bato created FREEMARKER-96:
------------------------------

             Summary: StringTemplateLoader why check path security
                 Key: FREEMARKER-96
                 URL: https://issues.apache.org/jira/browse/FREEMARKER-96
             Project: Apache Freemarker
          Issue Type: Bug
   Affects Versions: 2.3.28
         Environment: Java 8
            Reporter: bato

When I do this:

    StringTemplateLoader stringLoader = new StringTemplateLoader();
    cfg.setTemplateLoader(stringLoader);
    //
    stringLoader.putTemplate("Template1", "Hello ${user} \n");
    stringLoader.putTemplate("../Template2", "Hello ${user1} ${user2}");
    //
    Template temp1 = cfg.getTemplate("Template1");
    Template temp2 = cfg.getTemplate("../Template2");

I get this exception:

    freemarker.template.TemplateNotFoundException: Template not found for name "../Template2".
    Reason given: Backing out from the root directory is not allowed.
    The name was interpreted by this TemplateLoader: StringTemplateLoader(Map { "Template1"=..., "../Template2"=... }).
    .......

Why check the root path? I know security is important, but it is a StringTemplateLoader, not a file, right?

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)