[ https://issues.apache.org/jira/browse/FREEMARKER-96?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
bato updated FREEMARKER-96:
---------------------------
    Description:
When I do this

StringTemplateLoader stringLoader = new StringTemplateLoader();
cfg.setTemplateLoader(stringLoader);
//
stringLoader.putTemplate("Template1", "Hello ${user} \n");
stringLoader.putTemplate("../Template2", "Hello ${user1} ${user2}");
//
Template temp1 = cfg.getTemplate("Template1");
Template temp2 = cfg.getTemplate("../Template2");

will get this exception

freemarker.template.TemplateNotFoundException: Template not found for name "../Template2".
Reason given: Backing out from the root directory is not allowed.
The name was interpreted by this TemplateLoader: StringTemplateLoader(Map { "Template1"=..., "../Template2"=... }).
.......

check root path security is important I know, but it is StringTemplateLoader not file right?

  was:
When I do this

StringTemplateLoader stringLoader = new StringTemplateLoader();
cfg.setTemplateLoader(stringLoader);
//
stringLoader.putTemplate("Template1", "Hello ${user} \n");
stringLoader.putTemplate("../Template2", "Hello ${user1} ${user2}");
//
Template temp1 = cfg.getTemplate("Template1");
Template temp2 = cfg.getTemplate("../Template2");

will get this exception

freemarker.template.TemplateNotFoundException: Template not found for name "../Template2".
Reason given: Backing out from the root directory is not allowed.
The name was interpreted by this TemplateLoader: StringTemplateLoader(Map { "Template1"=..., "../Template2"=... }).
.......

check root path why security is important I know, but it is StringTemplateLoader not file right?

> StringTemplateLoader why check path security
> --------------------------------------------
>
>                 Key: FREEMARKER-96
>                 URL: https://issues.apache.org/jira/browse/FREEMARKER-96
>             Project: Apache Freemarker
>          Issue Type: Bug
>   Affects Versions: 2.3.28
>         Environment: Java 8
>            Reporter: bato
>            Priority: Major
>
> When I do this
> StringTemplateLoader stringLoader = new StringTemplateLoader();
> cfg.setTemplateLoader(stringLoader);
> //
> stringLoader.putTemplate("Template1", "Hello ${user} \n");
> stringLoader.putTemplate("../Template2", "Hello ${user1} ${user2}");
> //
> Template temp1 = cfg.getTemplate("Template1");
> Template temp2 = cfg.getTemplate("../Template2");
> will get this exception
> freemarker.template.TemplateNotFoundException: Template not found for name
> "../Template2".
> Reason given: Backing out from the root directory is not allowed.
> The name was interpreted by this TemplateLoader: StringTemplateLoader(Map {
> "Template1"=..., "../Template2"=... }).
> .......
> check root path security is important I know, but it is StringTemplateLoader
> not file right?