[jira] [Updated] (OFBIZ-12196) Update Freemaker to 2.3.31 in R17 and R18

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Updated] (OFBIZ-12196) Update Freemaker to 2.3.31 in R17 and R18

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-12196?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-12196:
------------------------------------
    Description:
That's for (low) security reason. There are no bugs in R17 and R18 but after reading about FREEMARKER-124 at https://freemarker.apache.org/docs/versions_2_3_30.html I believe we should update update Freemaker to 2.3.31 in R17 and  R18

bq.   FREEMARKER-124 made the default filtering of class members more restrictive (when you are using BeansWrapper, or its subclasses like DefaultObjectWrapper). This is not strictly backward compatible, but unlikely to break any real-world applications; see src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules to see what was changed. This change was made for security reasons, but the default behavior will never be safe enough if untrusted users will edit templates; see in the FAQ. In the unlikely case this change breaks your application, then you can still use the old behavior by setting the memberAccessPolicy property of the object wrapper to LegacyDefaultMemberAccessPolicy.INSTANCE.

I send this to the dev ML: https://markmail.org/message/r5yyhis5qwk53akn

bq.   After fixing OFBIZ-12195, I believe we should use Freemarker 2.3.31 in all supported branches because of possible (low but who knows...) security issues fixed since 2.3.30.

Without answers in a week I'll do so...



  was:
That's for (low) security reason. There are no bugs in R17 and R18 but after reading about FREEMARKER-124 at https://freemarker.apache.org/docs/versions_2_3_30.html I believe we should update update Freemaker to 2.3.31 in R17 and  R18

bq.   FREEMARKER-124 made the default filtering of class members more restrictive (when you are using BeansWrapper, or its subclasses like DefaultObjectWrapper). This is not strictly backward compatible, but unlikely to break any real-world applications; see src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules to see what was changed. This change was made for security reasons, but the default behavior will never be safe enough if untrusted users will edit templates; see in the FAQ. In the unlikely case this change breaks your application, then you can still use the old behavior by setting the memberAccessPolicy property of the object wrapper to LegacyDefaultMemberAccessPolicy.INSTANCE.

I send this to the dev ML: https://markmail.org/message/r5yyhis5qwk53akn

bq.   After fixing OFBIZ-12195, I believe we should use Freemarker 2.3.31 in all supported branches because of possible (low but who knows...) security issues fixed since 2.3.30.

Withouth answers in a week I'll do so...




> Update Freemaker to 2.3.31 in R17 and  R18
> ------------------------------------------
>
>                 Key: OFBIZ-12196
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12196
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework/base
>    Affects Versions: Release Branch 18.12, Release Branch 17.12
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>
> That's for (low) security reason. There are no bugs in R17 and R18 but after reading about FREEMARKER-124 at https://freemarker.apache.org/docs/versions_2_3_30.html I believe we should update update Freemaker to 2.3.31 in R17 and  R18
> bq.   FREEMARKER-124 made the default filtering of class members more restrictive (when you are using BeansWrapper, or its subclasses like DefaultObjectWrapper). This is not strictly backward compatible, but unlikely to break any real-world applications; see src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules to see what was changed. This change was made for security reasons, but the default behavior will never be safe enough if untrusted users will edit templates; see in the FAQ. In the unlikely case this change breaks your application, then you can still use the old behavior by setting the memberAccessPolicy property of the object wrapper to LegacyDefaultMemberAccessPolicy.INSTANCE.
> I send this to the dev ML: https://markmail.org/message/r5yyhis5qwk53akn
> bq.   After fixing OFBIZ-12195, I believe we should use Freemarker 2.3.31 in all supported branches because of possible (low but who knows...) security issues fixed since 2.3.30.
> Without answers in a week I'll do so...



--
This message was sent by Atlassian Jira
(v8.3.4#803005)