This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository
https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new d640a71 Improved: Prevent FreeMarker Template Injection (SSTI)
d640a71 is described below
commit d640a711d14e3a2a94c8a73635dd4e63a9eb4bc1
Author: Jacques Le Roux <
[hidden email]>
AuthorDate: Mon May 18 22:52:30 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI)
(OFBIZ-11709)
Better style with line not too long
---
.../java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index c7bf317..1e95731 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -126,7 +126,8 @@ public final class FreeMarkerWorker {
} catch (TemplateException e) {
Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, MODULE);
}
- String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver", "SAFER_RESOLVER");
+ String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
+ "SAFER_RESOLVER");
switch (templateClassResolver) {
case "UNRESTRICTED_RESOLVER":
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
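Review bot: The `templateClassResolver` lookup has no comment explaining that it decides which classes a template may instantiate through FreeMarker's `?new` built-in, so a maintainer editing `security.properties` gets no hint that `UNRESTRICTED_RESOLVER` removes that restriction. I would add above the lookup `// Resolver for the ?new built-in; keep SAFER_RESOLVER or stricter unless every template source is trusted.` In the `case "UNRESTRICTED_RESOLVER":` branch I would also add `Debug.logWarning("FreeMarker templateClassResolver is set to UNRESTRICTED_RESOLVER", MODULE);` so the weaker setting shows up in the logs. The switch continues past the end of the hunk, so I cannot see the `default` branch; it is worth confirming that an unrecognised or misspelled property value falls back to `SAFER_RESOLVER` and does not leave the resolver unset.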