freemarker-dev mailing list archives

From Daniel Dekany <daniel.dek...@gmail.com>
Subject Re: FreeMarker generator security related configuration defaults
Date Wed, 21 Oct 2020 06:01:49 GMT
Does that mean that you agree that we should leave them on the actual
FreeMarker 2.3.x defaults (?api enabled, ?new set to "safer")?

On Mon, Oct 19, 2020 at 7:31 PM Siegfried Goeschl <siegfried.goeschl@gmail.com> wrote:

> Hi Daniel,
>
> yes, I disabled them since I assume that they will be the default settings
>
> Thanks in advance
>
> Siegfried Goeschl
>
> > On 11.10.2020, at 20:42, Daniel Dekany <daniel.dekany@gmail.com> wrote:
> >
> > I noticed that ?api and ?new are by default disabled in
> > freemarker-generator. However, freemarker-generator is inherently unsafe,
> > as it has tools.freemarker.objectConstructor and tools.freemarker.statics.
> > For a command-line tool that's probably fine, but then the above two
> > configuration settings should be left on their convenient defaults as well.
> >
> > In general, allowing someone to specify arbitrary command line arguments
> > to the freemarker-generator CLI means that they can do pretty much anything (as
> > they can provide an arbitrary template with the -i option, then access the
> > tools). Again, I think such risk is expected from a command line tool, but
> > it's better if we are conscious about this.
> >
> > --
> > Best regards,
> > Daniel Dekany
>
>

-- 
Best regards,
Daniel Dekany
