[ofbiz-framework] branch release18.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new a67508c Improved: Prevent FreeMarker Template Injection (SSTI)
a67508c is described below
commit a67508c29c1454a07448219cfa700f71132fb248
Author: Jacques Le Roux
AuthorDate: Mon May 18 22:51:24 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI)
(OFBIZ-11709)
Better style with line not too long
---
.../java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index f377e05..d8ff395 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -116,7 +116,8 @@ public final class FreeMarkerWorker {
} catch (TemplateException e) {
Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, module);
}
-String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver", "SAFER_RESOLVER");
+String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
+"SAFER_RESOLVER");
switch (templateClassResolver) {
case "UNRESTRICTED_RESOLVER":
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
[ofbiz-framework] branch release18.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 191798f Improved: Prevent FreeMarker Template Injection (SSTI)
191798f is described below
commit 191798f3af3125c9229baee2813508be39644dfd
Author: Jacques Le Roux
AuthorDate: Mon May 18 15:37:30 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI)
(OFBIZ-11709)
Fixes a typo: module instead of MODULE
---
.../java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 20765fc..f377e05 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -35,7 +35,6 @@ import java.util.TimeZone;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
-import org.apache.ofbiz.base.component.ComponentConfig;
import org.apache.ofbiz.base.location.FlexibleLocation;
import org.apache.ofbiz.base.util.Debug;
import org.apache.ofbiz.base.util.StringUtil;
@@ -129,7 +128,7 @@ public final class FreeMarkerWorker {
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
break;
default:
-Debug.logError("Not a TemplateClassResolver.", MODULE);
+Debug.logError("Not a TemplateClassResolver.", module);
break;
}
// Transforms properties file set up as key=transform name, property=transform class name
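Review bot: The `default:` branch of the new switch only logs and leaves the built-in class resolver of newConfig untouched, so a misspelled or unsupported templateClassResolver value fails open rather than safe: FreeMarker's own default for that setting is, as far as I know, UNRESTRICTED_RESOLVER, the least restrictive choice and the opposite of what the SAFER_RESOLVER fallback intends. I would set the resolver explicitly there and name the rejected value in the log, e.g. `Debug.logError("Not a TemplateClassResolver: " + templateClassResolver + ", falling back to SAFER_RESOLVER", module);` followed by `newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);` before the `break;`. The same fail-open shape is in the hunk of commit 07f48a3 that introduces the switch and in the catch block of the ClassUtil version in commit b97d6bf. The enclosing makeConfiguration method starts and ends outside the hunk.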
[ofbiz-framework] branch release18.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 07f48a3 Improved: Prevent FreeMarker Template Injection (SSTI)
07f48a3 is described below
commit 07f48a3334fcd11a1d6c8e3236887dd3b535863c
Author: Jacques Le Roux
AuthorDate: Mon May 18 14:03:33 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI)
(OFBIZ-11709)
Previous code compiled but the class was not found, better KISS
---
.../ofbiz/base/util/template/FreeMarkerWorker.java | 23 +-
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 539d423..20765fc 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -64,7 +64,6 @@ import freemarker.template.TemplateHashModel;
import freemarker.template.TemplateModel;
import freemarker.template.TemplateModelException;
import freemarker.template.Version;
-import freemarker.template.utility.ClassUtil;
/**
* FreeMarkerWorker - Freemarker Template Engine Utilities.
@@ -118,14 +117,20 @@ public final class FreeMarkerWorker {
} catch (TemplateException e) {
Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, module);
}
-String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
-"SAFER_RESOLVER");
-try {
-newConfig.setNewBuiltinClassResolver((TemplateClassResolver)
-ClassUtil.forName("freemarker.core.TemplateClassResolver" + templateClassResolver)
-.cast(templateClassResolver));
-} catch (ClassNotFoundException e) {
-Debug.logError("No TemplateClassResolver." + templateClassResolver, MODULE);
+String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver", "SAFER_RESOLVER");
+switch (templateClassResolver) {
+case "UNRESTRICTED_RESOLVER":
+ newConfig.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
+break;
+case "SAFER_RESOLVER":
+ newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
+break;
+case "ALLOWS_NOTHING_RESOLVER":
+ newConfig.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
+break;
+default:
+Debug.logError("Not a TemplateClassResolver.", MODULE);
+break;
}
// Transforms properties file set up as key=transform name, property=transform class name
ClassLoader loader = Thread.currentThread().getContextClassLoader();
[ofbiz-framework] branch release18.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new b97d6bf Improved: Prevent FreeMarker Template Injection (SSTI)
b97d6bf is described below
commit b97d6bf1e28c1ffc062af08fc7da2769fc3672d5
Author: Jacques Le Roux
AuthorDate: Mon May 18 12:06:28 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI)
(OFBIZ-11709)
Some people may want to use another TemplateClassResolver than SAFER_RESOLVER
This creates a new templateClassResolver security property and uses it in FreeMarkerWorker::makeConfiguration by default
Conflicts handled by hand
framework/security/config/security.properties
---
.../org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 11 ++-
framework/security/config/security.properties | 7 +++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index fa368a1..539d423 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -64,6 +64,7 @@ import freemarker.template.TemplateHashModel;
import freemarker.template.TemplateModel;
import freemarker.template.TemplateModelException;
import freemarker.template.Version;
+import freemarker.template.utility.ClassUtil;
/**
* FreeMarkerWorker - Freemarker Template Engine Utilities.
@@ -117,7 +118,15 @@ public final class FreeMarkerWorker {
} catch (TemplateException e) {
Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, module);
}
- newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
+String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
+"SAFER_RESOLVER");
+try {
+newConfig.setNewBuiltinClassResolver((TemplateClassResolver)
+ClassUtil.forName("freemarker.core.TemplateClassResolver" + templateClassResolver)
+.cast(templateClassResolver));
+} catch (ClassNotFoundException e) {
+Debug.logError("No TemplateClassResolver." + templateClassResolver, MODULE);
+}
// Transforms properties file set up as key=transform name, property=transform class name
ClassLoader loader = Thread.currentThread().getContextClassLoader();
Enumeration resources;
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index f5d3120..fa64fa5 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -159,3 +159,10 @@ host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable
# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed
SameSiteCookieAttribute=
+# -- Freemarker TemplateClassResolver option, see OFBIZ-11709.
+# -- By default OFBiz uses the SAFER_RESOLVER because OOTB it does not use any of the Freemarker classes
+# -- that SAFER_RESOLVER prevents: ObjectConstructor, Execute and JythonRuntime.
+# -- If you need to use one to these classes you need to change the TemplateClassResolver
+# -- to UNRESTRICTED_RESOLVER and look at MemberAccessPolicy. In any cases better read
+# -- https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security
+templateClassResolver=
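Review bot: The new comment block in security.properties never states which values templateClassResolver accepts or what the shipped empty value (`templateClassResolver=`) means; the Java side falls back to SAFER_RESOLVER only through the third argument of UtilProperties.getPropertyValue, and whether that helper treats an empty string as absent is not visible here, so it is worth confirming before relying on it. I would add, above the key, `# -- Accepted values: UNRESTRICTED_RESOLVER, SAFER_RESOLVER, ALLOWS_NOTHING_RESOLVER; empty means SAFER_RESOLVER` (the three names the switch introduced in commit 07f48a3 matches, case-sensitively). Two wording fixes in the same block: "one to these classes" should read "one of these classes" and "In any cases" should read "In any case".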