ddekany edited a comment on pull request #68: URL: https://github.com/apache/freemarker/pull/68#issuecomment-647102391
To be safe by default in use cases where template authors aren't trusted, the default object wrapper would have to be extremely restrictive. You wouldn't be able to access anything but the basic functionality of Map-s, Collection-s, arrays, strings, numbers, booleans and dates. We couldn't expose anything about POJO-s (unless methods were explicitly whitelisted, or annotated as template accessible). I'm not sure if that would make sense as a default, as it's unusable in the usage pattern that FreeMarker was originally made for. (Also, as a default it would be highly backward incompatible, but that's a different topic. But it can't be on out of the box in 2.x.x for sure.)

The attacks described in said blog post don't work out of the box on FreeMarker 2.3.30, as some key methods used there were blacklisted, as they are very unlikely to be used (and can still be turned back on). Also, AFAIR, the whole attack there starts with a privilege escalation attack (not related to FreeMarker), so that users who are not supposed to can edit templates.

Anyway, I asked them to link to the relevant FAQ entry at least, to no avail.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]
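The comment above describes the restrictive setup that would be needed when template authors are untrusted: POJO members reachable only when explicitly whitelisted or annotated, and the dangerous built-ins switched off. The following is an added example (not code from the PR, from the commenter, or from the FreeMarker project) showing that configuration with the 2.3.30 public API: `TemplateClassResolver.ALLOWS_NOTHING_RESOLVER` for `?new`, `setAPIBuiltinEnabled(false)` for `?api`, and a `WhitelistMemberAccessPolicy` on the `DefaultObjectWrapperBuilder`. The `Order` class, the `untrustedAuthorsConfig` and `render` helper names, and the sample templates are assumptions made for the demo; the member-selector string format follows the 2.3.30 javadoc and should be checked against the installed version.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import freemarker.core.TemplateClassResolver;
import freemarker.ext.beans.BeansWrapper;
import freemarker.ext.beans.MemberSelectorListMemberAccessPolicy.MemberSelector;
import freemarker.ext.beans.WhitelistMemberAccessPolicy;
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;
import freemarker.template.Template;
import freemarker.template.TemplateException;

public class RestrictiveWrapperDemo {

    /** Hypothetical application POJO that templates are allowed to see only partially. */
    public static class Order {
        private final String customer;
        public Order(String customer) { this.customer = customer; }
        public String getCustomer() { return customer; }
    }

    /** Configuration intended for templates written by untrusted authors (assumed helper name). */
    static Configuration untrustedAuthorsConfig() throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);

        // ?new may not instantiate any class, whatever its name.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // ?api (raw Java API on wrapped objects) is off by default; keep it off explicitly.
        cfg.setAPIBuiltinEnabled(false);

        DefaultObjectWrapperBuilder owb = new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_30);
        // EXPOSE_SAFE is the default level; the member access policy narrows it further:
        // a member must be allowed by both. (EXPOSE_NOTHING would hide whitelisted members too.)
        owb.setExposureLevel(BeansWrapper.EXPOSE_SAFE);
        // Whitelist: only the listed members, plus members annotated with
        // @freemarker.ext.beans.TemplateAccessible, are reachable from templates.
        ClassLoader cl = RestrictiveWrapperDemo.class.getClassLoader();
        owb.setMemberAccessPolicy(new WhitelistMemberAccessPolicy(
                MemberSelector.parseMemberSelectors(
                        Arrays.asList(Order.class.getName() + ".getCustomer()"), cl)));
        cfg.setObjectWrapper(owb.build());
        return cfg;
    }

    /** Renders an in-memory template against a data model (assumed helper name). */
    static String render(Configuration cfg, String templateSource, Map<String, Object> model)
            throws Exception {
        Template t = new Template("untrusted", new StringReader(templateSource), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = untrustedAuthorsConfig();

        // Constructed sample data model.
        Map<String, Object> model = new HashMap<>();
        model.put("order", new Order("alice"));
        model.put("tags", Arrays.asList("a", "b"));

        // The whitelisted getter and plain collections/strings keep working.
        System.out.println(render(cfg, "${order.customer}: ${tags?join(',')}", model));

        // Anything outside the whitelist is invisible (getClass() here), and ?new is refused.
        String[] rejected = {
                "${order.class.name}",
                "${\"java.lang.StringBuilder\"?new()}"
        };
        for (String src : rejected) {
            try {
                render(cfg, src, model);
                System.out.println("UNEXPECTED: rendered " + src);
            } catch (TemplateException e) {
                System.out.println("blocked: " + src + " -> " + e.getMessage().split("\n")[0]);
            }
        }
    }
}
```

The whitelist is the part that makes POJO-s opaque by default: with `EXPOSE_SAFE` alone, every public getter of `Order` would be visible, and the policy only removes the well-known dangerous methods. Everything the template needs must then be listed by selector or annotated, which is exactly why the comment calls such a setup unusable as a general default.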
