2017-01-13 1:17 GMT+01:00 Daniel Dekany <[email protected]>:

> Friday, January 13, 2017, 12:08:12 AM, Christoph Rüger wrote:
>
> > +1 for everything.
> >
> > additional security topics:
> > use TemplateClassResolver.ALLOWS_NOTHING_RESOLVER by default to
> > avoid template injection attacks.
>
> At least in FM2 you pull in your TemplateDirectiveModel-s and
> TemplateMethodModel-s into #import/#include-able FTL-s with `?new`. I
> can imagine much better mechanisms for that use-case though... But for
> now, the point is that we can't just default to
> ALLOWS_NOTHING_RESOLVER without giving an alternative first. But, now
> that you say, I will delete those legacy "utility" TemplateModel-s
> which make `?new` rather dangerous.
>

Yes, that's what I meant. E.g. "Execute"
<http://freemarker.org/docs/api/freemarker/template/utility/Execute.html>,
which can run code on the server:

    <#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id")}

Source: <http://blog.portswigger.net/2015/08/server-side-template-injection.html#FreeMarker>

I have another thing regarding XXE attacks in FM XML processing
(regarding DocumentBuilderFactory in freemarker.ext.dom.NodeModel) where
a different default behavior would be good IMO. I can give more details
in a separate email if you want.

> > 2017-01-12 23:58 GMT+01:00 Daniel Dekany <[email protected]>:
> >
> > I have collected some further easy changes for FM3... Any comments?
> >
> > - Drop FTL classic compatible mode option (Roughly emulates FM1
> >   behavior at null-s and at some type handling issues)
> >
> > - Drop FTL non-strict syntax option (FM1 syntax - that's where you
> >   could write <if x> instead of <#if x>).
> >
> > - Drop all the "public static void main(String[] args)" methods
> >   (security concern)
> >
> > - Drop freemarker.log. That's a simple log adapter facility from the
> >   ancient times of Java, kind of like commons-logging or slf4j. I
> >   would instead introduce slf4j-api as a required dependency.
> >
> > - Drop legacy XML wrapper (freemarker.ext.xml, not to be confused with
> >   freemarker.ext.dom)
> >
> > - Drop ant task (freemarker.ext.ant)
> >
> > --
> > Thanks,
> > Daniel Dekany
>
> --
> Thanks,
> Daniel Dekany
>

--
Christoph Rüger, Managing Director
Synesty <https://synesty.com/> - Automation, Interfaces, Data Feeds
Tel.: +49 3641/559649
Xing: https://www.xing.com/profile/Christoph_Rueger2
LinkedIn: http://www.linkedin.com/pub/christoph-rueger/a/685/198

--
Synesty GmbH
Moritz-von-Rohr-Str. 1a
07745 Jena
Tel.: +49 3641 559649
Fax.: +49 3641 5596499
Internet: http://synesty.com
Managing Director: Christoph Rüger
Registered office: Jena
Commercial register B at the district court: Jena
Commercial register number: HRB 508766
VAT ID: DE287564982
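The two defaults argued about in this thread (the `?new` class resolver and the DocumentBuilderFactory used for XML processing) can be set explicitly by the application in the meantime. The following is an added Java example, not code from the thread or from the FreeMarker project. It assumes FreeMarker 2.3.x (the `Configuration.setNewBuiltinClassResolver`, `TemplateClassResolver.ALLOWS_NOTHING_RESOLVER`, `StringTemplateLoader` and `NodeModel.wrap` APIs) and a JAXP parser that honours the Xerces feature URIs used below; the class name `HardenedFreeMarkerConfig`, the template strings and the XML strings are constructed for the demonstration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

import freemarker.cache.StringTemplateLoader;
import freemarker.ext.dom.NodeModel;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateClassResolver;
import freemarker.template.TemplateException;

/** Hypothetical class name; demonstrates explicit hardening of a FreeMarker 2.3.x setup. */
public class HardenedFreeMarkerConfig {

    /** Builds a Configuration in which `?new` cannot instantiate any class at all. */
    public static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
        // ALLOWS_NOTHING_RESOLVER refuses every `?new`. If templates legitimately
        // instantiate their own TemplateDirectiveModel / TemplateMethodModel classes,
        // SAFER_RESOLVER is the intermediate option: it still refuses
        // freemarker.template.utility.Execute, ObjectConstructor and JythonRuntime.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        return cfg;
    }

    /**
     * Parses XML with DOCTYPE and external entities disabled, then wraps the DOM for
     * templates. NodeModel.parse(...) builds its own DocumentBuilderFactory, so parsing
     * here keeps the XXE-relevant settings under the application's control.
     */
    public static NodeModel parseXmlSafely(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Xerces feature URIs (assumed supported by the JAXP implementation in use).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return NodeModel.wrap(doc);
    }

    /** Renders a template given as a string; returns the output or the rejection message. */
    public static String render(Configuration cfg, String name, String source,
                                Map<String, Object> model) throws Exception {
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate(name, source);
        cfg.setTemplateLoader(loader);
        Template t = cfg.getTemplate(name);
        StringWriter out = new StringWriter();
        try {
            t.process(model, out);
            return out.toString();
        } catch (TemplateException e) {
            // With ALLOWS_NOTHING_RESOLVER the `?new` in a template fails here,
            // before any class is loaded.
            return "REJECTED TEMPLATE: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();

        // Constructed input: the `?new` instantiation discussed in the thread.
        String hostile = "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}";
        System.out.println(render(cfg, "hostile.ftl", hostile, new HashMap<String, Object>()));

        // Constructed input: any DOCTYPE (internal subset included) is refused by the
        // hardened parser, which is what blocks entity-based XXE at the root.
        String withDoctype = "<!DOCTYPE x [<!ENTITY e \"expanded\">]><x>&e;</x>";
        try {
            parseXmlSafely(withDoctype);
        } catch (SAXParseException e) {
            System.out.println("REJECTED XML: " + e.getMessage());
        }

        // Plain XML is parsed, wrapped and usable from a template as usual.
        Map<String, Object> model = new HashMap<String, Object>();
        model.put("doc", parseXmlSafely("<order><id>42</id></order>"));
        System.out.println(render(cfg, "order.ftl", "order ${doc.order.id}", model));
    }
}
```

The resolver setting only governs `?new`; objects that the application itself places in the data model (and whatever their public methods reach via the object wrapper) are a separate exposure and are not restricted by it.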
