freemarker-notifications mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] [freemarker] galusben edited a comment on issue #62: add unsafe method java.security.ProtectionDomain.getClassLoader
Date Fri, 10 Jan 2020 08:22:10 GMT
galusben edited a comment on issue #62: add unsafe method java.security.ProtectionDomain.getClassLoader
URL: https://github.com/apache/freemarker/pull/62#issuecomment-572925085

I know it is not simple to address, but it adds a quick fix to something many are exposed to. I agree that the trust level of template authors should be the same as that of source code writers, but from the file src/main/resources/freemarker/ext/beans/unsafeMethods.properties it seems that there are some blacklisted methods.

I understand that this list is not serious protection, but it will help some people who have made the mistake of trusting someone they shouldn't with a template.

Since this blog is out there, I would strongly recommend adding this method to the blacklist. There is zero cost in doing that, and the benefit can be saving someone's ass (even though this someone did not know what they were doing).

@ddekany


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
