This is an automated email from the ASF dual-hosted git repository.

ddekany pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/freemarker-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 95e276b  Added more advice to FAQ about untrusted template authors.
95e276b is described below

commit 95e276ba7f78b61ac63c65cafa486ab1becfdd51
Author: ddekany <[email protected]>
AuthorDate: Fri May 1 16:27:42 2020 +0200

    Added more advice to FAQ about untrusted template authors.
---
 docs/app_faq.html | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/docs/app_faq.html b/docs/app_faq.html
index 3606e37..f92a80c 100644
--- a/docs/app_faq.html
+++ b/docs/app_faq.html
@@ -1707,6 +1707,28 @@ TemplateModel x = env.getVariable(&quot;x&quot;);  // 
get variable x</pre></div>
                 well behaving <code class="inline-code">ObjectWrapper</code>, 
like
                 <code class="inline-code">DefaultObjectWrapper</code>.)</p>
 
+                <p>If you are using the default object wrapper class
+                (<code 
class="inline-code">freemarker.template.DefaultObjectWrapper</code>),
+                or a subclass of it, you should disable the XML (DOM) wrapping
+                feature of it, by overriding <code 
class="inline-code">wrapDomNode(Object
+                obj)</code> so that it does this: <code 
class="inline-code">return
+                getModelFactory(obj.getClass()).create(obj, this);</code>.
+                The problem with the XML wrapping feature, which wraps
+                <code class="inline-code">org.w3c.dom.Node</code> objects on 
special way to
+                make them easier to work with in templates, is that this
+                facility by design lets template authors evaluate arbitrary
+                XPath expressions, and XPath can do too much in certain
+                setups. If you really need the XML wrapping facility, review
+                carefully what XPath expressions are possible in your setup.
+                Also, be sure you don&#39;t use the long deprecated, and more
+                dangerous <code class="inline-code">freemarker.ext.xml</code> 
package, only
+                <code class="inline-code">freemarker.ext.dom</code>. Also, 
note that when
+                using the XML wrapping feature, not allowing
+                <code class="inline-code">org.w3c.dom.Node</code> methods in 
the
+                <code class="inline-code">MemberAccessPolicy</code> has no 
effect, since it
+                doesn&#39;t expose Java <code class="inline-code">Node</code> 
members to
+                templates directly.</p>
+
                 <p>Last not least, some maybe aware of the historical
                 legacy that standard object wrappers filter out some well
                 known "unsafe" methods, like
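Review bot: the recommended override body in the new paragraph, `return getModelFactory(obj.getClass()).create(obj, this);`, is buried as inline code in the middle of a sentence, and the paragraph never states the return type or modifiers the `wrapDomNode(Object obj)` override needs; since this is FAQ text that readers will copy into a `DefaultObjectWrapper` subclass, a short code block showing the complete override would be clearer and less error-prone than the prose form. Two wording issues in the same paragraph: "wraps `org.w3c.dom.Node` objects on special way" should read "in a special way", and the "it" in "since it doesn't expose Java `Node` members to templates directly" is ambiguous between the wrapping feature and the `MemberAccessPolicy` just mentioned; naming the subject ("since the DOM wrapper doesn't expose ...") would make the point about why the `MemberAccessPolicy` cannot help here land. Two consecutive sentences also open with "Also,".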
@@ -1755,11 +1777,13 @@ TemplateModel x = env.getVariable(&quot;x&quot;);  // 
get variable x</pre></div>
                 <code class="inline-code">TemplateModel</code>, its static 
initialization
                 will be run. To avoid these, you should use a
                 <code class="inline-code">TemplateClassResolver</code> that 
restricts the
-                accessible classes (possibly based on which template asks for
-                them), such as
+                accessible classes to the absolute minimum (possibly based on
+                which template asks for them), such as
                 <code 
class="inline-code">TemplateClassResolver.ALLOWS_NOTHING_RESOLVER</code>.
-                Note that if, and only if your
-                <code class="inline-code">ObjectWrapper</code> is a
+                Do <em>not</em> use
+                <code 
class="inline-code">TemplateClassResolver.SAFER_RESOLVER</code>, it&#39;s
+                not restrictive enough for this purpose! Note that if, and
+                only if your <code class="inline-code">ObjectWrapper</code> is 
a
                 <code class="inline-code">BeansWrapper</code> or a subclass of 
it (typically
                 <code class="inline-code">DefaultObjectWrapper</code>), 
constructors not
                 allowed by the <code 
class="inline-code">MemberAccessPolicy</code> also
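Review bot: the new warning "Do not use `TemplateClassResolver.SAFER_RESOLVER`, it's not restrictive enough for this purpose!" states the conclusion but not the reason; a reader who currently relies on `SAFER_RESOLVER` needs one clause on what it still permits (or a link to its Javadoc) to judge their exposure and to understand why only `ALLOWS_NOTHING_RESOLVER` (or an equally minimal custom resolver) is adequate for untrusted authors. The sentence is also a comma splice; "`SAFER_RESOLVER`; it is not restrictive enough for this purpose" would read better. The tightening of "restricts the accessible classes" to "restricts the accessible classes to the absolute minimum" is a good change and matches the rest of the answer.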
@@ -1920,7 +1944,7 @@ TemplateModel x = env.getVariable(&quot;x&quot;);  // get 
variable x</pre></div>
     </div>
 <div class="site-footer"><div class="site-width"><div class="footer-top"><div 
class="col-left sitemap"><div class="column"><h3 
class="column-header">Overview</h3><ul><li><a 
href="https://freemarker.apache.org/";>What is FreeMarker?</a></li><li><a 
href="https://freemarker.apache.org/freemarkerdownload.html";>Download</a></li><li><a
 href="app_versions.html">Version history</a></li><li><a 
href="https://freemarker.apache.org/history.html";>About us</a></li><li><a 
itemprop="license" href="app_li [...]
 Last generated:
-<time itemprop="dateModified" datetime="2020-03-28T10:05:16Z" title="Saturday, 
March 28, 2020 10:05:16 AM GMT">2020-03-28 10:05:16 GMT</time>, for Freemarker 
2.3.30 </p>
+<time itemprop="dateModified" datetime="2020-05-01T14:24:19Z" title="Friday, 
May 1, 2020 2:24:19 PM GMT">2020-05-01 14:24:19 GMT</time>, for Freemarker 
2.3.30 </p>
 <p class="copyright">
 © <span itemprop="copyrightYear">1999</span>–2020
 <a itemtype="http://schema.org/Organization"; itemprop="copyrightHolder" 
href="https://apache.org/";>The Apache Software Foundation</a>. Apache 
FreeMarker, FreeMarker, Apache Incubator, Apache, the Apache FreeMarker logo 
are trademarks of The Apache Software Foundation. All other marks mentioned may 
be trademarks or registered trademarks of their respective owners. </p>
