[ https://issues.apache.org/jira/browse/OFBIZ-12594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17516649#comment-17516649 ]

ASF subversion and git services commented on OFBIZ-12594:
---------------------------------------------------------

Commit 843b1c7e71aa046dc8205cb1cdf14011ca17aaa8 in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=843b1c7e71 ]

Improved: Prevent Freemarker interpolation in fields (OFBIZ-12594)

OFBIZ-12587 is a definitive solution to prevent any kind of Freemarker exploits.
But it's hard to realise because OFBiz exposes objects, like attributes from the
Servlet scopes. So in the meantime preventing Freemarker interpolation in fields
is a pragmatic solution.

This is an improvement but needs to be backported because it kinda affects
security

Conflicts handled by hand
  SeoContextFilter.java
  ControlFilter.java

When I worked with Mathieu I did not measure how hard it would sometimes be to
backport later :/


> Prevent Freemarker interpolation in fields
> ------------------------------------------
>
>                 Key: OFBIZ-12594
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12594
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS, ALL PLUGINS
>    Affects Versions: 18.12.06, 22.01.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>
> OFBIZ-12587 is a definitive solution to prevent any kind of Freemarker 
> exploits. But it's hard to realise because OFBiz exposes objects, like 
> attributes from the Servlet scopes. So in the meantime preventing Freemarker 
> interpolation in fields is a pragmatic solution.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
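The "pragmatic solution" the commit describes is an input-side guard: a field value is refused if it carries the opening of a FreeMarker interpolation, so it can never later be parsed as template text. The class below is an added example written for this page, not OFBiz code and not the contents of the SeoContextFilter.java or ControlFilter.java changes; the class and method names are invented here, and the decision to also refuse the square-bracket interpolation opener "[=" is an assumption (it only matters for templates configured for that syntax). The servlet Filter wiring is left out so the file compiles with a plain JDK.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example, not OFBiz code: a guard that refuses request field values
 * carrying FreeMarker interpolation syntax before they can be stored and
 * later rendered as template text.
 */
public final class FreemarkerInterpolationGuard {

    // "${" opens a standard interpolation and "#{" the legacy numerical one.
    // "[=" only opens an interpolation when a template uses the square-bracket
    // interpolation syntax; refusing it too is a conservative assumption made
    // for this example (a rare legitimate value is rejected rather than missed).
    private static final Pattern INTERPOLATION_START = Pattern.compile("\\$\\{|#\\{|\\[=");

    private FreemarkerInterpolationGuard() {
    }

    /** Returns true when the value contains the start of an interpolation. */
    public static boolean containsInterpolation(String value) {
        return value != null && INTERPOLATION_START.matcher(value).find();
    }

    /**
     * Checks every value of every parameter, in the shape that
     * ServletRequest.getParameterMap() returns, and lists the parameter names
     * that must be rejected. An empty result means the request may proceed.
     */
    public static List<String> offendingParameters(Map<String, String[]> parameters) {
        List<String> offending = new ArrayList<>();
        for (Map.Entry<String, String[]> entry : parameters.entrySet()) {
            for (String value : entry.getValue()) {
                if (containsInterpolation(value)) {
                    offending.add(entry.getKey());
                    break; // one hit is enough to reject the parameter
                }
            }
        }
        return offending;
    }

    public static void main(String[] args) {
        // Constructed sample request: ordinary values beside values that would be
        // interpolated if the field were ever handed to FreeMarker as template text.
        Map<String, String[]> parameters = new LinkedHashMap<>();
        parameters.put("firstName", new String[] {"Alice"});
        parameters.put("lastName", new String[] {"O'Brien"});          // quotes alone are fine
        parameters.put("company", new String[] {"Acme ${1 + 1} Ltd"});  // standard interpolation
        parameters.put("note", new String[] {"ok", "legacy #{2 * 3}"}); // legacy interpolation
        parameters.put("tag", new String[] {"[=name]"});                // square-bracket syntax

        List<String> offending = offendingParameters(parameters);
        if (offending.isEmpty()) {
            System.out.println("request accepted");
        } else {
            // In a servlet Filter this is the point where the chain stops with a
            // 4xx response instead of calling chain.doFilter(...).
            System.out.println("request rejected, offending fields: " + offending);
        }
    }
}
```

Compile and run it with `javac FreemarkerInterpolationGuard.java && java FreemarkerInterpolationGuard`; the three parameters containing an interpolation opener are reported and the two plain ones pass. Two caveats a reviewer would want stated: the check is a denylist on a few characters, so it only helps where a stored field value could later be parsed as template source, and it does nothing for the broader exposure of servlet-scope objects to templates that the commit says OFBIZ-12587 is meant to address. Because the commit touches SeoContextFilter.java and ControlFilter.java, a request filter is the natural place for such a guard in OFBiz, but the actual filter code is not reproduced here.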