[ https://issues.apache.org/jira/browse/OFBIZ-12594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17518055#comment-17518055 ]
ASF subversion and git services commented on OFBIZ-12594:
---------------------------------------------------------

Commit b5370cbf51f9442b70ff61ed288fd442ff657ef9 in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b5370cbf51 ]

Fixed: Prevent Freemarker interpolation in fields (OFBIZ-12594)

I did not catch an issue put in by this feature because BuildBot is not running
for a few days (see INFRA-23076) and I don't always run tests locally (relying on
BuildBot and GH actions don't run tests).
This is the error Solr tests throw else:
<<Unfortunately, the stream was empty / not available. This may be caused by
another servlet filter calling ServletRequest.getParameter*() before
SolrDispatchFilter>>

Got an issue with previous commit (I guess confusion with 22.01)

> Prevent Freemarker interpolation in fields
> ------------------------------------------
>
> Key: OFBIZ-12594
> URL: https://issues.apache.org/jira/browse/OFBIZ-12594
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS, ALL PLUGINS
> Affects Versions: 18.12.06, 22.01.01
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 18.12.06, 22.01.01
>
>
> OFBIZ-12587 is a definitive solution to prevent any kind of Freemarker
> exploits. But it's hard to realise because OFBiz exposes objects, like
> attributes from the Servlet scopes. So in the meantime preventing Freemarker
> interpolation in fields is a pragmatic solution.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)