[ofbiz-framework] branch release18.12 updated: Fixed: Prevent FreeMarker Template Injection (SSTI)


jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new d227417  Fixed: Prevent FreeMarker Template Injection (SSTI)
d227417 is described below

commit d2274170b418dc7dbb44f5096b2b22c81e3943f4
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat May 16 20:51:02 2020 +0200

    Fixed: Prevent FreeMarker Template Injection (SSTI)
   
    (OFBIZ-11709)
   
    Since Freemarker 2.3.17 a known solution to these issues is to register a
    TemplateClassResolver in Freemarker configuration in order to limit which
    TemplateModels can be instantiated in the templates. The predefined resolver
    SAFER_RESOLVER doesn't allow instantiating the Execute class[4].
   
    So the solution is to add the line
        newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
    in FreeMarkerWorker.java
   
    Conflicts handled by hand
---
 .../java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java     | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 516a64f..fa368a1 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -35,6 +35,7 @@ import java.util.TimeZone;
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
 
+import org.apache.ofbiz.base.component.ComponentConfig;
 import org.apache.ofbiz.base.location.FlexibleLocation;
 import org.apache.ofbiz.base.util.Debug;
 import org.apache.ofbiz.base.util.StringUtil;
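Review bot: the import `org.apache.ofbiz.base.component.ComponentConfig` added in this hunk is not referenced by any other added line of this three-insertion patch; if it is only a by-product of the manual conflict resolution mentioned in the commit message, drop it (an unused import will be flagged by checkstyle), otherwise state in the commit message what it is needed for.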
@@ -49,6 +50,7 @@ import freemarker.cache.StringTemplateLoader;
 import freemarker.cache.TemplateLoader;
 import freemarker.cache.URLTemplateLoader;
 import freemarker.core.Environment;
+import freemarker.core.TemplateClassResolver;
 import freemarker.ext.beans.BeanModel;
 import freemarker.ext.beans.BeansWrapper;
 import freemarker.ext.beans.BeansWrapperBuilder;
@@ -115,6 +117,7 @@ public final class FreeMarkerWorker {
         } catch (TemplateException e) {
             Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, module);
         }
+        newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
         // Transforms properties file set up as key=transform name, property=transform class name
         ClassLoader loader = Thread.currentThread().getContextClassLoader();
         Enumeration<URL> resources;
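Review bot: the new `newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);` line carries no comment, unlike the `// Transforms properties file ...` line right after it; add a one-line comment citing OFBIZ-11709 so a later refactor of this method does not silently drop the only security-relevant setting. Since the resolver governs only the `?new` built-in, pair it with a unit test that confirms `freemarker.template.utility.Execute` can no longer be instantiated from a template while ordinary templates still render.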
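To verify the setting the commit adds, here is an added stand-alone check (not OFBiz code; the class name SaferResolverCheck and the probe template are constructed for this example): it builds a FreeMarker Configuration with and without SAFER_RESOLVER and reports whether the `?new` built-in can still reach `freemarker.template.utility.Execute` while an ordinary template keeps rendering.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;
import java.util.Map;

import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

/** Constructed regression check for the OFBIZ-11709 mitigation; not part of OFBiz. */
public final class SaferResolverCheck {
    // Probe that asks the ?new built-in for the class the commit message names.
    private static final String PROBE =
        "<#assign x = \"freemarker.template.utility.Execute\"?new()>ok";
    private static final String BENIGN = "Hello ${name}";

    static Configuration build(boolean hardened) {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_28);
        if (hardened) {
            // The single line the commit adds to FreeMarkerWorker, applied here.
            cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        }
        return cfg;
    }

    static String render(Configuration cfg, String src, Map<String, Object> model) throws Exception {
        Template t = new Template("probe", new StringReader(src), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    /** True when the probe is refused while an ordinary template still renders. */
    static boolean isHardened(Configuration cfg) throws Exception {
        Map<String, Object> model = Collections.<String, Object>singletonMap("name", "world");
        if (!"Hello world".equals(render(cfg, BENIGN, model))) {
            return false; // benign rendering broke: the setting is misapplied or too strict
        }
        try {
            render(cfg, PROBE, model);
            return false; // class was instantiated: resolver not in effect
        } catch (TemplateException e) {
            return true;  // SAFER_RESOLVER refused to resolve the class
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default resolver blocks Execute: " + isHardened(build(false)));
        System.out.println("SAFER_RESOLVER blocks Execute:   " + isHardened(build(true)));
    }
}
```

With FreeMarker 2.3.17 or later on the classpath, the first line prints false and the second true; any other outcome means the resolver setting is not reaching the Configuration that renders templates.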