[
https://issues.apache.org/jira/browse/OFBIZ-12192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17300305#comment-17300305 ]
Jacques Le Roux commented on OFBIZ-12192:
-----------------------------------------
BTW, after reading about FREEMARKER-124 at
https://freemarker.apache.org/docs/versions_2_3_30.htmlbq. Made the default filtering of class members more restrictive (when you are using BeansWrapper, or its subclasses like DefaultObjectWrapper). This is not strictly backward compatible, but unlikely to break any real-world applications; see src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules to see what was changed. This change was made for security reasons, but the default behavior will never be safe enough if untrusted users will edit templates; see in the FAQ. In the unlikely case this change breaks your application, then you can still use the old behavior by setting the memberAccessPolicy property of the object wrapper to LegacyDefaultMemberAccessPolicy.INSTANCE.
I send this to the dev ML:
https://markmail.org/message/r5yyhis5qwk53aknbq. After fixing this issue, I believe we should use Freemarker 2.3.31 in all supported branches because of possible (low but who knows...) security
issues fixed since 2.3.30. What do you think?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)