[ https://issues.apache.org/jira/browse/OFBIZ-12196?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-12196.
-----------------------------------
    Fix Version/s: Release Branch 17.12
                   18.12.01
       Resolution: Implemented

> Update FreeMarker to 2.3.31 in R17 and R18
> ------------------------------------------
>
>                 Key: OFBIZ-12196
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12196
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework/base
>    Affects Versions: Release Branch 18.12, Release Branch 17.12
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, Release Branch 17.12
>
>
> That's for (low) security reasons. There are no bugs in R17 and R18 but after
> reading about FREEMARKER-124 at
> https://freemarker.apache.org/docs/versions_2_3_30.html I believe we should
> update FreeMarker to 2.3.31 in R17 and R18
>
> bq. FREEMARKER-124 made the default filtering of class members more
> restrictive (when you are using BeansWrapper, or its subclasses like
> DefaultObjectWrapper). This is not strictly backward compatible, but unlikely
> to break any real-world applications; see
> src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules to
> see what was changed. This change was made for security reasons, but the
> default behavior will never be safe enough if untrusted users will edit
> templates; see in the FAQ. In the unlikely case this change breaks your
> application, then you can still use the old behavior by setting the
> memberAccessPolicy property of the object wrapper to
> LegacyDefaultMemberAccessPolicy.INSTANCE.
>
> I sent this to the dev ML: https://markmail.org/message/r5yyhis5qwk53akn
>
> bq. After fixing OFBIZ-12195, I believe we should use FreeMarker 2.3.31 in
> all supported branches because of possible (low but who knows...) security
> issues fixed since 2.3.30.
>
> Without answers in a week I'll do so...

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
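The release note quoted above describes the memberAccessPolicy hook on the object wrapper: the 2.3.30+ default is the restrictive DefaultMemberAccessPolicy from FREEMARKER-124, and LegacyDefaultMemberAccessPolicy.INSTANCE is the pre-2.3.30 behaviour. The following is an added example, not OFBiz or FreeMarker project code, showing how a Configuration is built with that policy set explicitly so the choice is visible in the application rather than left implicit. It assumes FreeMarker 2.3.31 on the classpath; the Order bean, the template text and the class name are constructed for the demo.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.ext.beans.DefaultMemberAccessPolicy;
import freemarker.ext.beans.LegacyDefaultMemberAccessPolicy;
import freemarker.ext.beans.MemberAccessPolicy;
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;
import freemarker.template.Template;

/**
 * Added example (not OFBiz or FreeMarker code): a FreeMarker Configuration
 * whose object wrapper carries an explicit MemberAccessPolicy. The restrictive
 * DefaultMemberAccessPolicy is what 2.3.30+ applies by default; the legacy
 * policy is only shown so the opt-out named in the release note is visible.
 */
public final class MemberAccessPolicyExample {

    /** Plain bean exposed to the template (constructed for this demo). */
    public static final class Order {
        private final String id;
        public Order(String id) { this.id = id; }
        public String getId() { return id; }
    }

    /** Builds a Configuration; legacy=true selects the pre-2.3.30 policy. */
    public static Configuration buildConfiguration(boolean legacy) {
        // incompatibleImprovements pins the defaults to the 2.3.31 behaviour
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);

        MemberAccessPolicy policy = legacy
                ? LegacyDefaultMemberAccessPolicy.INSTANCE
                : DefaultMemberAccessPolicy.getInstance(Configuration.VERSION_2_3_31);

        DefaultObjectWrapperBuilder wrapperBuilder =
                new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_31);
        wrapperBuilder.setMemberAccessPolicy(policy);
        cfg.setObjectWrapper(wrapperBuilder.build());
        return cfg;
    }

    /** Renders template text given inline (not loaded from a template directory). */
    public static String render(Configuration cfg, String templateText, Object order)
            throws Exception {
        Template template = new Template("inline", new StringReader(templateText), cfg);
        Map<String, Object> model = new HashMap<>();
        model.put("order", order);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String tpl = "Order ${order.id}";
        // An ordinary getter on a plain bean renders under both policies; the
        // restrictive policy only blocks the members listed in
        // freemarker/ext/beans/DefaultMemberAccessPolicy-rules.
        System.out.println(render(buildConfiguration(false), tpl, new Order("A-1")));
        System.out.println(render(buildConfiguration(true), tpl, new Order("A-1")));
    }
}
```

For an upgrade like the one in this ticket, the useful check is that nothing in the code base calls setMemberAccessPolicy with LegacyDefaultMemberAccessPolicy.INSTANCE, since that single line silently restores the pre-2.3.30 filtering after the dependency bump. As the release note itself says, the default policy is a hardening of the data model, not a sandbox for templates written by untrusted users.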