Posted to dev@freemarker.apache.org by Taher Alkhateeb <ta...@pythys.com.INVALID> on 2020/05/17 08:13:07 UTC

Re: Use TemplateClassResolver.SAFER_RESOLVER by default

I think it will break almost everything because most of our FTL is executing code anyways. You can try it yourself to see if it works.


On Sunday, May 17, 2020 09:41 +03, Jacques Le Roux <ja...@les7arts.com> wrote:
Hi,

After reading https://ackcent.com/blog/in-depth-freemarker-template-injection/ I wonder why we do not have TemplateClassResolver.SAFER_RESOLVER[1] used
by default, as is done for:

    The api_builtin_enabled configuration setting must be set to true. Its default is false (at least as of 2.3.22) for not lowering the security of
existing applications.[2]

Is there a reason?

Thanks

Jacques

[1] https://freemarker.apache.org/docs/api/freemarker/core/TemplateClassResolver.html#SAFER_RESOLVER
[2] https://freemarker.apache.org/docs/ref_builtins_expert.html#ref_buitin_api_and_has_api
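The two settings discussed in this thread, shown side by side in a small Java program. This is an added example written for this archive page, not code from OFBiz or from the FreeMarker project; it assumes FreeMarker 2.3.30 on the classpath and uses two constructed templates (one that instantiates freemarker.template.utility.Execute through ?new, one that reaches the raw Java object through ?api) to show what the historical defaults allow and what SAFER_RESOLVER plus api_builtin_enabled=false blocks.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

public class SaferResolverDemo {

    // Constructed attacker-style template: builds an Execute instance with ?new and runs a command.
    private static final String EXEC_TEMPLATE =
            "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}";

    // Constructed template: ?api unwraps the adapter and exposes the underlying java.util.List.
    private static final String API_TEMPLATE = "${users?api.getClass().getName()}";

    /** Builds a Configuration with either the historical defaults or the hardened settings. */
    static Configuration newConfig(boolean hardened) {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("exec.ftl", EXEC_TEMPLATE);
        loader.putTemplate("api.ftl", API_TEMPLATE);
        cfg.setTemplateLoader(loader);
        if (hardened) {
            // SAFER_RESOLVER refuses ?new on ObjectConstructor, Execute and JythonRuntime.
            cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
            // false is already the default since 2.3.22; set it explicitly so it cannot drift.
            cfg.setAPIBuiltinEnabled(false);
        } else {
            // The historical default: any class on the classpath can be instantiated with ?new.
            cfg.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
            cfg.setAPIBuiltinEnabled(true);
        }
        return cfg;
    }

    /** Renders one template and returns its output, or the error that stopped it. */
    static String render(Configuration cfg, String name) {
        Map<String, Object> model = new HashMap<>();
        model.put("users", Arrays.asList("alice", "bob")); // wrapped as a DefaultListAdapter
        try {
            Template t = cfg.getTemplate(name);
            StringWriter out = new StringWriter();
            t.process(model, out);
            return "RENDERED: " + out.toString().trim();
        } catch (TemplateException e) {
            // With SAFER_RESOLVER, ?new on Execute fails here; with api_builtin_enabled=false, ?api fails here.
            return "BLOCKED: " + e.getMessage();
        } catch (IOException e) {
            return "IO ERROR: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        for (boolean hardened : new boolean[] { false, true }) {
            Configuration cfg = newConfig(hardened);
            System.out.println(hardened ? "[SAFER_RESOLVER + api_builtin_enabled=false]" : "[historical defaults]");
            System.out.println("  exec.ftl -> " + render(cfg, "exec.ftl"));
            System.out.println("  api.ftl  -> " + render(cfg, "api.ftl"));
        }
    }
}
```

With the historical defaults the first template runs `id` on the host and the second prints the underlying list class; with the hardened configuration both templates stop with a TemplateException before anything executes. Taher's point in the reply above is the practical cost: any existing FTL that legitimately relies on ?new for those classes, or on ?api, breaks in exactly the same way, which is why the change has to be tested against the whole template set rather than flipped globally.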