add unsafe method java.security.ProtectionDomain.getClassLoader #62
Conversation
…allows getting the classloader
|
I close this, as it's not this simple to address this problem. Anyone interested in the status of this, see this: https://issues.apache.org/jira/browse/FREEMARKER-124 |
|
I know it is not simple to address, but it adds a quick fix to something many are exposed to. I agree that the trust level of template authors shall be as the level of source code writers, but from the file src/main/resources/freemarker/ext/beans/unsafeMethods.properties it seems that there are some blacklisted methods. I understand that this list is not serious protection, but it will help some people that have made the mistake of trusting someone they shouldn't with a template. Since this blog is out there, I would strongly recommend to add this method to the blacklist. There is zero cost in doing that, and the benefit can be saving someone's ass (even tough this someone did not know what they were doing). |
|
The recipe in that blog entry won't work anymore with the next release (2.3.30). But it's addressed differently (and some other methods will become banned as well). |
|
Cool. Thanks! |
See
https://ackcent.com/blog/in-depth-freemarker-template-injection/