This is an automated email from the ASF dual-hosted git repository.

ddekany pushed a commit to branch 2.3-gae
in repository https://gitbox.apache.org/repos/asf/freemarker.git


The following commit(s) were added to refs/heads/2.3-gae by this push:
     new 3018a7bd Slightly improved DefaultMemberAccessPolicy-rules (used by 
default), and unsafeMethods.properties (long deprecated, not used by default).
3018a7bd is described below

commit 3018a7bd97aab21cf108184bda62bced3077727c
Author: ddekany <[email protected]>
AuthorDate: Thu Jan 5 12:00:54 2023 +0100

    Slightly improved DefaultMemberAccessPolicy-rules (used by default), and 
unsafeMethods.properties (long deprecated, not used by default).
---
 .../freemarker/ext/beans/DefaultMemberAccessPolicy-rules      |  2 +-
 .../resources/freemarker/ext/beans/unsafeMethods.properties   |  5 +++--
 src/manual/en_US/book.xml                                     | 11 +++++++++++
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git 
a/src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules 
b/src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules
index 48001c2a..88b3c482 100644
--- a/src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules
+++ b/src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules
@@ -276,7 +276,7 @@ java.lang.Package.getAnnotations()
 java.lang.Package.getDeclaredAnnotation(java.lang.Class)
 java.lang.Package.getDeclaredAnnotationsByType(java.lang.Class)
 java.lang.Package.getDeclaredAnnotations()
-java.lang.Package.getPackages()
+# Disallowed since 2.3.32: java.lang.Package.getPackages()
 java.lang.Package.isSealed()
 java.lang.Package.isSealed(java.net.URL)
 java.lang.Package.getSpecificationTitle()
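Review bot: The replacement line records when `java.lang.Package.getPackages()` was removed from the allow-rules but not why, and in a policy file the rationale is what the next maintainer needs before re-enabling an entry. The method returns every package known to the caller's class loader, so exposing it to templates leaks what is on the classpath; a one-line reason keeps that visible: `# Disallowed since 2.3.32 (enumerates the packages visible to the caller's class loader): java.lang.Package.getPackages()`. This assumes `#` is comment syntax for this rules file, as the new line itself implies.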
diff --git a/src/main/resources/freemarker/ext/beans/unsafeMethods.properties 
b/src/main/resources/freemarker/ext/beans/unsafeMethods.properties
index a8025aff..15fbd957 100644
--- a/src/main/resources/freemarker/ext/beans/unsafeMethods.properties
+++ b/src/main/resources/freemarker/ext/beans/unsafeMethods.properties
@@ -19,7 +19,7 @@
 # It does NOT provide enough safety if template authors aren't as trusted as 
the developers; you need to use a custom
 # whitelist then (see WhitelistMemberAccessPolicy).
 
-# This is a blacklist, that is, methods mentioned here will be not be 
accessible, but everything else will be.
+# This is a blacklist, that is, methods mentioned here will not be accessible, 
but everything else will be.
 # Furthermore, overridden version of the blacklisted methods will be 
accessible (which is strange, but we kept backward
 # compatibility).
 
@@ -77,7 +77,6 @@ java.lang.ThreadGroup.resume()
 java.lang.ThreadGroup.setDaemon(boolean)
 java.lang.ThreadGroup.setMaxPriority(int)
 java.lang.ThreadGroup.stop()
-java.lang.Thread.suspend()
 
 java.lang.Runtime.addShutdownHook(java.lang.Thread)
 java.lang.Runtime.exec(java.lang.String)
@@ -104,3 +103,5 @@ java.lang.System.setOut(java.io.PrintStream)
 java.lang.System.setProperties(java.util.Properties)
 java.lang.System.setProperty(java.lang.String,java.lang.String)
 java.lang.System.setSecurityManager(java.lang.SecurityManager)
+
+java.security.ProtectionDomain.getClassLoader()
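Review bot: The new `java.security.ProtectionDomain.getClassLoader()` entry is appended without any comment, and because this file is a blacklist that, by its own header (the `# Furthermore, overridden version ...` note in the first hunk), does not cover overriding subclasses, it blocks only that exact declaring class; `ProtectionDomain` is not final, so that caveat applies to this entry. A short note next to it would make the limitation explicit: `# Only covers the exact method; overrides in subclasses remain reachable (see note at the top of the file)`. In the same file, the hunk at `@@ -77,7 +77,6 @@` drops `java.lang.Thread.suspend()` from the list, which is a loosening rather than an improvement unless the same method is still listed in the Thread section outside this view — presumably it was a duplicate misplaced among the ThreadGroup entries, but that is worth confirming.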
diff --git a/src/manual/en_US/book.xml b/src/manual/en_US/book.xml
index baef4747..e58f5462 100644
--- a/src/manual/en_US/book.xml
+++ b/src/manual/en_US/book.xml
@@ -30302,6 +30302,17 @@ TemplateModel x = env.getVariable("x");  // get 
variable x</programlisting>
               xlink:href="https://github.com/apache/freemarker/pull/82";>GitHub
               PR 82</link>)</para>
             </listitem>
+
+            <listitem>
+              <para>Slightly improved
+              <literal>DefaultMemberAccessPolicy-rules</literal> (used by
+              default), and <literal>unsafeMethods.properties</literal> (long
+              deprecated, not used by default). Note that no matter how much
+              we tweak these, they will never provide proper security if you
+              have untrusted templates! See <link
+              linkend="faq_template_uploading_security">this in the
+              FAQ</link>!</para>
+            </listitem>
           </itemizedlist>
         </section>
       </section>
