[ https://issues.apache.org/jira/browse/FREEMARKER-124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17008069#comment-17008069 ]

Dániel Dékány commented on FREEMARKER-124:
------------------------------------------

Note that we have {{MemberAccessPolicy}} and {{WhitelistMemberAccessPolicy}} in 
the repo now (will be released with 2.3.30), which is how use cases where this 
matters should be handled. See 
[https://freemarker.apache.org/builds/fm2/api/freemarker/ext/beans/MemberAccessPolicy.html]
until it's released.

But I assume that many will not want to implement such a change in their 
applications; putting together and maintaining a whitelist can be substantial 
work. So there will also be some changes in the default behavior, so that at 
least the examples in the referred blog entry won't work. But again, the 
default behavior never will be safe enough, if template editors aren't 
trusted as much as the Java developers are.

> Security - templates can get classloader by using 
> java.security.ProtectionDomain.getClassLoader
> -----------------------------------------------------------------------------------------------
>
>                 Key: FREEMARKER-124
>                 URL: https://issues.apache.org/jira/browse/FREEMARKER-124
>             Project: Apache Freemarker
>          Issue Type: Bug
>            Reporter: Gal Ben Ami
>            Priority: Critical
>              Labels: security
>
> By using java.security.ProtectionDomain.getClassLoader templates will get 
> access to the classloader and from there can get filesystem access and more.
>  
> See:
> [https://github.com/apache/freemarker/pull/62]
>  
> And 
> [https://ackcent.com/blog/in-depth-freemarker-template-injection/]
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
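
The allowlist approach named in the comment above, as an added example that is not part of the original message or FreeMarker's own code: a hand-written policy implementing the linked {{MemberAccessPolicy}} interface, so that only one getter of a data-model object is reachable from templates. It assumes FreeMarker 2.3.30 or later on the classpath; the {{Account}} class, the {{allowOnly}} helper and the "Class#method" allowlist notation are hypothetical.

```java
import freemarker.ext.beans.ClassMemberAccessPolicy;
import freemarker.ext.beans.MemberAccessPolicy;
import freemarker.template.*;
import java.io.*;
import java.lang.reflect.*;
import java.util.*;

public class AllowlistPolicyDemo {
    // Hypothetical data-model class; the key value is constructed for this example.
    public static class Account {
        public String getOwner() { return "alice"; }
        public String getApiKey() { return "constructed-key"; }
    }

    // Exposes only methods listed as "declaring.Class#method"; everything else stays hidden.
    static MemberAccessPolicy allowOnly(final Set<String> allowed) {
        return new MemberAccessPolicy() {
            public ClassMemberAccessPolicy forClass(Class<?> contextClass) {
                return new ClassMemberAccessPolicy() {
                    public boolean isMethodExposed(Method m) {
                        return allowed.contains(m.getDeclaringClass().getName() + "#" + m.getName());
                    }
                    public boolean isConstructorExposed(Constructor<?> c) { return false; }
                    public boolean isFieldExposed(Field f) { return false; }
                };
            }
            public boolean isToStringAlwaysExposed() { return true; }
        };
    }

    // Renders a template source; a reference to a hidden member fails and yields "blocked".
    static String render(Configuration cfg, String src) throws IOException {
        try {
            StringWriter out = new StringWriter();
            Map<String, Object> model = Collections.<String, Object>singletonMap("account", new Account());
            new Template("t", new StringReader(src), cfg).process(model, out);
            return out.toString();
        } catch (TemplateException e) {
            return "blocked";
        }
    }

    public static void main(String[] args) throws IOException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        cfg.setLogTemplateExceptions(false);
        DefaultObjectWrapperBuilder b = new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_30);
        b.setMemberAccessPolicy(allowOnly(Collections.singleton(Account.class.getName() + "#getOwner")));
        cfg.setObjectWrapper(b.build());
        // Allowed getter, a getter left off the list, and the getClass() entry point.
        for (String src : new String[] {"${account.owner}", "${account.apiKey}", "${account.class.name}"}) {
            System.out.println(src + " -> " + render(cfg, src));
        }
    }
}
```

Because {{Object.getClass()}} is not on the list, a template cannot step from a data-model object to its {{Class}}, which is where the chain described in the issue begins.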
