freemarker-notifications mailing list archives

From "bato (JIRA)" <>
Subject [jira] [Created] (FREEMARKER-96) StringTemplateLoader why check path security
Date Tue, 08 May 2018 00:18:00 GMT
bato created FREEMARKER-96:

             Summary: StringTemplateLoader why check path security
                 Key: FREEMARKER-96
             Project: Apache Freemarker
          Issue Type: Bug
    Affects Versions: 2.3.28
         Environment: Java 8
            Reporter: bato

When I do this:

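// Setup not shown in the report: a Configuration with the loader registered on it
Configuration cfg = new Configuration(Configuration.VERSION_2_3_28);
StringTemplateLoader stringLoader = new StringTemplateLoader();
cfg.setTemplateLoader(stringLoader);

stringLoader.putTemplate("Template1", "Hello ${user} \n");
stringLoader.putTemplate("../Template2", "Hello ${user1} ${user2}");
Template temp1 = cfg.getTemplate("Template1");
Template temp2 = cfg.getTemplate("../Template2");  // throws TemplateNotFoundException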

I will get this exception:

freemarker.template.TemplateNotFoundException: Template not found for name "../Template2".
Reason given: Backing out from the root directory is not allowed.
The name was interpreted by this TemplateLoader: StringTemplateLoader(Map { "Template1"=..., "../Template2"=... }).


I know why checking the root path is important for security, but it is StringTemplateLoader, not a file, right?


This message was sent by Atlassian JIRA

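An added example, not part of the original message and not FreeMarker's own code: a simplified model of resolving a template name as a root-relative path before any lookup, which would explain why the check reported above also applies to a map-backed loader. It assumes the name is normalized before the loader's map is consulted; the class name, `normalize` and the sample store are hypothetical and constructed for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/** Simplified model (not FreeMarker source) of root-based template name handling. */
public class RootBasedNameDemo {

    /** Resolves "." and ".." steps; rejects any name that climbs above the root. */
    static String normalize(String name) {
        Deque<String> steps = new ArrayDeque<>();
        for (String step : name.split("/")) {
            if (step.isEmpty() || step.equals(".")) {
                continue;                       // "a//b" and "a/./b" collapse to "a/b"
            }
            if (step.equals("..")) {
                if (steps.isEmpty()) {
                    throw new IllegalArgumentException(
                            "Backing out from the root directory is not allowed.");
                }
                steps.removeLast();             // "a/../b" becomes "b"
            } else {
                steps.addLast(step);
            }
        }
        return String.join("/", steps);
    }

    public static void main(String[] args) {
        // Constructed sample store standing in for the loader's Map of templates.
        Map<String, String> store = new HashMap<>();
        store.put("Template1", "Hello ${user} \n");
        store.put("../Template2", "Hello ${user1} ${user2}");   // raw key, never normalized

        for (String requested : new String[] {"Template1", "sub/../Template1", "../Template2"}) {
            try {
                String key = normalize(requested);   // assumed to run before the store lookup
                System.out.printf("%-18s -> key %-10s found=%b%n",
                        requested, key, store.containsKey(key));
            } catch (IllegalArgumentException e) {
                System.out.printf("%-18s -> rejected: %s%n", requested, e.getMessage());
            }
        }
    }
}
```

In this model the entry stored under the raw key `"../Template2"` can never be reached, because no normalized name begins with `..`; storing the template under a name that stays inside the root avoids the rejection.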