Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2022/04/04 07:21:00 UTC

[jira] (OFBIZ-12594) Prevent Freemarker interpolation in fields

    [ https://issues.apache.org/jira/browse/OFBIZ-12594 ]


    Jacques Le Roux deleted comment on OFBIZ-12594:
    -----------------------------------------

was (Author: jacques.le.roux):
Due to INFRA-22843 the trunk commit is in OFBIZ-12587, I don't copy it here :/

> Prevent Freemarker interpolation in fields
> ------------------------------------------
>
>                 Key: OFBIZ-12594
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12594
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS, ALL PLUGINS
>    Affects Versions: 18.12.06, 22.01.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>
> OFBIZ-12587 is a definitive solution to prevent any kind of Freemarker exploits. But it's hard to realise because OFBiz exposes objects, like attributes from the Servlet scopes. So in the meantime preventing Freemarker interpolation in fields is a pragmatic solution.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)