From notifications-return-5858-archive-asf-public=cust-asf.ponee.io@freemarker.apache.org Fri Jan 18 11:25:28 2019
Return-Path:
X-Original-To: archive-asf-public@cust-asf.ponee.io
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 1683B180647 for ; Fri, 18 Jan 2019 11:25:27 +0100 (CET)
Received: (qmail 38823 invoked by uid 500); 18 Jan 2019 10:25:27 -0000
Mailing-List: contact notifications-help@freemarker.apache.org; run by ezmlm
Precedence: bulk
List-Help:
List-Unsubscribe:
List-Post:
List-Id:
Reply-To: dev@freemarker.apache.org
Delivered-To: mailing list notifications@freemarker.apache.org
Received: (qmail 38813 invoked by uid 99); 18 Jan 2019 10:25:27 -0000
Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 18 Jan 2019 10:25:27 +0000
Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id 8638E87628; Fri, 18 Jan 2019 10:25:26 +0000 (UTC)
Date: Fri, 18 Jan 2019 10:25:26 +0000
To: "notifications@freemarker.apache.org"
Subject: [freemarker-site] branch asf-site updated: Updated FAQ
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Message-ID: <154780712649.10513.11691868579332109806@gitbox.apache.org>
From: ddekany@apache.org
X-Git-Host: gitbox.apache.org
X-Git-Repo: freemarker-site
X-Git-Refname: refs/heads/asf-site
X-Git-Reftype: branch
X-Git-Oldrev: ad4200f0acc9f2187c1ab54b501378e4ab4b9b0d
X-Git-Newrev: a8a9b9bce6853bb255ad3c4de3bcec3aa7858eba
X-Git-Rev: a8a9b9bce6853bb255ad3c4de3bcec3aa7858eba
X-Git-NotificationType: ref_changed_plus_diff
X-Git-Multimail-Version: 1.5.dev
Auto-Submitted: auto-generated

This is an automated email from the ASF dual-hosted git repository.

ddekany pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/freemarker-site.git

The following commit(s) were added to refs/heads/asf-site by this push:
     new a8a9b9b  Updated FAQ
a8a9b9b is described below

commit a8a9b9bce6853bb255ad3c4de3bcec3aa7858eba
Author: ddekany
AuthorDate: Fri Jan 18 11:25:21 2019 +0100

    Updated FAQ
---
 docs/app_faq.html | 68 +++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 48 insertions(+), 20 deletions(-)

diff --git a/docs/app_faq.html b/docs/app_faq.html
index 6540017..5e36c8a 100644
--- a/docs/app_faq.html
+++ b/docs/app_faq.html
@@ -1621,37 +1621,56 @@ TemplateModel x = env.getVariable("x"); // get variable x
  • -

    Denial-of-Service (DoS) attacks: It's trivial to create - templates that run practically forever (with a loop), or - exhaust memory (by concatenating to a string in a loop). - FreeMarker can't enforce CPU or memory usage limits, so this - is something that has no solution on the - FreeMarker-level.

    -
  • - -
  • Data-model and wrapping (Configuration.setObjectWrapper): The data-model might gives access to the public Java API of some objects that you have put into the data-model. By default, for objects that aren't instances of a the bunch of specially - handler types (String, + handled types (String, Number, Boolean, Date, Map, List, array, and a few others), their - public Java API will be exposed. To avoid that, you have to - construct the data-model so that it only exposes the things - that are really necessary for the template. For that, you may - want to use SimpleObjectWrapper (via - Configuration.setObjectWrapper or the + public Java API will be exposed, including most methods + inherited from standard Java classes + (getClass(), etc.). To avoid that, you have + to construct the data-model so that it only exposes the + members that are really necessary for the template. One + possibility is using SimpleObjectWrapper + (via Configuration.setObjectWrapper or the object_wrapper setting) and then create the data-model purely from Map-s, List-s, Array-s, String-s, Number-s, Boolean-s and Date-s. - Or, you can implement your own extremely restrictive - ObjectWrapper, which for example could - expose your POJO-s safely.

    + For many application though that's too restrictive, and + instead you need to implement your own extremely restrictive + ObjectWrapper, which, for example, only + exposes those members of POJO-s that were explicitly marked to + be safe (opt-in approach).

    + +

    Also, don't forget about the ?api + built-in, if you have enabled it (it's disabled by + default). While the Java API of Map-s, + List-s and similar container-like objects + is not directly exposed by most + ObjectWrapper-s, so + someMap.someJavaMethod() won't work, using + ?api the template author can still get to + the Java API-s of these objects, like + someMap?api.someJavaMethod(). But note that + the ObjectWrapper is still in control, as + it decides what objects support ?api, and + what will ?api expose for them (it usually + exposes the same as for a generic POJO).

    + +

    Last not least, some maybe aware of that the standard + object wrappers filters out some well known + "unsafe" methods, like + System.exit. Do not ever rely on this as + your only line of defense, since it only blocks the methods + that's in a predefined list. Thus, for example, if a new Java + version adds a new problematic method, it won't be filtered + out.

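Review bot: the new ?api paragraph says the built-in is "disabled by default" but never names the switch, so a reader auditing a configuration has nothing to grep for; suggest naming the api_builtin_enabled setting (Configuration.setAPIBuiltinEnabled) where the text says "if you have enabled it". The opt-in ObjectWrapper advice in the same hunk would also benefit from one sentence noting that the wrapper is applied to every object the template reaches, including values returned from exposed methods, so the allow-list has to cover all reachable classes and not only the objects placed into the data-model. Wording in the added lines: "For many application though that's too restrictive" should read "For many applications, though, that's too restrictive"; "Last not least, some maybe aware of that the standard object wrappers filters out" should read "Last but not least, some may be aware that the standard object wrappers filter out"; "the methods that's in a predefined list" should be "the methods that are in a predefined list". Two pre-existing slips in the unchanged context of this paragraph are worth fixing in the same commit: "The data-model might gives access" ("might give") and "instances of a the bunch of specially handled types" ("a bunch of").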
  • @@ -1695,6 +1714,15 @@ TemplateModel x = env.getVariable("x"); // get variable x them), such as TemplateClassResolver.ALLOWS_NOTHING_RESOLVER.

  • + +
  • +

    Denial-of-Service (DoS) attacks: It's trivial to create + templates that run practically forever (with a loop), or + exhaust memory (by concatenating to a string in a loop). + FreeMarker can't enforce CPU or memory usage limits, so this + is something that has no solution on the + FreeMarker-level.

    +
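Review bot: moving the DoS bullet to the end of the list makes the FAQ close on "has no solution on the FreeMarker-level" without telling the reader where the solution does live; suggest adding one sentence after it saying that the limits have to be enforced by the embedding application, for example by rendering on a worker thread with a timeout and writing into a Writer that aborts once an output size cap is exceeded, so the paragraph does not read as "nothing can be done". The moved text is otherwise identical to the removed block in the first hunk, so no further change is needed here.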
@@ -1841,9 +1869,9 @@ TemplateModel x = env.getVariable("x"); // get variable x