This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit a6e8b05135f07a6c6aa383e0d0bd4226a46f9c7e
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon May 18 12:06:28 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI) (OFBIZ-11709)
Some people may want to use another TemplateClassResolver than SAFER_RESOLVER
This creates a new templateClassResolver security property and uses it in FreeMarkerWorker::makeConfiguration by default
---
 .../org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 11 ++++++++++-
 framework/security/config/security.properties | 9 +++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 6cae5aa..56b2eee 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -65,6 +65,7 @@ import freemarker.template.TemplateHashModel;
 import freemarker.template.TemplateModel;
 import freemarker.template.TemplateModelException;
 import freemarker.template.Version;
+import freemarker.template.utility.ClassUtil;
 
 /**
 * FreeMarkerWorker - Freemarker Template Engine Utilities.
@@ -126,7 +127,15 @@ public final class FreeMarkerWorker {
 } catch (TemplateException e) {
 Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, MODULE);
 }
- newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
+ String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
+ "SAFER_RESOLVER");
+ try {
+ newConfig.setNewBuiltinClassResolver((TemplateClassResolver)
+ ClassUtil.forName("freemarker.core.TemplateClassResolver" + templateClassResolver)
+ .cast(templateClassResolver));
+ } catch (ClassNotFoundException e) {
+ Debug.logError("No TemplateClassResolver." + templateClassResolver, MODULE);
+ }
 // Transforms properties file set up as key=transform name, property=transform class name
 ClassLoader loader = Thread.currentThread().getContextClassLoader();
 transformsURL(loader).forEach(url -> {
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 52fbf08..d3b32d2 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -185,3 +185,12 @@ csrf.entity.request.limit=
 # -- Use org.apache.ofbiz.security.CsrfDefenseStrategy
 # -- if you need to use a 'lax' for SameSiteCookieAttribute
 csrf.defense.strategy=
+
+
+# -- Freemarker TemplateClassResolver option, see OFBIZ-11709.
+# -- By default OFBiz uses the SAFER_RESOLVER because OOTB it does not use any of the Freemarker classes
+# -- that SAFER_RESOLVER prevents: ObjectConstructor, Execute and JythonRuntime.
+# -- If you need to use one to these classes you need to change the TemplateClassResolver
+# -- to UNRESTRICTED_RESOLVER and look at MemberAccessPolicy. In any cases better read
+# -- https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security
+templateClassResolver=
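Review bot: The resolver lookup in the new try block can never succeed: `ClassUtil.forName("freemarker.core.TemplateClassResolver" + templateClassResolver)` asks for a class literally named `freemarker.core.TemplateClassResolverSAFER_RESOLVER`, whereas the removed line shows SAFER_RESOLVER is a static constant on the `TemplateClassResolver` interface, not a class, and the subsequent `.cast(templateClassResolver)` would cast a String even if the class existed. With the shipped default every call lands in the catch, only logs, and `setNewBuiltinClassResolver` is never invoked, so the Configuration keeps FreeMarker's own default — which, as far as I recall, is the unrestricted resolver — meaning the commit silently removes the protection the deleted line provided. Map the property onto the known constants explicitly and fall back to SAFER_RESOLVER for anything unrecognised (including an empty value, since it is not visible here whether getPropertyValue substitutes the default for `templateClassResolver=`), so a typo in security.properties fails closed; the `ClassUtil` import added in the first hunk then becomes unused. makeConfiguration starts and ends outside the hunk.
```java
String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
        "SAFER_RESOLVER");
// Fail closed: only explicitly recognised resolver names widen access; anything else keeps SAFER_RESOLVER.
TemplateClassResolver resolver;
switch (templateClassResolver.trim()) {
    case "UNRESTRICTED_RESOLVER":
        resolver = TemplateClassResolver.UNRESTRICTED_RESOLVER;
        break;
    case "ALLOWS_NOTHING_RESOLVER":
        resolver = TemplateClassResolver.ALLOWS_NOTHING_RESOLVER;
        break;
    case "":
    case "SAFER_RESOLVER":
        resolver = TemplateClassResolver.SAFER_RESOLVER;
        break;
    default:
        Debug.logError("Unknown security.properties templateClassResolver '" + templateClassResolver
                + "', using SAFER_RESOLVER", MODULE);
        resolver = TemplateClassResolver.SAFER_RESOLVER;
}
newConfig.setNewBuiltinClassResolver(resolver);
// … unchanged: transforms properties loading …
```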
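Review bot: `templateClassResolver=` is shipped empty, so the effective resolver depends on whether UtilProperties.getPropertyValue treats an empty value as absent; shipping `templateClassResolver=SAFER_RESOLVER` explicitly removes that ambiguity and shows operators the exact token the Java side expects. The comment block should also list the accepted values in one place, e.g. `# -- Accepted values: SAFER_RESOLVER (default), UNRESTRICTED_RESOLVER, ALLOWS_NOTHING_RESOLVER`, and carries two small typos: `one to these` should read `one of these`, and `In any cases` should read `In any case`.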