freemarker-notifications mailing list archives

From "bato (JIRA)" <j...@apache.org>
Subject [jira] [Created] (FREEMARKER-96) StringTemplateLoader why check path security
Date Tue, 08 May 2018 00:18:00 GMT
bato created FREEMARKER-96:
------------------------------

             Summary: StringTemplateLoader why check path security
                 Key: FREEMARKER-96
                 URL: https://issues.apache.org/jira/browse/FREEMARKER-96
             Project: Apache Freemarker
          Issue Type: Bug
    Affects Versions: 2.3.28
         Environment: Java 8
            Reporter: bato


When I do this:

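 // cfg is not shown in the report; assumed here to be a plain Configuration
 Configuration cfg = new Configuration(Configuration.VERSION_2_3_28);
 StringTemplateLoader stringLoader = new StringTemplateLoader();
 cfg.setTemplateLoader(stringLoader);
 // Register two templates; the second key starts with "../"
 stringLoader.putTemplate("Template1", "Hello ${user} \n");
 stringLoader.putTemplate("../Template2", "Hello ${user1} ${user2}");
 // The first lookup succeeds, the second one throws
 Template temp1 = cfg.getTemplate("Template1");
 Template temp2 = cfg.getTemplate("../Template2");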

I will get this exception:

freemarker.template.TemplateNotFoundException: Template not found for name "../Template2".
Reason given: Backing out from the root directory is not allowed.
The name was interpreted by this TemplateLoader: StringTemplateLoader(Map { "Template1"=..., "../Template2"=... }).

.......

I know why checking the root path is important for security, but this is StringTemplateLoader, not a file, right?

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
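
An added example (not part of the original message, and not FreeMarker's own code) of the behaviour in the report: `putTemplate` stores the key as given, while `getTemplate` rejects a requested name that backs out of the template root, so a key such as `../Template2` can be stored but never fetched. The class name and the `putChecked` helper are hypothetical, and its rule (no empty, `.` or `..` steps) is this example's own policy for catching such keys at registration time.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.template.Configuration;
import freemarker.template.Template;
import java.io.IOException;
import java.io.StringWriter;
import java.util.Collections;

public class StringLoaderNames {
    // Hypothetical helper: refuse keys that cannot be requested by that same name.
    // The rule (no empty, "." or ".." steps) is this example's policy.
    static void putChecked(StringTemplateLoader loader, String name, String source) {
        for (String step : name.split("/", -1)) {
            if (step.isEmpty() || step.equals(".") || step.equals("..")) {
                throw new IllegalArgumentException("Not a root-based template name: " + name);
            }
        }
        loader.putTemplate(name, source);
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_28);
        StringTemplateLoader loader = new StringTemplateLoader();
        cfg.setTemplateLoader(loader);

        // putTemplate stores the key as given; the check from the report
        // happens later, when getTemplate resolves the requested name.
        loader.putTemplate("../Template2", "Hello ${user}");
        putChecked(loader, "Template1", "Hello ${user}");
        putChecked(loader, "shared/Template2", "Hello ${user} from shared/");

        try {
            putChecked(loader, "../Template3", "unreachable");
        } catch (IllegalArgumentException e) {
            System.out.println("refused at registration: " + e.getMessage());
        }

        // Constructed sample names; the last one is the case from the report.
        for (String name : new String[] {"Template1", "shared/Template2", "../Template2"}) {
            try {
                Template t = cfg.getTemplate(name);
                StringWriter out = new StringWriter();
                t.process(Collections.singletonMap("user", "bato"), out);
                System.out.println(name + " -> " + out);
            } catch (IOException e) {
                System.out.println(name + " -> " + e.getMessage());
            }
        }
    }
}
```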
