This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push: new a67508c Improved: Prevent FreeMarker Template Injection (SSTI) a67508c is described below commit a67508c29c1454a07448219cfa700f71132fb248 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Mon May 18 22:51:24 2020 +0200 Improved: Prevent FreeMarker Template Injection (SSTI) (OFBIZ-11709) Better style with line not too long
---
 .../java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index f377e05..d8ff395 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -116,7 +116,8 @@ public final class FreeMarkerWorker {
 } catch (TemplateException e) {
 Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, module);
 }
- String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver", "SAFER_RESOLVER");
+ String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
+ "SAFER_RESOLVER");
 switch (templateClassResolver) {
 case "UNRESTRICTED_RESOLVER":
 newConfig.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
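Review bot: The re-wrapped `templateClassResolver` read still has no comment saying what the setting controls, even though the `UNRESTRICTED_RESOLVER` case right below it lifts FreeMarker's restriction on which classes the `?new` built-in may instantiate. I would add above the read: `// Class resolver for FreeMarker's ?new built-in; keep SAFER_RESOLVER (the default) unless every template source is trusted.` The switch continues outside the hunk, so it cannot be confirmed from here whether an unrecognised or mistyped property value falls back to the safe resolver. If it does not, a `default:` branch that sets `TemplateClassResolver.SAFER_RESOLVER` and logs the rejected value would make the configuration fail closed.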