Criux opened a new pull request, #983: URL: https://github.com/apache/ofbiz-framework/pull/983
Improved: Allow the use of the whitelist restricted static Models in Freemarker to be globally switched off through the property freemarker.use-restricted-static-models in security.properties. (OFBIZ-13371)

Explanation: Currently in trunk and 24.09.06, all static methods (shared by the "Static" variable) in Freemarker templates need to be explicitly whitelisted so they can be called. Although this gives a lot of control over the execution context inside the Freemarker templates, it might translate to a lot of effort for existing projects that rely heavily on custom plugins to upgrade to this version without introducing breaking changes, since the maintainers or plugin authors would have to create a comprehensive list of all the fully qualified names of methods used so that it can be included in the whitelist.

For this reason, I propose to allow the whitelist to be turned off globally through a security property (enabled by default), to allow all projects to benefit from upgrading to this version but also be able to plan the effort for updating their whitelists at a more comfortable pace.

In any case, the developers that decide to go back to the unrestricted "Static" variable should be warned in a comment about the implications of their decision.
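What the switch trades off, as an added example that is not code from this pull request or from OFBiz: a FreeMarker static-models hash wrapped so that only whitelisted "Class.method" entries resolve, with the property from the description choosing between the restricted and unrestricted model. The class name, the whitelist entries and the way the property is read are assumptions; only the property name comes from the description.

```java
import freemarker.ext.beans.BeansWrapper;
import freemarker.ext.beans.BeansWrapperBuilder;
import freemarker.template.Configuration;
import freemarker.template.TemplateHashModel;
import freemarker.template.TemplateModel;
import freemarker.template.TemplateModelException;
import java.util.Properties;
import java.util.Set;

// Hypothetical sketch, not OFBiz code: gate FreeMarker's static models behind a method whitelist.
public class RestrictedStaticsDemo {
    // Constructed whitelist of "fully.qualified.Class.member" entries.
    static final Set<String> ALLOWED = Set.of("java.lang.Math.max", "java.lang.String.valueOf");

    /** Class-level view that only hands out member-filtering views of whitelisted classes. */
    static TemplateHashModel restrict(TemplateHashModel statics) {
        return new TemplateHashModel() {
            public TemplateModel get(String className) throws TemplateModelException {
                boolean known = ALLOWED.stream()
                        .anyMatch(e -> e.substring(0, e.lastIndexOf('.')).equals(className));
                if (!known) throw new TemplateModelException("Static class not whitelisted: " + className);
                TemplateHashModel cls = (TemplateHashModel) statics.get(className);
                return new TemplateHashModel() {
                    public TemplateModel get(String member) throws TemplateModelException {
                        if (!ALLOWED.contains(className + "." + member))
                            throw new TemplateModelException("Static member not whitelisted: " + className + "." + member);
                        return cls.get(member);
                    }
                    public boolean isEmpty() { return false; }
                };
            }
            public boolean isEmpty() { return false; }
        };
    }

    /** Model to expose as "Static": restricted unless the property is explicitly "false". */
    static TemplateHashModel staticsFor(Properties security) {
        BeansWrapper wrapper = new BeansWrapperBuilder(Configuration.VERSION_2_3_21).build();
        String flag = security.getProperty("freemarker.use-restricted-static-models", "true").trim();
        // Unrestricted branch: templates can reach every public static method on the classpath.
        return "false".equalsIgnoreCase(flag) ? wrapper.getStaticModels() : restrict(wrapper.getStaticModels());
    }

    public static void main(String[] args) throws Exception {
        TemplateHashModel statics = staticsFor(new Properties()); // empty stand-in for security.properties
        System.out.println(((TemplateHashModel) statics.get("java.lang.Math")).get("max") != null);
        try { statics.get("java.lang.Runtime"); } // not whitelisted, so lookup fails closed
        catch (TemplateModelException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```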
