The security concern probably does not apply to OFBiz, because in most
cases users are not entering template paths, and template paths are not
used in URLs. There might be places where a user is asked for a template
location (example: setting up a response email) - so those places should
be guarded with template path checks.
-Adrian
On 4/3/2012 11:29 AM, Jacopo Cappellato wrote:
A short update on this issue:
the problem is happening with freemarker-2.3.19 while earlier versions are not
affected (e.g. freemarker-2.3.18).
In earlier versions the following include directive:
<#include "../../../runtime/svninfo.ftl" />
in a file in themes/tomahawk/includes/
was converted into a location like:
component://tomahawk/includes/../../../runtime/svninfo.ftl
With freemarker-2.3.19 the location is converted to:
component:/runtime/svninfo.ftl
Please notice the single "/" after the ":".
The reason for this is explained here
http://freemarker.sourceforge.net/docs/pgui_config_templateloading.html#autoid_43
Quote:
"Note that FreeMarker always normalizes the paths before passing them to the
template loader, so the paths do not contain /../ and such, and are relative to the
imaginary template root directory."
There were also security reasons for the change as explained here:
https://sourceforge.net/projects/freemarker/files/freemarker/2.3.19/
Jacopo
On Apr 3, 2012, at 9:49 AM, Jacopo Cappellato wrote:
I have committed a workaround for the issue in rev. 1308734
I am still investigating the root cause. Please let me know if you see other
wrong things: this is a rather big jump from Freemarker 2.3.10 to 2.3.19!
Thanks,
Jacopo
On Apr 2, 2012, at 8:22 PM, Erwan de FERRIERES wrote:
On 02/04/2012 19:53, Jacopo Cappellato wrote:
I see it now, it doesn't like the following directive:
<#include "../../../runtime/svninfo.ftl" />
I will dig into it more.
Thanks !
--
Erwan de FERRIERES
www.nereide.biz
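The thread above makes two points that are easier to see in code: a template engine that normalizes paths relative to an imaginary root collapses "../" segments before the template loader ever sees them (so a relative include that climbs out of the root, like the tomahawk one, cannot survive normalization), and any place where a user types a template location needs a path check. The following is an added example, not code from OFBiz or from FreeMarker; the template root, the function names and the sample paths are assumptions made for illustration. It deliberately does not reproduce FreeMarker's exact handling of the "component://" prefix that Jacopo observed; it shows the simplified normalization rule and the guard a practitioner would put around user-supplied template locations.

```python
from pathlib import PurePosixPath
from typing import Optional

# Hypothetical directory under which user-selectable templates are allowed to live.
TEMPLATE_ROOT = PurePosixPath("/opt/ofbiz/themes/tomahawk/includes")


def normalize_template_path(path: str) -> Optional[str]:
    """Collapse '.' and '..' segments relative to an imaginary root.

    This is a simplified model of "paths are normalized before being passed to
    the template loader and are relative to the imaginary template root".
    A path that would climb above that root is treated here as unresolvable
    and yields None (FreeMarker's own behaviour for that case is not modelled).
    """
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue            # empty segment (leading or doubled slash) or '.'
        if seg == "..":
            if not stack:
                return None     # would escape the imaginary root
            stack.pop()
        else:
            stack.append(seg)
    return "/".join(stack)


def resolve_user_template(root: PurePosixPath, user_path: str) -> PurePosixPath:
    """Resolve a user-supplied template location against an allowed root.

    Raises ValueError for anything that is absolute, carries a scheme such as
    "component://", uses backslashes, escapes the root after normalization,
    or is not an .ftl file.
    """
    if user_path.startswith("/") or "\\" in user_path or ":" in user_path:
        raise ValueError("template path must be relative and scheme-less: %r" % user_path)
    normalized = normalize_template_path(user_path)
    if normalized is None or normalized == "":
        raise ValueError("template path escapes or is the template root: %r" % user_path)
    candidate = root / normalized
    # Belt and braces: the normalized path must still sit under the root.
    if root not in candidate.parents:
        raise ValueError("template path escapes the template root: %r" % user_path)
    if candidate.suffix != ".ftl":
        raise ValueError("only .ftl templates may be selected: %r" % user_path)
    return candidate


def is_safe_template_path(root: PurePosixPath, user_path: str) -> bool:
    """Boolean form of resolve_user_template for use in validation code."""
    try:
        resolve_user_template(root, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The include from the thread, written as the loader would see it from
    # themes/tomahawk/includes/: three '..' segments climb past the root.
    print(normalize_template_path("tomahawk/includes/../../../runtime/svninfo.ftl"))  # None
    # A user picking a response-email template (constructed sample inputs).
    for p in ["email/response.ftl", "email/../email/./response.ftl",
              "../../../runtime/svninfo.ftl", "component://tomahawk/includes/x.ftl"]:
        print(p, "->", is_safe_template_path(TEMPLATE_ROOT, p))
```

The check rejects scheme-prefixed locations outright rather than trying to normalize them, because the thread shows that a "component://" prefix does not survive plain path normalization intact; if a feature genuinely needs component-relative locations, resolve the component to a directory first and then apply the same root check to the remainder.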