
 } catch (TemplateException e) {
 Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, module);
 }
- String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver", "SAFER_RESOLVER");
+ String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
+ "SAFER_RESOLVER");
 switch (templateClassResolver) {
 case "UNRESTRICTED_RESOLVER":
 newConfig.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);