Jacques Le Roux <jacques.le.roux@les7arts.com>
committed
on 16 May
Fixed: Prevent FreeMarker Template Injection (SSTI)

(OFBIZ-11709)

Since Freemarker 2.3.17 a known solution to these issues is to register a
TemplateClassResolver in Freemarker configuration in order to limit which
TemplateModels can be instantiated in the templates. The predefined resolver
SAFER_RESOLVER doesn't allow instantiating the Execute class[4].

So the solution is to add the line

   newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);

in FreeMarkerWorker.java

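The following is an added example, not OFBiz code and not part of the commit above: a small Java probe that builds two FreeMarker configurations, one with `SAFER_RESOLVER` registered as the commit does and one with the default `UNRESTRICTED_RESOLVER`, and checks whether a template can instantiate `freemarker.template.utility.Execute` through the `?new` built-in. The probe template only instantiates the class and never calls it, so it verifies the mitigation without running anything. The class name `SaferResolverCheck`, the probe string and the use of `Configuration.VERSION_2_3_30` are assumptions of this example; any FreeMarker release from 2.3.17 onward exposes the `TemplateClassResolver` API the commit relies on.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.util.Collections;

import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

/**
 * Added example (not OFBiz code). Shows that registering SAFER_RESOLVER on a
 * FreeMarker Configuration stops templates from instantiating the Execute
 * class via the ?new built-in, which is the hardening OFBIZ-11709 applies.
 */
public class SaferResolverCheck {

    // Constructed probe template (assumption): it only tries to instantiate
    // Execute and never invokes it, so it tells us whether the resolver blocks
    // the class without executing any command.
    private static final String PROBE =
        "<#assign ex = \"freemarker.template.utility.Execute\"?new()>probe";

    /** Hardened configuration, equivalent to the line added to FreeMarkerWorker.java. */
    public static Configuration hardenedConfig() {
        // VERSION_2_3_30 is an assumption; any 2.3.17+ version works here.
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        return cfg;
    }

    /** Configuration without the fix: UNRESTRICTED_RESOLVER is FreeMarker's default. */
    public static Configuration unrestrictedConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
        return cfg;
    }

    /**
     * Returns true if a template under the given configuration can instantiate
     * freemarker.template.utility.Execute, false if the class resolver rejects it.
     */
    public static boolean canInstantiateExecute(Configuration cfg) throws IOException {
        Template template = new Template("probe", PROBE, cfg);
        try {
            template.process(Collections.emptyMap(), new StringWriter());
            return true;
        } catch (TemplateException e) {
            // SAFER_RESOLVER lands here: FreeMarker refuses to instantiate the
            // class "for security reasons" before any instance is created.
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("hardened config allows Execute?     "
            + canInstantiateExecute(hardenedConfig()));
        System.out.println("unrestricted config allows Execute? "
            + canInstantiateExecute(unrestrictedConfig()));
    }
}
```

Running the probe against both configurations is a cheap regression check to keep next to the `FreeMarkerWorker` change: if someone later reconstructs the `Configuration` without the resolver line, the hardened case starts reporting `true`. Where templates never need `?new` at all, `TemplateClassResolver.ALLOWS_NOTHING_RESOLVER` is the stricter choice, since `SAFER_RESOLVER` still allows instantiating any other `TemplateModel` class on the classpath.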