Friday, January 13, 2017, 1:07:36 PM, Christoph Rüger wrote:

> 2017-01-13 1:17 GMT+01:00 Daniel Dekany <ddek...@freemail.hu>:
>
>> Friday, January 13, 2017, 12:08:12 AM, Christoph Rüger wrote:
>>
>> > +1 for everything.
>> >
>> > additional security topics:
>> > use TemplateClassResolver.ALLOWS_NOTHING_RESOLVER by default to
>> > avoid template injection attacks.
>>
>> At least in FM2 you pull in your TemplateDirectiveModel-s and
>> TemplateMethodModel-s into #import/#include-able FTL-s with `?new`. I
>> can imagine much better mechanisms for that use-case though... But for
>> now, the point is that we can't just default to
>> ALLOWS_NOTHING_RESOLVER without giving an alternative first. But, now
>> that you say, I will delete those legacy "utility" TemplateModel-s
>> which make `?new` rather dangerous.
>>
>
> Yes, that's what I meant. E.g. "Execute
> <http://freemarker.org/docs/api/freemarker/template/utility/Execute.html>"
> which can run code on the server:
>
> <#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id")}

Yeah, that's my favorite... Obviously, the mindset back then was that
templates are just part of the source code like java files are. You
can do whatever you want in both.

> Source
> <http://blog.portswigger.net/2015/08/server-side-template-injection.html#FreeMarker>
>
> I have another thing regarding XXE-Attacks in FM-XML-processing
> (regarding DocumentBuilderFactory
> in freemarker.ext.dom.NodeModel) where a different default behavior would
> be good IMO.
> I can give more details in a separate email if you want.

Please do! That affects FM2 too.

>> > 2017-01-12 23:58 GMT+01:00 Daniel Dekany <ddek...@freemail.hu>:
>> > I have collected some further easy changes for FM3... Any comments?
>> >
>> > - Drop FTL classic compatible mode option (Roughly emulates FM1
>> >   behavior at null-s and at some type handling issues)
>> >
>> > - Drop FTL non-strict syntax option (FM1 syntax - that's where you
>> >   could write <if x> instead of <#if x>).
>> >
>> > - Drop all the "public static void main(String[] args)" methods
>> >   (security concern)
>> >
>> > - Drop freemarker.log. That's a simple log adapter facility from the
>> >   ancient times of Java, kind of like commons-logging or slf4j. I
>> >   would instead introduce slf4j-api as a required dependency.
>> >
>> > - Drop legacy XML wrapper (freemarker.ext.xml, not to be confused with
>> >   freemarker.ext.dom)
>> >
>> > - Drop ant task (freemarker.ext.ant)
>> >
>> > --
>> > Thanks,
>> >  Daniel Dekany
>> >
>> >
>> >
>> >
>>
>> --
>> Thanks,
>>  Daniel Dekany
>>
>>
>
>
> -- 
> Christoph Rüger, Managing Director
> Synesty <https://synesty.com/> - Automation, interfaces, data feeds
> Tel.: +49 3641/559649
>
> Xing: https://www.xing.com/profile/Christoph_Rueger2
> LinkedIn: http://www.linkedin.com/pub/christoph-rueger/a/685/198
>

-- 
Thanks,
 Daniel Dekany
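Hardening configuration for the two issues discussed in this thread (the `?new` built-in resolving arbitrary classes, and XXE in the XML parsing that feeds freemarker.ext.dom.NodeModel), as an added Java example that is not part of the original email thread or of FreeMarker's own code. It assumes FreeMarker 2.3.25 on the classpath and the JDK's bundled Xerces parser; the helper names (`hardenedConfiguration`, `hardenedDocumentBuilderFactory`, `newBuiltinIsBlocked`, `renderXml`) and the sample XML are constructed for this example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

import freemarker.core.TemplateClassResolver;
import freemarker.ext.dom.NodeModel;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

public class HardenedFreemarker {

    // Hypothetical helper: a Configuration whose `?new` built-in refuses to
    // instantiate any class at all (the default is to allow most classes).
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_25);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        return cfg;
    }

    // Hypothetical helper: a DocumentBuilderFactory with DOCTYPE declarations,
    // external entities and external DTD loading disabled, so untrusted XML
    // cannot trigger entity expansion before the DOM is handed to NodeModel.
    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setNamespaceAware(true);
        return dbf;
    }

    // Returns true when the configured resolver rejects `?new`. The probe uses a
    // harmless TemplateModel class (SimpleScalar), so the check itself executes nothing.
    static boolean newBuiltinIsBlocked(Configuration cfg) throws Exception {
        Template t = new Template("probe",
                "<#assign s=\"freemarker.template.SimpleScalar\"?new(\"x\")>${s}", cfg);
        try {
            t.process(new HashMap<String, Object>(), new StringWriter());
            return false;
        } catch (TemplateException e) {
            return true;
        }
    }

    // Parses XML with the hardened factory, wraps the DOM for FTL and renders it.
    // With disallow-doctype-decl enabled, input carrying a DOCTYPE fails at parse time.
    static String renderXml(Configuration cfg, String xml, String ftl) throws Exception {
        DocumentBuilder db = hardenedDocumentBuilderFactory().newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        Map<String, Object> model = new HashMap<>();
        model.put("doc", NodeModel.wrap(doc));
        StringWriter out = new StringWriter();
        new Template("xml", ftl, cfg).process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();
        System.out.println("?new blocked: " + newBuiltinIsBlocked(cfg));

        // Constructed sample input: benign XML that renders normally.
        String benign = "<order><id>42</id></order>";
        System.out.println(renderXml(cfg, benign, "order ${doc.order.id}"));

        // Constructed sample input: any DOCTYPE (the prerequisite for entity
        // expansion) is rejected by the hardened parser before NodeModel sees it.
        String withDoctype = "<!DOCTYPE order [<!ENTITY e \"x\">]><order><id>&e;</id></order>";
        try {
            renderXml(cfg, withDoctype, "order ${doc.order.id}");
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

Running `main` first reports whether `?new` is blocked, then renders the benign order, and finally shows the DOCTYPE-bearing document being refused at parse time rather than at template time. Blocking `?new` via the class resolver covers the `Execute` case from the thread without touching the templates; the parser hardening is independent of FreeMarker and applies to whatever builds the DOM that `NodeModel.wrap` receives.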
