[ofbiz-framework] branch release17.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new c7a5b22 Improved: Prevent FreeMarker Template Injection (SSTI)
c7a5b22 is described below
commit c7a5b22e0ed287cfa4073da8b0037da7567ffea6
Author: Jacques Le Roux
AuthorDate: Mon May 18 22:50:28 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI)
(OFBIZ-11709)
This commit does 2 things:
Send a correct commit comment (kind of amendment, w/o push force)
Previous code compiled but SAFER_RESOLVER is not a class but a field, better KISS
Real change:
Better style with line not too long:
---
.../java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index f6b7222..ffd16b8 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -116,7 +116,8 @@ public final class FreeMarkerWorker {
 } catch (TemplateException e) {
 Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, module);
 }
-String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver", "SAFER_RESOLVER");
+String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
+"SAFER_RESOLVER");
 switch (templateClassResolver) {
 case "UNRESTRICTED_RESOLVER":
 newConfig.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
[ofbiz-framework] branch release17.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new c502a97 Improved: Prevent FreeMarker Template Injection (SSTI)
c502a97 is described below
commit c502a978a0138b3cc1906ddd915f0b9f50c3689c
Author: Jacques Le Roux
AuthorDate: Mon May 18 13:48:31 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI)
(OFBIZ-11709)
Fixes all the conflicts previously handled by hand (no merge was possible)
---
.../ofbiz/base/util/template/FreeMarkerWorker.java | 230 -
1 file changed, 88 insertions(+), 142 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 9d6c67a..814031a 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -1,4 +1,4 @@
-/*
+/***
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
@@ -15,7 +15,7 @@
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
- */
+ ***/
 package org.apache.ofbiz.base.util.template;
 import java.io.File;
@@ -23,20 +23,18 @@ import java.io.IOException;
 import java.io.Writer;
 import java.net.URL;
 import java.util.ArrayList;
+import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
-import java.util.Objects;
 import java.util.Properties;
 import java.util.Set;
 import java.util.TimeZone;
-import java.util.stream.Stream;
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
-import org.apache.ofbiz.base.component.ComponentConfig;
 import org.apache.ofbiz.base.location.FlexibleLocation;
 import org.apache.ofbiz.base.util.Debug;
 import org.apache.ofbiz.base.util.StringUtil;
@@ -45,7 +43,6 @@ import org.apache.ofbiz.base.util.UtilMisc;
 import org.apache.ofbiz.base.util.UtilProperties;
 import org.apache.ofbiz.base.util.UtilValidate;
 import org.apache.ofbiz.base.util.cache.UtilCache;
-import org.apache.ofbiz.widget.model.ModelWidget;
 import freemarker.cache.MultiTemplateLoader;
 import freemarker.cache.StringTemplateLoader;
@@ -61,6 +58,7 @@ import freemarker.template.SimpleHash;
 import freemarker.template.SimpleScalar;
 import freemarker.template.Template;
 import freemarker.template.TemplateException;
+import freemarker.template.TemplateExceptionHandler;
 import freemarker.template.TemplateHashModel;
 import freemarker.template.TemplateModel;
 import freemarker.template.TemplateModelException;
@@ -71,28 +69,24 @@ import freemarker.template.utility.ClassUtil;
 * FreeMarkerWorker - Freemarker Template Engine Utilities.
 */
 public final class FreeMarkerWorker {
-/** The template used to retrieved Freemarker transforms from multiple component classpaths. */
-private static final String TRANSFORMS_PROPERTIES = "org/apache/ofbiz/%s/freemarkerTransforms.properties";
-private static final String MODULE = FreeMarkerWorker.class.getName();
+public static final String module = FreeMarkerWorker.class.getName();
-public static final Version VERSION = Configuration.VERSION_2_3_30;
+public static final Version version = Configuration.VERSION_2_3_28;
-private FreeMarkerWorker() { }
+private FreeMarkerWorker () {}
-// Use soft references for this so that things from Content records don't kill all of our memory,
-// or maybe not for performance reasons... hmmm, leave to config file...
-private static final UtilCache CACHED_TEMPLATES =
-UtilCache.createUtilCache("template.ftl.general", 0, 0, false);
-private static final BeansWrapper DEFAULT_OFBIZ_WRAPPER = new BeansWrapperBuilder(VERSION).build();
-private static final Configuration DEFAULT_OFBIZ_CONFIG = makeConfiguration(DEFAULT_OFBIZ_WRAPPER);
+// use soft references for this so that things from Content records don't kill all of our memory, or maybe not for performance reasons... hmmm, leave to config file...
+private static final UtilCache cachedTemplates = UtilCache.createUtilCache("template.ftl.general", 0, 0, false);
+private static final BeansWrapper defaultOfbizWrapper = new BeansWrapperBuilder(version).build();
+private static final Configuration defaultOfbizConfig =
[ofbiz-framework] branch release17.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new babd232 Improved: Prevent FreeMarker Template Injection (SSTI)
babd232 is described below
commit babd23282ee61f1b840899a3785e89da5f202131
Author: Jacques Le Roux
AuthorDate: Mon May 18 13:35:02 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI)
(OFBIZ-11709)
Some people may want to use another TemplateClassResolver than SAFER_RESOLVER
This creates a new templateClassResolver security property and uses it in FreeMarkerWorker::makeConfiguration by default
Conflicts all handled by hand (no merge possible)
---
.../ofbiz/base/util/template/FreeMarkerWorker.java | 230 +
framework/security/config/security.properties | 7 +
2 files changed, 153 insertions(+), 84 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 6c45127..9d6c67a 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -1,4 +1,4 @@
-/***
+/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
@@ -15,7 +15,7 @@
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
- ***/
+ */
 package org.apache.ofbiz.base.util.template;
 import java.io.File;
@@ -23,18 +23,20 @@ import java.io.IOException;
 import java.io.Writer;
 import java.net.URL;
 import java.util.ArrayList;
-import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Properties;
 import java.util.Set;
 import java.util.TimeZone;
+import java.util.stream.Stream;
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
+import org.apache.ofbiz.base.component.ComponentConfig;
 import org.apache.ofbiz.base.location.FlexibleLocation;
 import org.apache.ofbiz.base.util.Debug;
 import org.apache.ofbiz.base.util.StringUtil;
@@ -43,6 +45,7 @@ import org.apache.ofbiz.base.util.UtilMisc;
 import org.apache.ofbiz.base.util.UtilProperties;
 import org.apache.ofbiz.base.util.UtilValidate;
 import org.apache.ofbiz.base.util.cache.UtilCache;
+import org.apache.ofbiz.widget.model.ModelWidget;
 import freemarker.cache.MultiTemplateLoader;
 import freemarker.cache.StringTemplateLoader;
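Review bot: The second hunk adds `import org.apache.ofbiz.widget.model.ModelWidget;` to a class under framework/base, so the base module now compiles against the widget package; if base is meant to stay free of dependencies on higher-level components (the package layout suggests so, but I cannot confirm it from this hunk), that is a layering inversion that will bite anyone building or testing base on its own. The code that uses ModelWidget and ComponentConfig lies outside these import hunks, so this may be a deliberate consequence of bringing the trunk version of the file into release17.12. If it is intentional, a one-line note at the import, `// NOTE: base -> widget dependency inherited from trunk; confirm acceptable for this branch`, would stop the next reader from re-flagging it; otherwise the widget-dependent part belongs in a class outside framework/base.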
@@ -58,34 +61,38 @@ import freemarker.template.SimpleHash;
 import freemarker.template.SimpleScalar;
 import freemarker.template.Template;
 import freemarker.template.TemplateException;
-import freemarker.template.TemplateExceptionHandler;
 import freemarker.template.TemplateHashModel;
 import freemarker.template.TemplateModel;
 import freemarker.template.TemplateModelException;
 import freemarker.template.Version;
+import freemarker.template.utility.ClassUtil;
 /**
 * FreeMarkerWorker - Freemarker Template Engine Utilities.
 */
 public final class FreeMarkerWorker {
+/** The template used to retrieved Freemarker transforms from multiple component classpaths. */
+private static final String TRANSFORMS_PROPERTIES = "org/apache/ofbiz/%s/freemarkerTransforms.properties";
-public static final String module = FreeMarkerWorker.class.getName();
+private static final String MODULE = FreeMarkerWorker.class.getName();
-public static final Version version = Configuration.VERSION_2_3_28;
+public static final Version VERSION = Configuration.VERSION_2_3_30;
-private FreeMarkerWorker () {}
+private FreeMarkerWorker() { }
-// use soft references for this so that things from Content records don't kill all of our memory, or maybe not for performance reasons... hmmm, leave to config file...
-private static final UtilCache cachedTemplates = UtilCache.createUtilCache("template.ftl.general", 0, 0, false);
-private static final BeansWrapper defaultOfbizWrapper = new BeansWrapperBuilder(version).build();
-private static final Configuration defaultOfbizConfig = makeConfiguration(defaultOfbizWrapper);
+// Use soft references for this so that things from Content records don't kill all of our memory,
+// or maybe not for performance reasons... hmmm, leave to config file...
+private static final UtilCache