[ https://issues.apache.org/jira/browse/FREEMARKER-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16466933#comment-16466933 ]

Daniel Dekany commented on FREEMARKER-96:
-----------------------------------------

Even if we allow that, there's nothing outside the template root directory in a {{StringTemplateLoader}}. Also, putting with key {{"../Template2"}} will not work as intended, as {{../}} and such are resolved by FreeMarker before turning to the {{TemplateLoader}}.

> StringTemplateLoader why check path security
> --------------------------------------------
>
>                 Key: FREEMARKER-96
>                 URL: https://issues.apache.org/jira/browse/FREEMARKER-96
>             Project: Apache Freemarker
>          Issue Type: Bug
>    Affects Versions: 2.3.28
>         Environment: Java 8
>            Reporter: bato
>            Priority: Major
>
> When I do this:
> StringTemplateLoader stringLoader = new StringTemplateLoader();
> cfg.setTemplateLoader(stringLoader);
> //
> stringLoader.putTemplate("Template1", "Hello ${user} \n");
> stringLoader.putTemplate("../Template2", "Hello ${user1} ${user2}");
> //
> Template temp1 = cfg.getTemplate("Template1");
> Template temp2 = cfg.getTemplate("../Template2");
> I will get this exception:
> freemarker.template.TemplateNotFoundException: Template not found for name
> "../Template2".
> Reason given: Backing out from the root directory is not allowed.
> The name was interpreted by this TemplateLoader: StringTemplateLoader(Map \{
> "Template1"=..., "../Template2"=... }).
> .......
> Checking root path security is important, I know, but it is StringTemplateLoader,
> not file, right?
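
The behaviour described in the comment above, as an added example that is not part of the original message and is not FreeMarker's source code: a simplified model in which the requested name is normalized against the root before any loader lookup, so a map entry stored under `"../Template2"` can never be reached. The class `RootBasedNameDemo`, the method `normalize` and the `HashMap` stand-in for the loader are hypothetical.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

// Simplified model (not FreeMarker source): names are normalized against the
// template root first, and only the normalized name reaches the loader.
public class RootBasedNameDemo {

    // Resolves "." and ".." steps; rejects any name that climbs above the root.
    static String normalize(String name) {
        Deque<String> parts = new ArrayDeque<>();
        for (String step : name.split("/")) {
            if (step.isEmpty() || step.equals(".")) {
                continue;
            }
            if (step.equals("..")) {
                if (parts.isEmpty()) {
                    throw new IllegalArgumentException(
                            "Backing out from the root directory is not allowed: " + name);
                }
                parts.removeLast();
            } else {
                parts.addLast(step);
            }
        }
        return String.join("/", parts);
    }

    public static void main(String[] args) {
        // Hypothetical stand-in for StringTemplateLoader: an in-memory map keyed by name.
        Map<String, String> loader = new HashMap<>();
        loader.put("Template1", "Hello ${user} \n");
        loader.put("../Template2", "Hello ${user1} ${user2}");

        // Constructed sample names.
        for (String requested : new String[] {"Template1", "sub/../Template1", "../Template2"}) {
            try {
                String key = normalize(requested);
                System.out.println(requested + " -> key \"" + key + "\" -> found=" + loader.containsKey(key));
            } catch (IllegalArgumentException e) {
                // The "../Template2" map entry is never looked up at all.
                System.out.println(requested + " -> rejected before lookup: " + e.getMessage());
            }
        }
    }
}
```

Because the check runs on the name rather than in the storage backend, every loader sees the same traversal rule, whether it is backed by files or by an in-memory map.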