[ofbiz-framework] branch release18.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)

2020-05-18 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
 new a67508c  Improved: Prevent FreeMarker Template Injection (SSTI)
a67508c is described below

commit a67508c29c1454a07448219cfa700f71132fb248
Author: Jacques Le Roux 
AuthorDate: Mon May 18 22:51:24 2020 +0200

Improved: Prevent FreeMarker Template Injection (SSTI)

(OFBIZ-11709)

Better style with line not too long
---
 .../java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index f377e05..d8ff395 100644
--- 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -116,7 +116,8 @@ public final class FreeMarkerWorker {
 } catch (TemplateException e) {
 Debug.logError("Unable to set date/time and number formats in 
FreeMarker: " + e, module);
 }
-String templateClassResolver = 
UtilProperties.getPropertyValue("security", "templateClassResolver", 
"SAFER_RESOLVER");
+String templateClassResolver = 
UtilProperties.getPropertyValue("security", "templateClassResolver", 
+"SAFER_RESOLVER");
 switch (templateClassResolver) {
 case "UNRESTRICTED_RESOLVER":
 
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);



[ofbiz-framework] branch release18.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)

2020-05-18 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
 new 191798f  Improved: Prevent FreeMarker Template Injection (SSTI)
191798f is described below

commit 191798f3af3125c9229baee2813508be39644dfd
Author: Jacques Le Roux 
AuthorDate: Mon May 18 15:37:30 2020 +0200

Improved: Prevent FreeMarker Template Injection (SSTI)

(OFBIZ-11709)

Fixes a typo: module instead of MODULE
---
 .../java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 20765fc..f377e05 100644
--- 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -35,7 +35,6 @@ import java.util.TimeZone;
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
 
-import org.apache.ofbiz.base.component.ComponentConfig;
 import org.apache.ofbiz.base.location.FlexibleLocation;
 import org.apache.ofbiz.base.util.Debug;
 import org.apache.ofbiz.base.util.StringUtil;
@@ -129,7 +128,7 @@ public final class FreeMarkerWorker {
 
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
 break;
 default:
-Debug.logError("Not a TemplateClassResolver.", MODULE);
+Debug.logError("Not a TemplateClassResolver.", module);
 break;
 }
 // Transforms properties file set up as key=transform name, 
property=transform class name
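Review bot: The `default:` branch of the switch only logs and then leaves `newConfig` on whatever builtin class resolver FreeMarker applies when none is set (UNRESTRICTED_RESOLVER in its Configurable defaults, as far as I recall), so a misspelled `templateClassResolver` value in security.properties ends up less restrictive than the documented SAFER_RESOLVER default instead of failing closed. The message also omits the rejected value, which makes the misconfiguration hard to spot in the log. I would change the branch to `Debug.logError("Not a TemplateClassResolver: " + templateClassResolver + ", falling back to SAFER_RESOLVER", module);` followed by `newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);` before the `break;`. The same branch is visible in the `@@ -118,14 +117,20 @@` hunk of commit 07f48a3 further down this page; the enclosing makeConfiguration method starts and ends outside this hunk.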



[ofbiz-framework] branch release18.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)

2020-05-18 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
 new 07f48a3  Improved: Prevent FreeMarker Template Injection (SSTI)
07f48a3 is described below

commit 07f48a3334fcd11a1d6c8e3236887dd3b535863c
Author: Jacques Le Roux 
AuthorDate: Mon May 18 14:03:33 2020 +0200

Improved: Prevent FreeMarker Template Injection (SSTI)

(OFBIZ-11709)

Previous code compiled but the class was not found, better KISS
---
 .../ofbiz/base/util/template/FreeMarkerWorker.java | 23 +-
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 539d423..20765fc 100644
--- 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -64,7 +64,6 @@ import freemarker.template.TemplateHashModel;
 import freemarker.template.TemplateModel;
 import freemarker.template.TemplateModelException;
 import freemarker.template.Version;
-import freemarker.template.utility.ClassUtil;
 
 /**
  * FreeMarkerWorker - Freemarker Template Engine Utilities.
@@ -118,14 +117,20 @@ public final class FreeMarkerWorker {
 } catch (TemplateException e) {
 Debug.logError("Unable to set date/time and number formats in 
FreeMarker: " + e, module);
 }
-String templateClassResolver = 
UtilProperties.getPropertyValue("security", "templateClassResolver", 
-"SAFER_RESOLVER");
-try {
-newConfig.setNewBuiltinClassResolver((TemplateClassResolver) 
-ClassUtil.forName("freemarker.core.TemplateClassResolver" 
+ templateClassResolver)
-.cast(templateClassResolver));
-} catch (ClassNotFoundException e) {
-Debug.logError("No TemplateClassResolver." + 
templateClassResolver, MODULE);
+String templateClassResolver = 
UtilProperties.getPropertyValue("security", "templateClassResolver", 
"SAFER_RESOLVER");
+switch (templateClassResolver) {
+case "UNRESTRICTED_RESOLVER":
+
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
+break;
+case "SAFER_RESOLVER":
+
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
+break;
+case "ALLOWS_NOTHING_RESOLVER":
+
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
+break;
+default:
+Debug.logError("Not a TemplateClassResolver.", MODULE);
+break;
 }
 // Transforms properties file set up as key=transform name, 
property=transform class name
 ClassLoader loader = Thread.currentThread().getContextClassLoader();



[ofbiz-framework] branch release18.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)

2020-05-18 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
 new b97d6bf  Improved: Prevent FreeMarker Template Injection (SSTI)
b97d6bf is described below

commit b97d6bf1e28c1ffc062af08fc7da2769fc3672d5
Author: Jacques Le Roux 
AuthorDate: Mon May 18 12:06:28 2020 +0200

Improved: Prevent FreeMarker Template Injection (SSTI)

(OFBIZ-11709)

Some people may want to use another TemplateClassResolver than 
SAFER_RESOLVER
This creates a new templateClassResolver security property and uses it in
FreeMarkerWorker::makeConfiguration by default

Conflicts handled by hand
  framework/security/config/security.properties
---
 .../org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 11 ++-
 framework/security/config/security.properties |  7 +++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index fa368a1..539d423 100644
--- 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -64,6 +64,7 @@ import freemarker.template.TemplateHashModel;
 import freemarker.template.TemplateModel;
 import freemarker.template.TemplateModelException;
 import freemarker.template.Version;
+import freemarker.template.utility.ClassUtil;
 
 /**
  * FreeMarkerWorker - Freemarker Template Engine Utilities.
@@ -117,7 +118,15 @@ public final class FreeMarkerWorker {
 } catch (TemplateException e) {
 Debug.logError("Unable to set date/time and number formats in 
FreeMarker: " + e, module);
 }
-
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
+String templateClassResolver = 
UtilProperties.getPropertyValue("security", "templateClassResolver", 
+"SAFER_RESOLVER");
+try {
+newConfig.setNewBuiltinClassResolver((TemplateClassResolver) 
+ClassUtil.forName("freemarker.core.TemplateClassResolver" 
+ templateClassResolver)
+.cast(templateClassResolver));
+} catch (ClassNotFoundException e) {
+Debug.logError("No TemplateClassResolver." + 
templateClassResolver, MODULE);
+}
 // Transforms properties file set up as key=transform name, 
property=transform class name
 ClassLoader loader = Thread.currentThread().getContextClassLoader();
 Enumeration resources;
diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index f5d3120..fa64fa5 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -159,3 +159,10 @@ 
host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable
 # -- By default the SameSite value in SameSiteFilter is strict. This allows to 
change it to lax if needed  
 SameSiteCookieAttribute=
 
+# -- Freemarker TemplateClassResolver option, see OFBIZ-11709.
+# -- By default OFBiz uses the SAFER_RESOLVER because OOTB it does not use any 
of the Freemarker classes 
+# -- that SAFER_RESOLVER prevents: ObjectConstructor, Execute and 
JythonRuntime. 
+# -- If you need to use one to these classes you need to change the 
TemplateClassResolver
+# -- to UNRESTRICTED_RESOLVER and look at MemberAccessPolicy. In any cases 
better read 
+# -- 
https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security
+templateClassResolver=
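Review bot: The comment block above `templateClassResolver=` never states which values are accepted or what an empty value means, although the property is shipped empty and the reader has to find the fallback in FreeMarkerWorker (presumably SAFER_RESOLVER when the value is empty, via the default argument of getPropertyValue — worth confirming against UtilProperties). I would add a line such as `# -- Accepted values: UNRESTRICTED_RESOLVER, SAFER_RESOLVER (used when left empty), ALLOWS_NOTHING_RESOLVER` so an operator does not have to guess the spelling that the code expects. Two wording slips in the same comment: `one to these classes` should read `one of these classes`, and `In any cases` should read `In any case`.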