freemarker-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Dekany <>
Subject FreeMarker generator security related configuration defaults
Date Sun, 11 Oct 2020 18:42:34 GMT
I noticed that ?api and ?new are by default disabled in
freemarker-generator. However, freemarker-generator is inherently unsafe,
as it has tools.freemarker.objectConstructor, and tools.freemarker.statics.
For a command-line tool that's probably fine, but then above two
configuration settings should be left on their convenient defaults as well.

In general, allowing someone to specify arbitrary command line arguments
to freemarker-generator CLI means that they can do pretty much anything (as
they can provide an arbitrary template with the -i option, then access the
tools). Again, I think such risk is expected from a command line tool, but
it's better if we are conscious about this.

Best regards,
Daniel Dekany

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message