[
https://issues.apache.org/jira/browse/FREEMARKER-205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17508388#comment-17508388
]
Dániel Dékány commented on FREEMARKER-205:
------------------------------------------
Because more and more users have to be redirected here, some more comments.
If this (that ProtectionDomain.getClassLoader is not blocked) is a +real+
security issue for you, then certainly you have much more security problems.
Please see this about allowing untrusted persons to edit templates:
https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security
> Vulnerable to Arbitrary Code Execution
> --------------------------------------
>
> Key: FREEMARKER-205
> URL: https://issues.apache.org/jira/browse/FREEMARKER-205
> Project: Apache Freemarker
> Issue Type: Bug
> Components: engine
> Affects Versions: 2.3.31
> Reporter: Rupesh Pal
> Priority: Critical
>
> org.freemarker:freemarker is vulnerable to arbitrary code execution. Remote
> attackers are able to inject and execute malicious scripts on the host
> machine via crafted payloads to bypass security restrictions.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)