galusben edited a comment on issue #62: add unsafe method java.security.ProtectionDomain.getClassLoader
URL: https://github.com/apache/freemarker/pull/62#issuecomment-572925085

I know it is not simple to address, but it adds a quick fix to something many are exposed to. I agree that the trust level of template authors shall be as the level of source code writers, but from the file src/main/resources/freemarker/ext/beans/unsafeMethods.properties it seems that there are some blacklisted methods. I understand that this list is not serious protection, but it will help some people that have made the mistake of trusting someone they shouldn't with a template.

Since this blog is out there, I would strongly recommend to add this method to the blacklist. There is zero cost in doing that, and the benefit can be saving someone's ass (even though this someone did not know what they were doing).

@ddekany
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

With regards,
Apache Git Services
