freemarker-dev mailing list archives

From Jacques Le Roux <jacques.le.r...@les7arts.com>
Subject Use TemplateClassResolver.SAFER_RESOLVER by default
Date Sun, 17 May 2020 06:41:31 GMT
Hi,

After reading https://ackcent.com/blog/in-depth-freemarker-template-injection/ I wonder why we do not have TemplateClassResolver.SAFER_RESOLVER[1] used by default, like there is:

     The api_builtin_enabled configuration setting must be set to true. Its default is false (at least as of 2.3.22) for not lowering the security of existing applications.[2]

Is there a reason?

Thanks

Jacques

[1] https://freemarker.apache.org/docs/api/freemarker/core/TemplateClassResolver.html#SAFER_RESOLVER
[2] https://freemarker.apache.org/docs/ref_builtins_expert.html#ref_buitin_api_and_has_api
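
An added example, not part of the original message and not FreeMarker project code: opting in to the resolver discussed above and checking that a `?new` probe is refused. The class name `SaferResolverCheck` and the probe template are constructed for illustration; FreeMarker 2.3.22 or later is assumed to be on the classpath.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;
import freemarker.template.utility.ObjectConstructor;

import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;

public class SaferResolverCheck {

    // Constructed probe: asks ?new to instantiate a class that SAFER_RESOLVER
    // is documented to refuse. The object is created but never used.
    static final String PROBE =
        "<#assign o = \"" + ObjectConstructor.class.getName() + "\"?new()>instantiated";

    static Configuration newConfig(boolean hardened) {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_22);
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        cfg.setLogTemplateExceptions(false);
        if (hardened) {
            // Not the default: the resolver must be selected explicitly.
            cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
            // Already false by default; pinned so a later change is visible in review.
            cfg.setAPIBuiltinEnabled(false);
        }
        return cfg;
    }

    static String render(Configuration cfg) throws Exception {
        Template template = new Template("probe", new StringReader(PROBE), cfg);
        StringWriter out = new StringWriter();
        try {
            template.process(Collections.emptyMap(), out);
            return out.toString();
        } catch (TemplateException e) {
            // With RETHROW_HANDLER the refusal surfaces here instead of in the output.
            return "blocked (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default resolver: " + render(newConfig(false)));
        System.out.println("SAFER_RESOLVER:   " + render(newConfig(true)));
    }
}
```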

