This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 07f48a3  Improved: Prevent FreeMarker Template Injection (SSTI)
07f48a3 is described below

commit 07f48a3334fcd11a1d6c8e3236887dd3b535863c
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon May 18 14:03:33 2020 +0200

    Improved: Prevent FreeMarker Template Injection (SSTI)
    
    (OFBIZ-11709)
    
    The previous code compiled, but the resolver class was not found at runtime (the class name was built by string concatenation); a plain switch over the known constants is simpler and safer (KISS).
---
 .../ofbiz/base/util/template/FreeMarkerWorker.java | 23 +++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 539d423..20765fc 100644
--- 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -64,7 +64,6 @@ import freemarker.template.TemplateHashModel;
 import freemarker.template.TemplateModel;
 import freemarker.template.TemplateModelException;
 import freemarker.template.Version;
-import freemarker.template.utility.ClassUtil;
 
 /**
  * FreeMarkerWorker - Freemarker Template Engine Utilities.
@@ -118,14 +117,20 @@ public final class FreeMarkerWorker {
         } catch (TemplateException e) {
             Debug.logError("Unable to set date/time and number formats in 
FreeMarker: " + e, module);
         }
-        String templateClassResolver = 
UtilProperties.getPropertyValue("security", "templateClassResolver", 
-                "SAFER_RESOLVER");
-        try {
-            newConfig.setNewBuiltinClassResolver((TemplateClassResolver) 
-                    ClassUtil.forName("freemarker.core.TemplateClassResolver" 
+ templateClassResolver)
-                    .cast(templateClassResolver));
-        } catch (ClassNotFoundException e) {
-            Debug.logError("No TemplateClassResolver." + 
templateClassResolver, MODULE);
+        String templateClassResolver = 
UtilProperties.getPropertyValue("security", "templateClassResolver", 
"SAFER_RESOLVER");
+        switch (templateClassResolver) {
+            case "UNRESTRICTED_RESOLVER":
+                
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
+                break;
+            case "SAFER_RESOLVER":
+                
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
+                break;
+            case "ALLOWS_NOTHING_RESOLVER":
+                
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
+                break;
+            default:
+                Debug.logError("Not a TemplateClassResolver.", MODULE);
+                break;
         }
         // Transforms properties file set up as key=transform name, 
property=transform class name
         ClassLoader loader = Thread.currentThread().getContextClassLoader();
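Review bot: The `default` branch only logs and leaves `newConfig` with FreeMarker's built-in resolver, which to my recollection is `UNRESTRICTED_RESOLVER`, so a typo or stale value in `security.properties` silently fails open to the very SSTI exposure this commit is meant to close. A hardening property should fail closed: in `default` also call `newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);` (or `ALLOWS_NOTHING_RESOLVER` if that is acceptable for the shipped templates) and include the rejected value in the message, e.g. `Debug.logError("Unknown templateClassResolver '" + templateClassResolver + "', falling back to SAFER_RESOLVER", MODULE);`. The surrounding context line still passes `module` (lower case) to `Debug.logError` while the new code passes `MODULE`; if both constants exist this is merely inconsistent, but worth unifying. The enclosing method begins above this hunk.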
