Jacques Le Roux created OFBIZ-12196:
---------------------------------------

             Summary: Update FreeMarker to 2.3.31 in R17 and R18
                 Key: OFBIZ-12196
                 URL: https://issues.apache.org/jira/browse/OFBIZ-12196
             Project: OFBiz
          Issue Type: Improvement
          Components: framework/base
    Affects Versions: Release Branch 18.12, Release Branch 17.12
            Reporter: Jacques Le Roux
            Assignee: Jacques Le Roux


That's for a (low) security reason. There are no bugs in R17 and R18, but after 
reading about FREEMARKER-124 at 
https://freemarker.apache.org/docs/versions_2_3_30.html I believe we should 
update FreeMarker to 2.3.31 in R17 and R18.

bq.   FREEMARKER-124 made the default filtering of class members more 
restrictive (when you are using BeansWrapper, or its subclasses like 
DefaultObjectWrapper). This is not strictly backward compatible, but unlikely 
to break any real-world applications; see 
src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules to see 
what was changed. This change was made for security reasons, but the default 
behavior will never be safe enough if untrusted users will edit templates; see 
in the FAQ. In the unlikely case this change breaks your application, then you 
can still use the old behavior by setting the memberAccessPolicy property of 
the object wrapper to LegacyDefaultMemberAccessPolicy.INSTANCE.

I sent this to the dev ML: https://markmail.org/message/r5yyhis5qwk53akn

bq.   After fixing OFBIZ-12195, I believe we should use FreeMarker 2.3.31 in 
all supported branches because of possible (low but who knows...) security 
issues fixed since 2.3.30.

Without answers in a week I'll do so...

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
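The quoted release note says the stricter member filtering from FREEMARKER-124 can be reverted per object wrapper by setting its memberAccessPolicy to LegacyDefaultMemberAccessPolicy.INSTANCE. The following is an added example (not OFBiz or FreeMarker project code) showing how both configurations are built with the public FreeMarker 2.3.30+ API, plus a small probe that renders a template and reports whether a member access was refused, so that existing templates can be checked after the upgrade before deciding whether the legacy opt-out is needed. It assumes freemarker 2.3.31 on the classpath; the class name MemberAccessPolicyProbe, the method names and the sample model are this example's own.

```java
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.ext.beans.LegacyDefaultMemberAccessPolicy;
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.Version;

/**
 * Added example, not OFBiz or FreeMarker code: compares the default
 * (post-FREEMARKER-124) member access policy with the legacy opt-out.
 */
public class MemberAccessPolicyProbe {

    // Assumption: FreeMarker 2.3.31 is on the classpath, so this constant exists.
    static final Version FM_VERSION = Configuration.VERSION_2_3_31;

    /** Configuration using the default, more restrictive DefaultMemberAccessPolicy. */
    static Configuration withDefaultPolicy() {
        Configuration cfg = new Configuration(FM_VERSION);
        // Not setting memberAccessPolicy keeps the 2.3.30+ default rules
        // (src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules).
        cfg.setObjectWrapper(new DefaultObjectWrapperBuilder(FM_VERSION).build());
        return cfg;
    }

    /** Configuration that reverts to the pre-2.3.30 filtering (the opt-out from the release note). */
    static Configuration withLegacyPolicy() {
        DefaultObjectWrapperBuilder builder = new DefaultObjectWrapperBuilder(FM_VERSION);
        // Only do this if the stricter default actually breaks templates you control;
        // the release note itself says this is less safe.
        builder.setMemberAccessPolicy(LegacyDefaultMemberAccessPolicy.INSTANCE);
        Configuration cfg = new Configuration(FM_VERSION);
        cfg.setObjectWrapper(builder.build());
        return cfg;
    }

    /**
     * Renders an inline template against the given model and returns either the
     * output or a "blocked: ..." marker when FreeMarker refuses a member access
     * (it surfaces as a TemplateException at process time).
     */
    static String probe(Configuration cfg, String templateSource, Map<String, Object> model) throws Exception {
        Template template = new Template("probe", templateSource, cfg);
        StringWriter out = new StringWriter();
        try {
            template.process(model, out);
            return out.toString();
        } catch (TemplateException e) {
            return "blocked: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample model: a plain Java object exposed to the template.
        Map<String, Object> model = new HashMap<>();
        model.put("user", "alice");

        // A harmless expression that must work under both policies...
        String plain = "Hello ${user}";
        // ...and a reflective one that templates written by trusted developers
        // normally never need; run it under both policies to see which refuses it.
        String reflective = "${user.class.name}";

        for (String name : new String[] {"default", "legacy"}) {
            Configuration cfg = name.equals("default") ? withDefaultPolicy() : withLegacyPolicy();
            System.out.println(name + " / plain      : " + probe(cfg, plain, model));
            System.out.println(name + " / reflective : " + probe(cfg, reflective, model));
        }
    }
}
```

The practical use is to run the templates a deployment actually ships through withDefaultPolicy() first; only a concrete breakage justifies withLegacyPolicy(), and as the quoted note stresses, neither policy makes it safe to let untrusted users author templates.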