This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release18.12 by this push: new b97d6bf Improved: Prevent FreeMarker Template Injection (SSTI) b97d6bf is described below commit b97d6bf1e28c1ffc062af08fc7da2769fc3672d5 Author: Jacques Le Roux <[hidden email]> AuthorDate: Mon May 18 12:06:28 2020 +0200 Improved: Prevent FreeMarker Template Injection (SSTI) (OFBIZ-11709) Some people may want to use another TemplateClassResolver than SAFER_RESOLVER This creates a new templateClassResolver security property and uses it in FreeMarkerWorker::makeConfiguration by default Conflicts handled by hand framework/security/config/security.properties
---
 .../org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 11 ++++++++++-
 framework/security/config/security.properties | 7 +++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index fa368a1..539d423 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -64,6 +64,7 @@ import freemarker.template.TemplateHashModel;
 import freemarker.template.TemplateModel;
 import freemarker.template.TemplateModelException;
 import freemarker.template.Version;
+import freemarker.template.utility.ClassUtil;
 
 /**
 * FreeMarkerWorker - Freemarker Template Engine Utilities.
@@ -117,7 +118,15 @@ public final class FreeMarkerWorker {
 } catch (TemplateException e) {
 Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, module);
 }
- newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
+ String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
+ "SAFER_RESOLVER");
+ try {
+ newConfig.setNewBuiltinClassResolver((TemplateClassResolver)
+ ClassUtil.forName("freemarker.core.TemplateClassResolver" + templateClassResolver)
+ .cast(templateClassResolver));
+ } catch (ClassNotFoundException e) {
+ Debug.logError("No TemplateClassResolver." + templateClassResolver, MODULE);
+ }
 // Transforms properties file set up as key=transform name, property=transform class name
 ClassLoader loader = Thread.currentThread().getContextClassLoader();
 Enumeration<URL> resources;
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index f5d3120..fa64fa5 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -159,3 +159,10 @@ host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable
 # -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed
 SameSiteCookieAttribute=
+# -- Freemarker TemplateClassResolver option, see OFBIZ-11709.
+# -- By default OFBiz uses the SAFER_RESOLVER because OOTB it does not use any of the Freemarker classes
+# -- that SAFER_RESOLVER prevents: ObjectConstructor, Execute and JythonRuntime.
+# -- If you need to use one to these classes you need to change the TemplateClassResolver
+# -- to UNRESTRICTED_RESOLVER and look at MemberAccessPolicy. In any cases better read
+# -- https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security
+templateClassResolver= |
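Review bot: `ClassUtil.forName("freemarker.core.TemplateClassResolver" + templateClassResolver)` builds the name `freemarker.core.TemplateClassResolverSAFER_RESOLVER`, which is not a class — SAFER_RESOLVER, UNRESTRICTED_RESOLVER and ALLOWS_NOTHING_RESOLVER are static constants of the `freemarker.core.TemplateClassResolver` interface — so the lookup throws ClassNotFoundException on every start, the error is logged, and `setNewBuiltinClassResolver` is never called, leaving the Configuration on FreeMarker's built-in default (the unrestricted resolver, as far as I recall) and so losing the protection the removed line gave. Even if the lookup succeeded, `.cast(templateClassResolver)` applies `Class.cast` to the property String rather than to a resolver instance and would throw an uncaught ClassCastException. Map the property to the three known constants explicitly and fall back to SAFER_RESOLVER on any other value, so a mistyped setting fails closed instead of open; the `ClassUtil` import then becomes unused. The new log call passes `MODULE` while the context line two lines above passes `module`; if this branch only declares `module`, the file will not compile. makeConfiguration continues outside the hunk on both sides.
```java
String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
        "SAFER_RESOLVER");
// Resolve the property by name against the known TemplateClassResolver constants; any
// unknown value falls back to SAFER_RESOLVER so a typo cannot silently widen template access.
TemplateClassResolver resolver;
switch (templateClassResolver) {
case "UNRESTRICTED_RESOLVER":
    resolver = TemplateClassResolver.UNRESTRICTED_RESOLVER;
    break;
case "ALLOWS_NOTHING_RESOLVER":
    resolver = TemplateClassResolver.ALLOWS_NOTHING_RESOLVER;
    break;
case "SAFER_RESOLVER":
    resolver = TemplateClassResolver.SAFER_RESOLVER;
    break;
default:
    Debug.logError("Unknown security.templateClassResolver value '" + templateClassResolver
            + "', falling back to SAFER_RESOLVER", module);
    resolver = TemplateClassResolver.SAFER_RESOLVER;
}
newConfig.setNewBuiltinClassResolver(resolver);
// … unchanged: transforms properties loading …
```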
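Review bot: The new comment block has two wording slips: `# -- If you need to use one to these classes` should read `one of these classes`, and `In any cases better read` should read `In any case, better read`. It would also help operators to list the accepted values in the comment — SAFER_RESOLVER, UNRESTRICTED_RESOLVER and ALLOWS_NOTHING_RESOLVER — and to say that the default when the property is unset is SAFER_RESOLVER, since that default lives only in FreeMarkerWorker and is not visible from this file.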