[ https://issues.apache.org/jira/browse/OFBIZ-12594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17524945#comment-17524945 ]

ASF subversion and git services commented on OFBIZ-12594:
---------------------------------------------------------

Commit aead9557982bc17705e39a11a53ae21878a4b0b6 in ofbiz-framework's branch 
refs/heads/release22.01 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=aead955798 ]

Fixed: XML Import fails due to security check (OFBIZ-12602)

When importing an entity with "${" in at least one element, it's rejected
because of the security check done to protect from Freemarker unauth attacks
(see OFBIZ-12594).

As suggested by Ingo, allowing users with appropriate permissions seems a
usable solution. We still need to define the "appropriate permissions".
We can start with OFBTOOLS and WEBTOOLS, as it's reported by Ingo, and add
others later if they ever come.

Thanks: Ingo Wolfmayr for report and suggestion


> Prevent Freemarker interpolation in fields
> ------------------------------------------
>
>                 Key: OFBIZ-12594
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12594
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS, ALL PLUGINS
>    Affects Versions: 18.12.06, 22.01.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.06, 22.01.01
>
>
> OFBIZ-12587 is a definitive solution to prevent any kind of Freemarker 
> exploits. But it's hard to realise because OFBiz exposes objects, like 
> attributes from the Servlet scopes. So in the meantime preventing Freemarker 
> interpolation in fields is a pragmatic solution.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
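The check described in the commit above, as an added illustration that is not OFBiz's own code: an import routine scans every attribute of an entity-engine XML document for the Freemarker interpolation marker "${", and a file that contains one is accepted only when the importing user holds one of the permissions the commit names (OFBTOOLS or WEBTOOLS). The class name, the way permissions are passed in, and the sample XML are assumptions made for this example; the permission names come from the commit message.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;

// Hypothetical stand-alone check, not the OFBiz implementation.
public class EntityImportCheck {

    // Permissions the commit proposes to trust for values containing "${".
    // The names are from the commit message; how a user obtains them is assumed here.
    static final Set<String> TRUSTED_PERMISSIONS = Set.of("OFBTOOLS", "WEBTOOLS");

    /** Returns "element@attribute" for every attribute whose value contains "${". */
    static List<String> findInterpolations(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Separate hardening: refuse DTDs so an untrusted import file cannot pull in external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        List<String> hits = new ArrayList<>();
        walk(doc.getDocumentElement(), hits);
        return hits;
    }

    private static void walk(Element el, List<String> hits) {
        NamedNodeMap attrs = el.getAttributes();
        for (int i = 0; i < attrs.getLength(); i++) {
            Node a = attrs.item(i);
            if (a.getNodeValue().contains("${")) {
                hits.add(el.getTagName() + "@" + a.getNodeName());
            }
        }
        for (Node c = el.getFirstChild(); c != null; c = c.getNextSibling()) {
            if (c instanceof Element) {
                walk((Element) c, hits);
            }
        }
    }

    /** A file without markers is always importable; one with markers needs a trusted permission. */
    static boolean mayImport(List<String> hits, Set<String> userPermissions) {
        if (hits.isEmpty()) {
            return true;
        }
        for (String p : userPermissions) {
            if (TRUSTED_PERMISSIONS.contains(p)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample in the shape of an entity-engine XML file; not a real OFBiz data file.
        String xml = "<entity-engine-xml>"
                + "<ProductCategory productCategoryId=\"CAT1\" description=\"Plain text\"/>"
                + "<ProductCategory productCategoryId=\"CAT2\" description=\"Price: ${productPrice}\"/>"
                + "</entity-engine-xml>";

        List<String> hits = findInterpolations(xml);
        System.out.println("attributes containing ${: " + hits); // [ProductCategory@description]

        // An ordinary user is rejected and the offending attributes are reported for the audit log.
        System.out.println("plain user may import: " + mayImport(hits, Set.of("PARTYMGR")));
        // A user holding WEBTOOLS is allowed through, as the commit proposes.
        System.out.println("webtools user may import: " + mayImport(hits, Set.of("WEBTOOLS")));
    }
}
```

Reporting the element and attribute names on rejection matters in practice: the original report in this issue was a legitimate import failing silently on the check, and a message naming the offending value is what lets an administrator tell a benign "${" in a description from a template injection attempt.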
