commit 3018a7bd97aab21cf108184bda62bced3077727c
author ddekany <ddekany@apache.org> Thu Jan 05 12:00:54 2023 +0100
committer ddekany <ddekany@apache.org> Thu Jan 05 12:03:04 2023 +0100
tree 247bede65c808e0b1614d61b99009fc51bf31282
parent 7aebdda3d9f7b1215b6f6f6afa366bb668e42285

Slightly improved DefaultMemberAccessPolicy-rules (used by default), and unsafeMethods.properties (long deprecated, not used by default).

src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules

diff --git a/src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules b/src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules
index 48001c2..88b3c48 100644
--- a/src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules
+++ b/src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules
@@ -276,7 +276,7 @@
 java.lang.Package.getDeclaredAnnotation(java.lang.Class)
 java.lang.Package.getDeclaredAnnotationsByType(java.lang.Class)
 java.lang.Package.getDeclaredAnnotations()
-java.lang.Package.getPackages()
+# Disallowed since 2.3.32: java.lang.Package.getPackages()
 java.lang.Package.isSealed()
 java.lang.Package.isSealed(java.net.URL)
 java.lang.Package.getSpecificationTitle()

src/main/resources/freemarker/ext/beans/unsafeMethods.properties

diff --git a/src/main/resources/freemarker/ext/beans/unsafeMethods.properties b/src/main/resources/freemarker/ext/beans/unsafeMethods.properties
index a8025af..15fbd95 100644
--- a/src/main/resources/freemarker/ext/beans/unsafeMethods.properties
+++ b/src/main/resources/freemarker/ext/beans/unsafeMethods.properties
@@ -19,7 +19,7 @@
 # It does NOT provide enough safety if template authors aren't as trusted as the developers; you need to use a custom
 # whitelist then (see WhitelistMemberAccessPolicy).
 
-# This is a blacklist, that is, methods mentioned here will be not be accessible, but everything else will be.
+# This is a blacklist, that is, methods mentioned here will not be accessible, but everything else will be.
 # Furthermore, overridden version of the blacklisted methods will be accessible (which is strange, but we kept backward
 # compatibility).
 
@@ -77,7 +77,6 @@
 java.lang.ThreadGroup.setDaemon(boolean)
 java.lang.ThreadGroup.setMaxPriority(int)
 java.lang.ThreadGroup.stop()
-java.lang.Thread.suspend()
 
 java.lang.Runtime.addShutdownHook(java.lang.Thread)
 java.lang.Runtime.exec(java.lang.String)
@@ -104,3 +103,5 @@
 java.lang.System.setProperties(java.util.Properties)
 java.lang.System.setProperty(java.lang.String,java.lang.String)
 java.lang.System.setSecurityManager(java.lang.SecurityManager)
+
+java.security.ProtectionDomain.getClassLoader()

src/manual/en_US/book.xml

diff --git a/src/manual/en_US/book.xml b/src/manual/en_US/book.xml
index baef474..e58f546 100644
--- a/src/manual/en_US/book.xml
+++ b/src/manual/en_US/book.xml
@@ -30302,6 +30302,17 @@
               xlink:href="https://github.com/apache/freemarker/pull/82">GitHub
               PR 82</link>)</para>
             </listitem>
+
+            <listitem>
+              <para>Slightly improved
+              <literal>DefaultMemberAccessPolicy-rules</literal> (used by
+              default), and <literal>unsafeMethods.properties</literal> (long
+              deprecated, not used by default). Note that no matter how much
+              we tweak these, they will never provide proper security if you
+              have untrusted templates! See <link
+              linkend="faq_template_uploading_security">this in the
+              FAQ</link>!</para>
+            </listitem>
           </itemizedlist>
         </section>
       </section>