Claude,

Thanks for the updates. Btw, the deprecated TexenTask also uses the ExtendedProperties. I tried to use the o.a.v.util.ExtProperties suggested here, but it does not work for some reason, so I switched to org.apache.commons.configuration2.PropertiesConfiguration, which does work.

It's basically just a swap with method .load changed to .read:

    File fullPath = getProject().resolveFile(sources[i]);
    // ExtendedProperties source = new ExtendedProperties();
    PropertiesConfiguration source = new PropertiesConfiguration();
    // source.load(new FileInputStream(fullPath));
    source.read(new FileReader((fullPath)));

    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-configuration2</artifactId>
      <version>2.2</version>
    </dependency>

Cheers
Greg

On 24 June 2018 at 02:36, Claude Brisson (JIRA) <dev@velocity.apache.org> wrote:

>
> [ https://issues.apache.org/jira/browse/VELTOOLS-169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
>
> Claude Brisson resolved VELTOOLS-169.
> -------------------------------------
> Resolution: Fixed
> Assignee: Claude Brisson
> Fix Version/s: 3.0
>
> trunk got rid of commons-collections by replacing ExtendedProperties by o.a.v.util.ExtProperties
>
> > Upgrade commons-collections compile dependency to v3.2.2 or v4.1
> > ----------------------------------------------------------------
> >
> > Key: VELTOOLS-169
> > URL: https://issues.apache.org/jira/browse/VELTOOLS-169
> > Project: Velocity Tools
> > Issue Type: Bug
> > Components: Build
> > Affects Versions: 2.0
> > Reporter: Mark Symons
> > Assignee: Claude Brisson
> > Priority: Critical
> > Fix For: 3.0
> >
> >
> > Upgrade commons-collections to v3.2.2 or v4.1 or later to mitigate level 9 threat.
> > Old name: commons-collections:commons-collections
> > Current name: org.apache.commons:commons-collections4
> > Velocity Tools v2.0 uses commons-collections:commons-collections v3.2
> > commons-collections4 v4.1 includes the critical security fix COLLECTIONS-580. Quoting from v4.1 release notes:
> > {quote}
> > Serialization support for unsafe classes in the functor package has been removed completely as this can be exploited for remote code execution attacks.
> > Classes considered to be unsafe are:
> > CloneTransformer
> > ForClosure
> > InstantiateFactory
> > InstantiateTransformer
> > InvokerTransformer
> > PrototypeCloneFactory
> > PrototypeSerializationFactory
> > WhileClosure.
> > {quote}