[ https://issues.apache.org/jira/browse/OFBIZ-12192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17300305#comment-17300305 ]

Jacques Le Roux edited comment on OFBIZ-12192 at 3/12/21, 1:42 PM:
-------------------------------------------------------------------

BTW, after reading about FREEMARKER-124 at https://freemarker.apache.org/docs/versions_2_3_30.html

bq. Made the default filtering of class members more restrictive (when you are using BeansWrapper, or its subclasses like DefaultObjectWrapper). This is not strictly backward compatible, but unlikely to break any real-world applications; see src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules to see what was changed. This change was made for security reasons, but the default behavior will never be safe enough if untrusted users will edit templates; see in the FAQ.

In the unlikely case this change breaks your application, then you can still use the old behavior by setting the memberAccessPolicy property of the object wrapper to LegacyDefaultMemberAccessPolicy.INSTANCE.

I sent this to the dev ML: https://markmail.org/message/r5yyhis5qwk53akn

bq. After fixing this issue, I believe we should use Freemarker 2.3.31 in all supported branches because of possible (low but who knows...) security issues fixed since 2.3.30. What do you think?

> Replace Bintray by a new place to upload the Gradle Wrapper
> -----------------------------------------------------------
>
> Key: OFBIZ-12192
> URL: https://issues.apache.org/jira/browse/OFBIZ-12192
> Project: OFBiz
> Issue Type: Task
> Components: Gradle
> Affects Versions: 18.12.01, Trunk, 17.12.06
> Reporter: Jacques Le Roux
> Priority: Blocker
>
> We got an issue with Bintray and jcenter: [https://markmail.org/message/hal4od7xeoig6xfw]
> The jcenter aspect is now fixed with OFBIZ-12171 (actually jcenter will allow download until February 1st 2022)
> With our need to upload the Gradle Wrapper we have though still an issue with Bintray: [https://markmail.org/message/74u6wsldx3ykzqiv]
> The problem is once we release a package the scripts at [https://github.com/apache/ofbiz-framework/tree/trunk/gradle] are frozen. So people using these scripts will not be able to download the related Gradle Wrapper versions.
> So we need to replace Bintray by another place to upload the different versions of the Gradle Wrapper. All supported OFBiz versions are concerned.
> Note: I have already put [https://cwiki.apache.org/confluence/display/OFBIZ/Load+new+gradle+wrapper+version+on+bintray] in Wiki Attic

--
This message was sent by Atlassian Jira
(v8.3.4#803005)