Hi folks,

During my last presentation I was asked about how secure Apache FreeMarker is in the context of users editing their templates - well, hard to say without knowing the application.

But I came across an interesting article (see https://ackcent.com/blog/in-depth-freemarker-template-injection/) where the authors successfully hacked a CMS based on Apache FreeMarker.

* As far as I know the UNRESTRICTED_RESOLVER is the default? Maybe ALLOWS_NOTHING_RESOLVER would be a better default?
* Enabling "?api" needs to be enabled by developers, which is fine
* Update the "unsafeMethods.properties" according to the article? For the record, "java.lang.Thread.suspend()" is duplicated anyway

Thanks in advance,

Siegfried Goeschl
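The two settings discussed above, shown side by side as an added example (not code from the post or from the FreeMarker project): a configuration that leaves the `?new` class resolver unrestricted and `?api` enabled, next to one that uses ALLOWS_NOTHING_RESOLVER and keeps `?api` off, with two harmless probe templates to confirm which configuration refuses them. It assumes FreeMarker 2.3.30 or later on the classpath and Java 9+.

```java
import java.io.StringWriter;
import java.util.List;
import java.util.Map;

import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.TemplateException;

public class FreemarkerHardening {

    // Weak: explicit UNRESTRICTED_RESOLVER for ?new, and ?api switched on.
    static Configuration lenientConfig(StringTemplateLoader loader) {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        cfg.setTemplateLoader(loader);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
        cfg.setAPIBuiltinEnabled(true);
        return cfg;
    }

    // Hardened: for user-edited templates, refuse ?new outright and leave ?api disabled.
    static Configuration hardenedConfig(StringTemplateLoader loader) {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        cfg.setTemplateLoader(loader);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    // Renders one template; returns its output, or the reason FreeMarker refused it.
    static String render(Configuration cfg, String name, Map<String, Object> model) throws Exception {
        StringWriter out = new StringWriter();
        try {
            cfg.getTemplate(name).process(model, out);
            return out.toString();
        } catch (TemplateException e) {
            return "REFUSED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        StringTemplateLoader loader = new StringTemplateLoader();
        // Constructed probe templates: a benign TemplateModel class for ?new, a List for ?api.
        loader.putTemplate("new.ftl", "${\"freemarker.template.SimpleScalar\"?new(\"hi\")}");
        loader.putTemplate("api.ftl", "${items?api.size()}");
        Map<String, Object> model = Map.of("items", List.of("a", "b"));
        for (String name : new String[] {"new.ftl", "api.ftl"}) {
            System.out.println("lenient  " + name + ": " + render(lenientConfig(loader), name, model));
            System.out.println("hardened " + name + ": " + render(hardenedConfig(loader), name, model));
        }
    }
}
```

With the lenient configuration both probes render; with the hardened one both come back as REFUSED, which is the check to run before letting end users edit templates.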
