<!doctype html>
<!-- Generated by FreeMarker/Docgen from DocBook -->
<html lang="en" class="page-type-section">
<head prefix="og: http://ogp.me/ns#">
<meta charset="utf-8">
<title>2.3.19 - Apache FreeMarker Manual</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="format-detection" content="telephone=no">
<meta property="og:site_name" content="Apache FreeMarker Manual">
<meta property="og:title" content="2.3.19">
<meta property="og:locale" content="en_US">
<meta property="og:url" content="https://freemarker.apache.org/docs/versions_2_3_19.html">
<link rel="canonical" href="https://freemarker.apache.org/docs/versions_2_3_19.html">
<link rel="icon" href="favicon.png" type="image/png">
<link rel="stylesheet" type="text/css" href="https://fonts.googleapis.com/css?family=Roboto:500,700,400,300|Droid+Sans+Mono">
<link rel="stylesheet" type="text/css" href="docgen-resources/docgen.min.css?1707770044859">
</head>
<body itemscope itemtype="https://schema.org/Code">
<meta itemprop="url" content="https://freemarker.apache.org/docs/">
<meta itemprop="name" content="Apache FreeMarker Manual">
<div class="main-content site-width">
<div class="content-wrapper">
<div class="col-right"><div class="page-content"><div class="page-title"><div class="title-wrapper">
<h1 class="content-header header-section1" id="versions_2_3_19" itemprop="headline">2.3.19</h1>
</div></div><p>Date of release: 2012-02-29</p><p>Don&#39;t miss the <a href="#v2319secfix">security related
changes</a>, they may affect your application!</p>
<h2 class="content-header header-section2" id="autoid_185">Changes on the FTL side</h2>
<ul>
<li>
<p><em>Attention</em>: The output of the <a href="ref_builtins_date.html#ref_builtin_date_iso">ISO 8601 date/time formatting
built-ins</a>, introduced in 2.3.17, was slightly changed.
From now on, the time zone offset, when it&#39;s displayed and it
isn&#39;t <code class="inline-code">Z</code>, always includes the minutes. For
example, <code class="inline-code">15:30:15+02</code> becomes
<code class="inline-code">15:30:15+02:00</code> in the template output. Both
formats are valid according to ISO 8601 (so anything that
expects ISO 8601 date/times should continue working), but only
the latter format complies with the XML Schema date/time formats,
hence this change.</p>
</li>
<li>
<p>New built-in for escaping inside JSON string literals:
<a href="ref_builtins_string.html#ref_builtin_json_string"><code>json_string</code></a>.</p>
</li>
<li>
<p>Bugfix: Wrong <code class="inline-code">#</code> tags were printed as
static text instead of causing a parse error if there was no
correct <code class="inline-code">#</code> tag earlier in the same template.
Since fixing this would not be 100% backward compatible, the old
behavior remains unless you set the
<code class="inline-code">incompatible_enhancements</code> setting
(<code class="inline-code">Configuration.setIncompatibleEnhancements(String)</code>)
to <code class="inline-code">&quot;2.3.19&quot;</code> or higher.</p>
</li>
</ul>
<h2 class="content-header header-section2" id="autoid_186">Changes on the Java side</h2>
<ul>
<li>
<p><a name="v2319secfix"></a><em>Attention</em>: This
release contains two important security workarounds that
unavoidably make it obvious how some applications can be
exploited. <em>FreeMarker can&#39;t solve these issues on all
configurations, so please read the details instead of just
updating FreeMarker!</em> Also, these changes are not 100%
backward compatible in theory, however it&#39;s not probable that
they will break anything. The two changes are:</p>
<ul>
<li>
<p>The character with character code 0
(<code class="inline-code">\u0000</code>) is not allowed in template paths
anymore. When a path contains it, FreeMarker behaves as if
the template was not found.</p>
<p>This fixes the security problem where a template
path like <code class="inline-code">&quot;secret.txt\u0000.ftl&quot;</code> is used
to bypass extension filtering in an application. FreeMarker
itself doesn&#39;t care about the extension, but some
applications decide based on the extension whether they will
delegate a path to FreeMarker. When they do so with such a
path, the C/C++ implementation behind the storage mechanism
may see the path as <code class="inline-code">&quot;secret.txt&quot;</code>, as the
0 terminates the string in C/C++, and thus load a non-FTL
file as a template, returning the file contents to the
attacker.</p>
<p>Note that some HTTP servers, notably Tomcat and the
Apache HTTP Server, block URLs that contain 0
(<code class="inline-code">%00</code>) outside the query string, so this
wasn&#39;t exploitable there through such web URLs. Some other
HTTP servers, like Jetty, don&#39;t block such
URLs.</p>
</li>
<li>
<p><code class="inline-code">ClassTemplateLoader</code>, when it&#39;s
created with base path <code class="inline-code">&quot;/&quot;</code> (as with
<code class="inline-code">new ClassTemplateLoader(someClass, &quot;/&quot;)</code>),
no longer allows template paths that contain a colon earlier
than any <code class="inline-code">/</code>, and acts as if the
template was not found in such a case.</p>
<p>This fixes the security problem where a template
path like <code class="inline-code">&quot;file:/etc/secret&quot;</code> or
<code class="inline-code">&quot;http://example.com/malware.ftl&quot;</code> is
interpreted as a full URL by a
<code class="inline-code">java.net.URLClassLoader</code> in the
class-loader hierarchy, which allows loading files from
those URLs as templates. This is a quirk (or bug) of
<code class="inline-code">java.net.URLClassLoader</code>, so the
problem only exists on systems that use such
class-loaders.</p>
<p>Beware, some frameworks use their own
<code class="inline-code">TemplateLoader</code> implementations, and if
those are vulnerable, they will remain so after updating
FreeMarker too! Note that this exploit only works if the
class-loader hierarchy contains a
<code class="inline-code">URLClassLoader</code> and the class-loader is
used to load templates without adding any prefix before the
template path (other than <code class="inline-code">&quot;/&quot;</code>).</p>
</li>
</ul>
<p>These security issues mostly only affect applications
<em>where the user (the visitor) can supply arbitrary
template paths to the application</em>. This is not the
case with properly built MVC applications, as there only the MVC
Controller can be addressed directly, and it&#39;s the Controller
that specifies the template paths. But legacy MVC applications
based on <a href="pgui_misc_servlet.html#pgui_misc_servlet_model2">JSP
Model-2</a> often expose the MVC Views as public URLs ending
with <code class="inline-code">.ftl</code>, thus allowing the user to give
arbitrary paths to FreeMarker. Such applications should be
secured with a <code class="inline-code">security-constraint</code> in
<code class="inline-code">web.xml</code> as shown in the <a href="pgui_misc_servlet.html#pgui_misc_servlet_model2">related Manual
section</a>. This should be done regardless of the current
security fixes.</p>
<p>In general, you should not allow users to specify
arbitrary template paths, or if you do allow that, you should be
extra careful with the <code class="inline-code">TemplateLoader</code>
used.</p>
</li>
<li>
<p><code class="inline-code">Configuration</code> has new
<code class="inline-code">removeTemplateFromCache(...)</code> methods. They
remove the given template for the given locale from the cache,
so it will be re-loaded the next time it&#39;s requested, regardless
of the template update delay.</p>
</li>
<li>
<p><code class="inline-code">BeansWrapper</code> now ignores setter methods
when introspecting classes. They weren&#39;t used anyway,
so they unnecessarily caused
&quot;<code class="inline-code">java.beans.IntrospectionException</code>: type
mismatch between read and write methods&quot; errors.</p>
</li>
<li>
<p><code class="inline-code">TemplateClassResolver.SAFER_RESOLVER</code>
now disallows creating
<code class="inline-code">freemarker.template.utility.JythonRuntime</code> and
<code class="inline-code">freemarker.template.utility.Execute</code>. This
change affects the behavior of the <a href="ref_builtins_expert.html#ref_builtin_new"><code>new</code> built-in</a>
only if FreeMarker was configured to use
<code class="inline-code">SAFER_RESOLVER</code>, which is not the default
before 2.4, so it&#39;s unlikely to affect existing applications.</p>
</li>
<li>
<p>Bug fixed: Calling varargs methods now indeed works.
(Earlier it only worked for overloaded methods.)</p>
</li>
<li>
<p>Bug fixed <a href="https://sourceforge.net/tracker/index.php?func=detail&amp;aid=1837697&amp;group_id=794&amp;atid=100794">[1837697]</a>
<a href="https://sourceforge.net/tracker/index.php?func=detail&amp;aid=2831150&amp;group_id=794&amp;atid=100794">[2831150]</a>
<a href="https://sourceforge.net/tracker/index.php?func=detail&amp;aid=3039096&amp;group_id=794&amp;atid=100794">[3039096]</a>
<a href="https://sourceforge.net/tracker/index.php?func=detail&amp;aid=3165425&amp;group_id=794&amp;atid=100794">[3165425]</a>:
Jython support now works with Jython 2.2 and 2.5.</p>
</li>
<li>
<p>Bug fixed <a href="https://sourceforge.net/tracker/index.php?func=detail&amp;aid=3325103&amp;group_id=794&amp;atid=100794">[3325103]</a>:
<code class="inline-code">TemplateException</code>-s and
<code class="inline-code">ParseException</code>-s are now serializable.</p>
</li>
</ul>
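<p>The two workarounds above are applied inside FreeMarker&#39;s own loaders, so a framework that ships its own <code class="inline-code">TemplateLoader</code> stays exposed. What follows is an added example, not code from the FreeMarker project or this manual: a wrapping loader that applies the same two checks (no character 0, no colon before the first <code class="inline-code">/</code>) in front of any delegate, plus an extension allow-list that goes slightly beyond the page, since the first workaround exists precisely because applications route on the extension. The class name <code class="inline-code">SafeTemplateLoader</code>, the base path <code class="inline-code">&quot;/templates&quot;</code> and the <code class="inline-code">configure</code> helper are assumptions; the FreeMarker calls used (the <code class="inline-code">TemplateLoader</code> interface, <code class="inline-code">ClassTemplateLoader(Class, String)</code>, <code class="inline-code">setIncompatibleEnhancements</code>, and <code class="inline-code">setNewBuiltinClassResolver</code> with <code class="inline-code">SAFER_RESOLVER</code>) are the 2.3.x API named on this page.</p>

```java
import java.io.IOException;
import java.io.Reader;

import freemarker.cache.ClassTemplateLoader;
import freemarker.cache.TemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;

/**
 * Hypothetical defensive wrapper (not part of FreeMarker): rejects the template
 * names that the 2.3.19 workarounds reject, regardless of which loader sits behind it.
 */
public final class SafeTemplateLoader implements TemplateLoader {

    private final TemplateLoader delegate;
    /** Required suffix such as ".ftl"; null disables the extension check. */
    private final String requiredExtension;

    public SafeTemplateLoader(TemplateLoader delegate, String requiredExtension) {
        this.delegate = delegate;
        this.requiredExtension = requiredExtension;
    }

    /** The name checks, kept separate so they can be unit-tested on their own. */
    static boolean isSafeName(String name, String requiredExtension) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        // Workaround 1: character 0 terminates the string in C/C++ code behind the
        // storage, so "secret.txt" + NUL + ".ftl" could pass an extension filter yet
        // load secret.txt. Reject the name outright.
        if (name.indexOf('\0') >= 0) {
            return false;
        }
        // Workaround 2: a colon before the first '/' reads as a URL scheme to
        // java.net.URLClassLoader ("file:/etc/secret", "http://host/x.ftl").
        int colon = name.indexOf(':');
        int slash = name.indexOf('/');
        if (colon >= 0 && (slash < 0 || colon < slash)) {
            return false;
        }
        // Extra: enforce the extension at the loader, after the NUL check, so a
        // routing filter elsewhere in the application is not the only line of defence.
        if (requiredExtension != null && !name.endsWith(requiredExtension)) {
            return false;
        }
        return true;
    }

    @Override
    public Object findTemplateSource(String name) throws IOException {
        if (!isSafeName(name, requiredExtension)) {
            return null; // null means "template not found", as in the built-in loaders
        }
        return delegate.findTemplateSource(name);
    }

    @Override
    public long getLastModified(Object templateSource) {
        return delegate.getLastModified(templateSource);
    }

    @Override
    public Reader getReader(Object templateSource, String encoding) throws IOException {
        return delegate.getReader(templateSource, encoding);
    }

    @Override
    public void closeTemplateSource(Object templateSource) throws IOException {
        delegate.closeTemplateSource(templateSource);
    }

    /**
     * Example wiring (assumed): a non-root base path already defeats the URL-scheme
     * trick per the text above; the wrapper adds the checks for any other delegate.
     */
    public static Configuration configure(Class<?> resourceOwner) {
        Configuration cfg = new Configuration();
        cfg.setIncompatibleEnhancements("2.3.19");
        cfg.setTemplateLoader(new SafeTemplateLoader(
                new ClassTemplateLoader(resourceOwner, "/templates"), ".ftl"));
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        return cfg;
    }
}
```

<p>Returning <code class="inline-code">null</code> from <code class="inline-code">findTemplateSource</code> is what the built-in loaders do for a rejected name, so callers observe the same &quot;template not found&quot; outcome as with the 2.3.19 workarounds rather than an exception that leaks why the name was refused. Wrapping cannot repair a delegate whose own resolution logic is unsafe, but it does keep these two classes of name from ever reaching it, which is the point the &quot;Beware&quot; paragraph above makes about framework-specific loaders.</p>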
</div></div> </div>
</div>
<div class="site-footer"><div class="site-width"><div class="footer-bottom"> <p class="last-generated">
Last generated:
<time itemprop="dateModified" datetime="2024-02-12T20:34:04Z" title="Monday, February 12, 2024 at 8:34:04 PM Greenwich Mean Time">2024-02-12 20:34:04 GMT</time>, for Freemarker 2.3.32 </p>
<p class="copyright">
© <span itemprop="copyrightYear">1999</span>–2024
<a itemtype="http://schema.org/Organization" itemprop="copyrightHolder" href="https://apache.org/">The Apache Software Foundation</a>. Apache FreeMarker, FreeMarker, Apache Incubator, Apache, the Apache FreeMarker logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners. </p>
</div></div></div></body>
</html>