freemarker-dev mailing list archives

From "Taher Alkhateeb" <ta...@pythys.com.INVALID>
Subject Re: Use TemplateClassResolver.SAFER_RESOLVER by default
Date Sun, 17 May 2020 08:13:07 GMT

I think it will break almost everything because most of our FTL is executing code anyways.
You can try it yourself to see if it works.


On Sunday, May 17, 2020 09:41 +03, Jacques Le Roux <jacques.le.roux@les7arts.com> wrote:
 Hi,

After reading https://ackcent.com/blog/in-depth-freemarker-template-injection/ I wonder why
we do not have TemplateClassResolver.SAFER_RESOLVER[1] used
by default, like there is:

    The api_builtin_enabled configuration setting must be set to true. Its default is false
(at least as of 2.3.22) for not lowering the security of
existing applications.[2]

Is there a reason?

Thanks

Jacques

[1] https://freemarker.apache.org/docs/api/freemarker/core/TemplateClassResolver.html#SAFER_RESOLVER
[2] https://freemarker.apache.org/docs/ref_builtins_expert.html#ref_buitin_api_and_has_api

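As an added illustration of the setting under discussion (this is example code written for this archive page, not code from the FreeMarker project or from either poster), the following Java program renders a constructed template that abuses the ?new built-in to instantiate freemarker.template.utility.Execute, once with a default Configuration and once with SAFER_RESOLVER and api_builtin_enabled set explicitly. The class name SaferResolverDemo, the version constant Configuration.VERSION_2_3_22 and the harmless echo command are assumptions chosen for the demo.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;

// Added example (not FreeMarker project code): shows what SAFER_RESOLVER blocks.
public class SaferResolverDemo {

    // Constructed, attacker-style template: ?new instantiates a class by name,
    // and Execute runs an OS command. A harmless echo stands in for a real payload.
    static final String TEMPLATE =
        "<#assign ex = \"freemarker.template.utility.Execute\"?new()>"
        + "${ex(\"echo hello-from-freemarker\")}";

    static Configuration configure(boolean hardened) {
        // Assumption: the incompatible-improvements constant; any >= 2.3.22 works here.
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_22);
        if (hardened) {
            // SAFER_RESOLVER refuses Execute, ObjectConstructor and JythonRuntime in ?new.
            cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
            // ?api already defaults to off since 2.3.22; stating it keeps intent explicit.
            cfg.setAPIBuiltinEnabled(false);
        }
        // The unhardened branch keeps the default UNRESTRICTED_RESOLVER.
        return cfg;
    }

    // Renders the template and reports whether the class resolver let ?new through.
    static String render(Configuration cfg, String src) throws IOException {
        Template t = new Template("inline", new StringReader(src), cfg);
        StringWriter out = new StringWriter();
        try {
            t.process(new HashMap<String, Object>(), out);
            return "RENDERED: " + out.toString().trim();
        } catch (TemplateException e) {
            // SAFER_RESOLVER rejects the class before any command is executed.
            return "BLOCKED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(render(configure(false), TEMPLATE)); // command runs
        System.out.println(render(configure(true), TEMPLATE));  // ?new is refused
    }
}
```

SAFER_RESOLVER only narrows ?new; it does not restrict what the data model itself exposes, so an application that hands arbitrary Java objects to templates still needs to review its ObjectWrapper exposure settings. Where templates never need ?new at all, TemplateClassResolver.ALLOWS_NOTHING_RESOLVER or a custom allow-list resolver is the stricter choice, and it is the setting most likely to trigger the breakage Taher anticipates for templates that already execute code.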