[ https://issues.apache.org/jira/browse/OFBIZ-12196?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-12196.
-----------------------------------
    Fix Version/s: Release Branch 17.12
                   18.12.01
       Resolution: Implemented

> Update FreeMarker to 2.3.31 in R17 and R18
> ------------------------------------------
>
>                 Key: OFBIZ-12196
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12196
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework/base
>    Affects Versions: Release Branch 18.12, Release Branch 17.12
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, Release Branch 17.12
>
>
> That's for a (low) security reason. There are no known bugs in R17 and R18, but after 
> reading about FREEMARKER-124 at 
> https://freemarker.apache.org/docs/versions_2_3_30.html I believe we should 
> update FreeMarker to 2.3.31 in R17 and R18.
> > FREEMARKER-124 made the default filtering of class members more 
> > restrictive (when you are using BeansWrapper, or its subclasses like 
> > DefaultObjectWrapper). This is not strictly backward compatible, but unlikely 
> > to break any real-world applications; see 
> > src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules to 
> > see what was changed. This change was made for security reasons, but the 
> > default behavior will never be safe enough if untrusted users will edit 
> > templates; see in the FAQ. In the unlikely case this change breaks your 
> > application, then you can still use the old behavior by setting the 
> > memberAccessPolicy property of the object wrapper to 
> > LegacyDefaultMemberAccessPolicy.INSTANCE.
> I sent this to the dev ML: https://markmail.org/message/r5yyhis5qwk53akn
> > After fixing OFBIZ-12195, I believe we should use FreeMarker 2.3.31 in 
> > all supported branches because of possible (low, but who knows...) security 
> > issues fixed since 2.3.30.
> Without answers in a week I'll do so...



--
This message was sent by Atlassian Jira
(v8.3.4#803005)