[ofbiz-framework] branch release17.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
 new c7a5b22  Improved: Prevent FreeMarker Template Injection (SSTI)
c7a5b22 is described below

commit c7a5b22e0ed287cfa4073da8b0037da7567ffea6
Author: Jacques Le Roux 
AuthorDate: Mon May 18 22:50:28 2020 +0200

Improved: Prevent FreeMarker Template Injection (SSTI)

(OFBIZ-11709)

This commit does 2 things:

Send a correct commit comment (kind of amendment, w/o push force)
Previous code compiled, but SAFER_RESOLVER is a field, not a class; 
better to keep it simple (KISS)

Real change:
Better style with line not too long:
---
 .../java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index f6b7222..ffd16b8 100644
--- 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -116,7 +116,8 @@ public final class FreeMarkerWorker {
 } catch (TemplateException e) {
 Debug.logError("Unable to set date/time and number formats in 
FreeMarker: " + e, module);
 }
-String templateClassResolver = 
UtilProperties.getPropertyValue("security", "templateClassResolver", 
"SAFER_RESOLVER");
+String templateClassResolver = 
UtilProperties.getPropertyValue("security", "templateClassResolver", 
+"SAFER_RESOLVER");
 switch (templateClassResolver) {
 case "UNRESTRICTED_RESOLVER":
 
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);



[ofbiz-framework] branch release17.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
 new c502a97  Improved: Prevent FreeMarker Template Injection (SSTI)
c502a97 is described below

commit c502a978a0138b3cc1906ddd915f0b9f50c3689c
Author: Jacques Le Roux 
AuthorDate: Mon May 18 13:48:31 2020 +0200

Improved: Prevent FreeMarker Template Injection (SSTI)

(OFBIZ-11709)

Fixes all the conflicts previously handled by hand (no merge was possible)
---
 .../ofbiz/base/util/template/FreeMarkerWorker.java | 230 -
 1 file changed, 88 insertions(+), 142 deletions(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 9d6c67a..814031a 100644
--- 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -1,4 +1,4 @@
-/*
+/***
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -15,7 +15,7 @@
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
- */
+ 
***/
 package org.apache.ofbiz.base.util.template;
 
 import java.io.File;
@@ -23,20 +23,18 @@ import java.io.IOException;
 import java.io.Writer;
 import java.net.URL;
 import java.util.ArrayList;
+import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
-import java.util.Objects;
 import java.util.Properties;
 import java.util.Set;
 import java.util.TimeZone;
-import java.util.stream.Stream;
 
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
 
-import org.apache.ofbiz.base.component.ComponentConfig;
 import org.apache.ofbiz.base.location.FlexibleLocation;
 import org.apache.ofbiz.base.util.Debug;
 import org.apache.ofbiz.base.util.StringUtil;
@@ -45,7 +43,6 @@ import org.apache.ofbiz.base.util.UtilMisc;
 import org.apache.ofbiz.base.util.UtilProperties;
 import org.apache.ofbiz.base.util.UtilValidate;
 import org.apache.ofbiz.base.util.cache.UtilCache;
-import org.apache.ofbiz.widget.model.ModelWidget;
 
 import freemarker.cache.MultiTemplateLoader;
 import freemarker.cache.StringTemplateLoader;
@@ -61,6 +58,7 @@ import freemarker.template.SimpleHash;
 import freemarker.template.SimpleScalar;
 import freemarker.template.Template;
 import freemarker.template.TemplateException;
+import freemarker.template.TemplateExceptionHandler;
 import freemarker.template.TemplateHashModel;
 import freemarker.template.TemplateModel;
 import freemarker.template.TemplateModelException;
@@ -71,28 +69,24 @@ import freemarker.template.utility.ClassUtil;
  * FreeMarkerWorker - Freemarker Template Engine Utilities.
  */
 public final class FreeMarkerWorker {
-/** The template used to retrieved Freemarker transforms from multiple 
component classpaths. */
-private static final String TRANSFORMS_PROPERTIES = 
"org/apache/ofbiz/%s/freemarkerTransforms.properties";
 
-private static final String MODULE = FreeMarkerWorker.class.getName();
+public static final String module = FreeMarkerWorker.class.getName();
 
-public static final Version VERSION = Configuration.VERSION_2_3_30;
+public static final Version version = Configuration.VERSION_2_3_28;
 
-private FreeMarkerWorker() { }
+private FreeMarkerWorker () {}
 
-// Use soft references for this so that things from Content records don't 
kill all of our memory,
-// or maybe not for performance reasons... hmmm, leave to config file...
-private static final UtilCache CACHED_TEMPLATES =
-UtilCache.createUtilCache("template.ftl.general", 0, 0, false);
-private static final BeansWrapper DEFAULT_OFBIZ_WRAPPER = new 
BeansWrapperBuilder(VERSION).build();
-private static final Configuration DEFAULT_OFBIZ_CONFIG = 
makeConfiguration(DEFAULT_OFBIZ_WRAPPER);
+// use soft references for this so that things from Content records don't 
kill all of our memory, or maybe not for performance reasons... hmmm, leave to 
config file...
+private static final UtilCache cachedTemplates = 
UtilCache.createUtilCache("template.ftl.general", 0, 0, false);
+private static final BeansWrapper defaultOfbizWrapper = new 
BeansWrapperBuilder(version).build();
+private static final Configuration defaultOfbizConfig = 

[ofbiz-framework] branch release17.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
 new babd232  Improved: Prevent FreeMarker Template Injection (SSTI)
babd232 is described below

commit babd23282ee61f1b840899a3785e89da5f202131
Author: Jacques Le Roux 
AuthorDate: Mon May 18 13:35:02 2020 +0200

Improved: Prevent FreeMarker Template Injection (SSTI)

(OFBIZ-11709)

Some people may want to use another TemplateClassResolver than 
SAFER_RESOLVER
This creates a new templateClassResolver security property and uses it in
FreeMarkerWorker::makeConfiguration by default

Conflicts all handled by hand (no merge possible)
---
 .../ofbiz/base/util/template/FreeMarkerWorker.java | 230 +
 framework/security/config/security.properties  |   7 +
 2 files changed, 153 insertions(+), 84 deletions(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 6c45127..9d6c67a 100644
--- 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -1,4 +1,4 @@
-/***
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -15,7 +15,7 @@
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
- 
***/
+ */
 package org.apache.ofbiz.base.util.template;
 
 import java.io.File;
@@ -23,18 +23,20 @@ import java.io.IOException;
 import java.io.Writer;
 import java.net.URL;
 import java.util.ArrayList;
-import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Properties;
 import java.util.Set;
 import java.util.TimeZone;
+import java.util.stream.Stream;
 
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
 
+import org.apache.ofbiz.base.component.ComponentConfig;
 import org.apache.ofbiz.base.location.FlexibleLocation;
 import org.apache.ofbiz.base.util.Debug;
 import org.apache.ofbiz.base.util.StringUtil;
@@ -43,6 +45,7 @@ import org.apache.ofbiz.base.util.UtilMisc;
 import org.apache.ofbiz.base.util.UtilProperties;
 import org.apache.ofbiz.base.util.UtilValidate;
 import org.apache.ofbiz.base.util.cache.UtilCache;
+import org.apache.ofbiz.widget.model.ModelWidget;
 
 import freemarker.cache.MultiTemplateLoader;
 import freemarker.cache.StringTemplateLoader;
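Review bot: The added `import org.apache.ofbiz.widget.model.ModelWidget;` makes `org.apache.ofbiz.base.util.template.FreeMarkerWorker` depend on the widget package, which inverts the usual layering (framework/base is normally the lowest layer and widget builds on top of it) and can introduce a circular build dependency on this branch. It appears to have been carried over from the trunk version of the file during the hand-resolved conflicts mentioned in the message, and the later commit c502a97 on this page drops it again, so the point is mainly to keep backports within the branch's own dependency graph. The code that would use `ModelWidget` is outside this hunk, so I cannot tell from here whether the 17.12 code path needs it at all.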
@@ -58,34 +61,38 @@ import freemarker.template.SimpleHash;
 import freemarker.template.SimpleScalar;
 import freemarker.template.Template;
 import freemarker.template.TemplateException;
-import freemarker.template.TemplateExceptionHandler;
 import freemarker.template.TemplateHashModel;
 import freemarker.template.TemplateModel;
 import freemarker.template.TemplateModelException;
 import freemarker.template.Version;
+import freemarker.template.utility.ClassUtil;
 
 /**
  * FreeMarkerWorker - Freemarker Template Engine Utilities.
  */
 public final class FreeMarkerWorker {
+/** The template used to retrieved Freemarker transforms from multiple 
component classpaths. */
+private static final String TRANSFORMS_PROPERTIES = 
"org/apache/ofbiz/%s/freemarkerTransforms.properties";
 
-public static final String module = FreeMarkerWorker.class.getName();
+private static final String MODULE = FreeMarkerWorker.class.getName();
 
-public static final Version version = Configuration.VERSION_2_3_28;
+public static final Version VERSION = Configuration.VERSION_2_3_30;
 
-private FreeMarkerWorker () {}
+private FreeMarkerWorker() { }
 
-// use soft references for this so that things from Content records don't 
kill all of our memory, or maybe not for performance reasons... hmmm, leave to 
config file...
-private static final UtilCache cachedTemplates = 
UtilCache.createUtilCache("template.ftl.general", 0, 0, false);
-private static final BeansWrapper defaultOfbizWrapper = new 
BeansWrapperBuilder(version).build();
-private static final Configuration defaultOfbizConfig = 
makeConfiguration(defaultOfbizWrapper);
+// Use soft references for this so that things from Content records don't 
kill all of our memory,
+// or maybe not for performance reasons... hmmm, leave to config file...
+private static final UtilCache