[
https://issues.apache.org/jira/browse/FREEMARKER-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16466933#comment-16466933
]
Daniel Dekany commented on FREEMARKER-96:
-----------------------------------------
Even if we allow that, there's nothing outside the template root directory in a
{{StringTemplateLoader}}. Also, putting with key {{"../Template2"}} will not
work as intended, as {{../}} and such is resolved by FreeMarker before turning
to the {{TemplateLoader}}.
> StringTemplateLoader why check path security
> --------------------------------------------
>
> Key: FREEMARKER-96
> URL: https://issues.apache.org/jira/browse/FREEMARKER-96
> Project: Apache Freemarker
> Issue Type: Bug
> Affects Versions: 2.3.28
> Environment: Java 8
> Reporter: bato
> Priority: Major
>
> when i do this
> StringTemplateLoader stringLoader = new StringTemplateLoader();
> cfg.setTemplateLoader(stringLoader);
> //
> stringLoader.putTemplate("Template1", "Hello ${user} \n");
> stringLoader.putTemplate("../Template2", "Hello ${user1} ${user2}");
> //
> Template temp1 = cfg.getTemplate("Template1");
> Template temp2 = cfg.getTemplate("../Template2");
> will get this exception
> freemarker.template.TemplateNotFoundException: Template not found for name
> "../Template2".
> Reason given: Backing out from the root directory is not allowed.
> The name was interpreted by this TemplateLoader: StringTemplateLoader(Map \{
> "Template1"=..., "../Template2"=... }).
> .......
> check root path security is important I know, but it is StringTemplateLoader
> not file right ?
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
