See below

2017-01-13 15:32 GMT+01:00 Daniel Dekany <ddek...@freemail.hu>:

> Friday, January 13, 2017, 1:07:36 PM, Christoph Rüger wrote:
>
> > 2017-01-13 1:17 GMT+01:00 Daniel Dekany <ddek...@freemail.hu>:
> >
> >> Friday, January 13, 2017, 12:08:12 AM, Christoph Rüger wrote:
> >>
> >> > +1 for everything.
> >> >
> >> > Additional security topics:
> >> > use TemplateClassResolver.ALLOWS_NOTHING_RESOLVER by default to
> >> > avoid template injection attacks.
> >>
> >> At least in FM2 you pull in your TemplateDirectiveModel-s and
> >> TemplateMethodModel-s into #import/#include-able FTL-s with `?new`. I
> >> can imagine much better mechanisms for that use-case though... But for
> >> now, the point is that we can't just default to
> >> ALLOWS_NOTHING_RESOLVER without giving an alternative first. But, now
> >> that you say, I will delete those legacy "utility" TemplateModel-s
> >> which make `?new` rather dangerous.
> >
> > Yes, that's what I meant. E.g. "Execute"
> > <http://freemarker.org/docs/api/freemarker/template/utility/Execute.html>,
> > which can run code on the server:
> >
> >     <#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id")}
>
> Yeah, that's my favorite... Obviously, the mind set back then was that
> templates are just part of the source code like java files are. You
> can do whatever you want in both.
>
> > Source:
> > <http://blog.portswigger.net/2015/08/server-side-template-injection.html#FreeMarker>
> >
> > I have another thing regarding XXE attacks in FM XML processing
> > (regarding DocumentBuilderFactory in freemarker.ext.dom.NodeModel)
> > where a different default behavior would be good IMO.
> > I can give more details in a separate email if you want.
>
> Please do! That affects FM2 too.

The DocumentBuilderFactory created in
freemarker.ext.dom.NodeModel.getDocumentBuilderFactory() is currently set up
to resolve external entities (which is the default behavior).

This opens the door for XXE attacks (External Entity Injection), see
http://colesec.inventedtheinternet.com/attacking-xml-with-xml-external-entity-injection-xxe/

Lots of web apps have this problem, e.g. also PHP, where this is enabled by
default too (not a PHP guy, but I read about it).

We basically chose to forbid external entities completely by extending
NodeModel and setting some properties on the DocumentBuilderFactory as
described here:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J

> >> > 2017-01-12 23:58 GMT+01:00 Daniel Dekany <ddek...@freemail.hu>:
> >> > I have collected some further easy changes for FM3... Any comments?
> >> >
> >> > - Drop FTL classic compatible mode option (Roughly emulates FM1
> >> >   behavior at null-s and at some type handling issues)
> >> >
> >> > - Drop FTL non-strict syntax option (FM1 syntax - that's where you
> >> >   could write <if x> instead of <#if x>).
> >> >
> >> > - Drop all the "public static void main(String[] args)" methods
> >> >   (security concern)
> >> >
> >> > - Drop freemarker.log. That's a simple log adapter facility from the
> >> >   ancient times of Java, kind of like commons-logging or slf4j. I
> >> >   would instead introduce slf4j-api as a required dependency.
> >> >
> >> > - Drop legacy XML wrapper (freemarker.ext.xml, not to be confused with
> >> >   freemarker.ext.dom)
> >> >
> >> > - Drop ant task (freemarker.ext.ant)
> >> >
> >> > --
> >> > Thanks,
> >> > Daniel Dekany

--
Christoph Rüger, Geschäftsführer
Synesty <https://synesty.com/> - Automatisierung, Schnittstellen, Datenfeeds
Tel.: +49 3641/559649
Xing: https://www.xing.com/profile/Christoph_Rueger2
LinkedIn: http://www.linkedin.com/pub/christoph-rueger/a/685/198

--
Synesty GmbH
Moritz-von-Rohr-Str. 1a
07745 Jena
Tel.: +49 3641 559649
Fax.: +49 3641 5596499
Internet: http://synesty.com
Geschäftsführer: Christoph Rüger
Unternehmenssitz: Jena
Handelsregister B beim Amtsgericht: Jena
Handelsregister-Nummer: HRB 508766
Ust-IdNr.: DE287564982
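The two hardening steps the thread discusses, written out as an added example (this is editor-supplied code, not code from the thread or from the FreeMarker project): a Configuration that sets TemplateClassResolver.ALLOWS_NOTHING_RESOLVER so the Execute `?new` payload from the thread is refused, and a DocumentBuilderFactory configured per the OWASP cheat sheet so the DOCTYPE-based XXE payload is refused before any entity is resolved. It assumes the FreeMarker 2.3.x API names Configuration.setNewBuiltinClassResolver, NodeModel.setDocumentBuilderFactory and NodeModel.parse(InputSource) and the Xerces feature URIs the JDK parser understands; both payloads are constructed for the demonstration, and the class name FreeMarkerHardening is arbitrary.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

import freemarker.core.TemplateClassResolver;
import freemarker.ext.dom.NodeModel;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

/** Added example (not FreeMarker project code): closing the ?new and XXE holes discussed in the thread. */
public class FreeMarkerHardening {

    // Constructed XXE payload: a DOCTYPE that declares an external entity pointing at a local file.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
      + "<foo>&xxe;</foo>";

    // Constructed SSTI payload, the same one quoted in the thread: instantiates Execute and runs `id`.
    static final String SSTI_PAYLOAD =
        "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}";

    /** DocumentBuilderFactory with DOCTYPEs and external entities disabled (OWASP XXE cheat sheet settings). */
    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE outright blocks internal and external entity declarations alike.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a caller re-enables DOCTYPEs: never fetch entities or DTDs.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setNamespaceAware(true);
        return dbf;
    }

    /** Configuration in which `?new` cannot instantiate any class, so Execute/ObjectConstructor are unreachable. */
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_25);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        return cfg;
    }

    public static void main(String[] args) throws Exception {
        // 1. XXE: install the hardened factory (a JVM-global static in NodeModel) and feed it the payload.
        NodeModel.setDocumentBuilderFactory(hardenedDocumentBuilderFactory());
        try {
            NodeModel.parse(new InputSource(new StringReader(XXE_PAYLOAD)));
            System.out.println("UNEXPECTED: DOCTYPE was accepted, parser is not hardened");
        } catch (SAXException e) {
            // Xerces raises this as soon as it sees the DOCTYPE, before touching /etc/passwd.
            System.out.println("XXE blocked: " + e.getMessage());
        }

        // 2. SSTI: the Execute instantiation fails at the ?new built-in instead of running `id`.
        Template t = new Template("untrusted", new StringReader(SSTI_PAYLOAD), hardenedConfiguration());
        try {
            t.process(new HashMap<String, Object>(), new StringWriter());
            System.out.println("UNEXPECTED: ?new succeeded, class resolver is not hardened");
        } catch (TemplateException e) {
            System.out.println("?new blocked: " + e.getMessage());
        }
    }
}
```

Two caveats a practitioner should keep in mind: NodeModel.setDocumentBuilderFactory is process-wide, so set it once at startup before any XML is wrapped, and disallow-doctype-decl also rejects harmless DTDs; if your documents need them, drop that one feature and rely on the two external-entities features plus load-external-dtd being off.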