freemarker-dev mailing list archives

From Siegfried Goeschl <siegfried.goes...@gmail.com>
Subject Re: FreeMarker generator security related configuration defaults
Date Mon, 19 Oct 2020 17:31:31 GMT
Hi Daniel,

yes, I disabled them since I assume that they will be the default settings

Thanks in advance

Siegfried Goeschl

> On 11.10.2020, at 20:42, Daniel Dekany <daniel.dekany@gmail.com> wrote:
> 
> I noticed that ?api and ?new are by default disabled in
> freemarker-generator. However, freemarker-generator is inherently unsafe,
> as it has tools.freemarker.objectConstructor, and tools.freemarker.statics.
> For a command-line tool that's probably fine, but then the above two
> configuration settings should be left on their convenient defaults as well.
> 
> In general, allowing someone to specify arbitrary command line arguments
> to freemarker-generator CLI means that they can do pretty much anything (as
> they can provide an arbitrary template with the -i option, then access the
> tools). Again, I think such risk is expected from a command line tool, but
> it's better if we are conscious about this.
> 
> -- 
> Best regards,
> Daniel Dekany

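The two settings the thread refers to, `?api` and `?new`, are ordinary FreeMarker `Configuration` options. The following added example (written for this archive page, not code from freemarker-generator or from either poster) shows how a host application switches them off and what a template sees when it tries to use them. It assumes FreeMarker 2.3.30 on the classpath; the `lockedDownConfiguration` and `render` method names, the `items` model key and the inline template strings are constructed for the illustration.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class LockedDownFreeMarker {

    // Assumption: FreeMarker 2.3.30 is available; the version constant only selects
    // backward-compatible behaviour and is not tied to any particular deployment.
    static Configuration lockedDownConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        // Disables the ?api built-in (setting name "api_builtin_enabled"), so a template
        // cannot reach the raw Java object behind a wrapped model value.
        cfg.setAPIBuiltinEnabled(false);
        // Makes ?new refuse every class name (setting name "new_builtin_class_resolver",
        // value "allows_nothing"), so templates cannot instantiate arbitrary classes.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING);
        return cfg;
    }

    /** Renders an inline template against a small constructed model and returns
     *  either the output or the error text FreeMarker raised. */
    static String render(Configuration cfg, String source) {
        Map<String, Object> model = new HashMap<>();
        model.put("items", Arrays.asList("a", "b"));   // constructed sample data
        try {
            Template template = new Template("inline", new StringReader(source), cfg);
            StringWriter out = new StringWriter();
            template.process(model, out);
            return "OK: " + out;
        } catch (TemplateException | IOException e) {
            return "BLOCKED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Configuration cfg = lockedDownConfiguration();
        // Ordinary directives and interpolations keep working.
        System.out.println(render(cfg, "<#list items as i>${i}</#list>"));
        // ?new is refused even for a harmless class such as java.util.Date.
        System.out.println(render(cfg, "<#assign d = \"java.util.Date\"?new()>created"));
        // ?api is refused, so the java.util.List behind "items" stays unreachable.
        System.out.println(render(cfg, "${items?api.size()}"));
    }
}
```

The first call prints `OK: ab`; the other two report `BLOCKED:` with FreeMarker's own message. The caveat from the thread still applies: these settings only constrain what the template language itself can do. Anything the host program places into the model, such as the `objectConstructor` and `statics` tools that freemarker-generator exposes, remains reachable regardless of these two flags, so for a tool that accepts arbitrary templates on the command line they reduce convenience without changing the trust boundary.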
