This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push: new d227417 Fixed: Prevent FreeMarker Template Injection (SSTI) d227417 is described below
commit d2274170b418dc7dbb44f5096b2b22c81e3943f4
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sat May 16 20:51:02 2020 +0200
Fixed: Prevent FreeMarker Template Injection (SSTI) (OFBIZ-11709) Since Freemarker 2.3.17 a known solution to these issues is to register a TemplateClassResolver in Freemarker configuration in order to limit which TemplateModels can be instantiated in the templates. The predefined resolver SAFER_RESOLVER doesn't allow to instantiate the Execute class[4]. So the solution is to add the line newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER); in FreeMarkerWorker.java Conflicts handled by hand
---
 .../java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 516a64f..fa368a1 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -35,6 +35,7 @@ import java.util.TimeZone;
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
+import org.apache.ofbiz.base.component.ComponentConfig;
 import org.apache.ofbiz.base.location.FlexibleLocation;
 import org.apache.ofbiz.base.util.Debug;
 import org.apache.ofbiz.base.util.StringUtil;
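Review bot: The added `import org.apache.ofbiz.base.component.ComponentConfig;` is not referenced by any of the three inserted lines in this commit (the diffstat shows 3 insertions and all three are visible in the hunks), and since the file compiled before without it, nothing pre-existing can depend on it either. It therefore looks like an unused import left over from the hand-resolved conflict mentioned in the message, which checkstyle will flag; if that is the case the line should be dropped. If ComponentConfig is in fact used somewhere in the file via a fully qualified name, the import is still redundant.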
@@ -49,6 +50,7 @@ import freemarker.cache.StringTemplateLoader;
 import freemarker.cache.TemplateLoader;
 import freemarker.cache.URLTemplateLoader;
 import freemarker.core.Environment;
+import freemarker.core.TemplateClassResolver;
 import freemarker.ext.beans.BeanModel;
 import freemarker.ext.beans.BeansWrapper;
 import freemarker.ext.beans.BeansWrapperBuilder;
@@ -115,6 +117,7 @@ public final class FreeMarkerWorker {
 } catch (TemplateException e) {
 Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, module);
 }
+newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
 // Transforms properties file set up as key=transform name, property=transform class name
 ClassLoader loader = Thread.currentThread().getContextClassLoader();
 Enumeration<URL> resources;
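Review bot: `TemplateClassResolver.SAFER_RESOLVER` on the added `newConfig.setNewBuiltinClassResolver(...)` line is a deny-list, not an allow-list: it refuses `?new` only for `Execute`, `ObjectConstructor` and `JythonRuntime` and still lets a template instantiate any other `TemplateModel` implementation on the classpath, so the change closes the specific vector named in the commit message rather than the `?new` built-in as a whole. If OFBiz templates never rely on `?new`, `TemplateClassResolver.ALLOWS_NOTHING_RESOLVER` is the stricter setting; either way the line deserves a comment recording the decision, e.g. `// OFBIZ-11709: block ?new on Execute/ObjectConstructor/JythonRuntime; tighten to ALLOWS_NOTHING_RESOLVER if templates never need ?new`. Note that this resolver does not govern the `?api` built-in or the BeansWrapper exposure level, which are configured separately and presumably unchanged here. The enclosing method that builds `newConfig` starts and ends outside this hunk, so I cannot confirm that the resolver is set before the configuration is handed out to callers; it must be in place before any template is processed with it.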