From: GitBox
To: notifications@freemarker.apache.org
Reply-To: dev@freemarker.apache.org
Subject: [GitHub] [freemarker] galusben commented on issue #62: add unsafe method java.security.ProtectionDomain.getClassLoader
Date: Fri, 10 Jan 2020 08:21:55 -0000

galusben commented on issue #62: add unsafe method java.security.ProtectionDomain.getClassLoader
URL: https://github.com/apache/freemarker/pull/62#issuecomment-572925085

I know it is not simple to address, but it adds a quick fix to something many are exposed to. I agree that the trust level of template authors should be the same as the level of source code writers, but from the file src/main/resources/freemarker/ext/beans/unsafeMethods.properties it seems that there are some blacklisted methods. I understand that this list is not serious protection, but it will help some people who have made the mistake of trusting someone they shouldn't with a template.
Since this blog is out there, I would strongly recommend adding this method to the blacklist. There is zero cost in doing that, and the benefit can be saving someone's ass (even though this someone did not know what they were doing).
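The comment above relies on the unsafeMethods.properties blacklist. As an added example that is not part of the comment or of FreeMarker itself, the following script checks a blacklist in that file's style for the methods a team expects to be covered; it assumes the file is a Java properties file with one fully qualified method signature per key, such as java.lang.Class.getClassLoader(), and uses a constructed excerpt rather than the real file contents.

```python
# Added example (not FreeMarker's own code): parse an unsafeMethods.properties-style
# blacklist and report which expected methods it does not cover.
# Assumed format: one Java properties key per line, written as
# fully.qualified.Class.method(param,types) with no spaces.
from typing import Iterable, List, Set, Tuple

# Constructed excerpt in the assumed format (not the real file contents).
SAMPLE_UNSAFE_METHODS = """\
# Methods that are never exposed to templates
java.lang.Object.wait()
java.lang.Object.wait(long)
java.lang.Class.getClassLoader()
java.lang.Thread.getContextClassLoader()
java.lang.Runtime.exec(java.lang.String)
"""

Method = Tuple[str, str, Tuple[str, ...]]  # (class, method name, parameter types)


def parse_unsafe_methods(text: str) -> Set[str]:
    """Return the set of method signatures listed in a properties-style blacklist."""
    sigs: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank lines and properties-file comments
            continue
        # A properties key ends at the first '=' or ':'; any value is ignored here.
        key = line.split("=", 1)[0].split(":", 1)[0].strip()
        sigs.add(key.replace(" ", ""))  # normalise "wait( long )" to "wait(long)"
    return sigs


def signature(cls: str, method: str, params: Tuple[str, ...] = ()) -> str:
    """Build the blacklist key for a method, e.g. java.lang.Class.getClassLoader()."""
    return f"{cls}.{method}({','.join(params)})"


def is_blacklisted(blacklist: Set[str], cls: str, method: str,
                   params: Tuple[str, ...] = ()) -> bool:
    return signature(cls, method, params) in blacklist


def missing_from_blacklist(blacklist: Set[str], wanted: Iterable[Method]) -> List[Method]:
    """Return the expected entries that the blacklist does not contain."""
    return [w for w in wanted if not is_blacklisted(blacklist, *w)]


if __name__ == "__main__":
    bl = parse_unsafe_methods(SAMPLE_UNSAFE_METHODS)
    expected = [("java.lang.Class", "getClassLoader", ()),
                ("java.security.ProtectionDomain", "getClassLoader", ())]  # proposed in #62
    for cls, name, params in missing_from_blacklist(bl, expected):
        print("not blacklisted:", signature(cls, name, params))
```

Running the script against the constructed excerpt reports only java.security.ProtectionDomain.getClassLoader() as missing, which is the gap the comment asks to close.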