Slightly improved DefaultMemberAccessPolicy-rules (used by default), and unsafeMethods.properties (long deprecated, not used by default).
diff --git a/src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules b/src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules
index 48001c2..88b3c48 100644
--- a/src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules
+++ b/src/main/resources/freemarker/ext/beans/DefaultMemberAccessPolicy-rules
@@ -276,7 +276,7 @@
java.lang.Package.getDeclaredAnnotation(java.lang.Class)
java.lang.Package.getDeclaredAnnotationsByType(java.lang.Class)
java.lang.Package.getDeclaredAnnotations()
-java.lang.Package.getPackages()
+# Disallowed since 2.3.32: java.lang.Package.getPackages()
java.lang.Package.isSealed()
java.lang.Package.isSealed(java.net.URL)
java.lang.Package.getSpecificationTitle()
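Review bot: The comment that replaces the `java.lang.Package.getPackages()` entry records the version but not the reason, so a later maintainer cannot judge whether re-enabling it is safe. I would spell the reason out, e.g. `# Disallowed since 2.3.32 (static; enumerates every package known to the caller's class loader): java.lang.Package.getPackages()`. The `unsafeMethods.properties` hunks in this commit do not add the same method, so setups still on the legacy blacklist presumably keep exposing it, unless it is already listed outside the visible lines.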
diff --git a/src/main/resources/freemarker/ext/beans/unsafeMethods.properties b/src/main/resources/freemarker/ext/beans/unsafeMethods.properties
index a8025af..15fbd95 100644
--- a/src/main/resources/freemarker/ext/beans/unsafeMethods.properties
+++ b/src/main/resources/freemarker/ext/beans/unsafeMethods.properties
@@ -19,7 +19,7 @@
# It does NOT provide enough safety if template authors aren't as trusted as the developers; you need to use a custom
# whitelist then (see WhitelistMemberAccessPolicy).
-# This is a blacklist, that is, methods mentioned here will be not be accessible, but everything else will be.
+# This is a blacklist, that is, methods mentioned here will not be accessible, but everything else will be.
# Furthermore, overridden version of the blacklisted methods will be accessible (which is strange, but we kept backward
# compatibility).
@@ -77,7 +77,6 @@
java.lang.ThreadGroup.setDaemon(boolean)
java.lang.ThreadGroup.setMaxPriority(int)
java.lang.ThreadGroup.stop()
-java.lang.Thread.suspend()
java.lang.Runtime.addShutdownHook(java.lang.Thread)
java.lang.Runtime.exec(java.lang.String)
@@ -104,3 +103,5 @@
java.lang.System.setProperties(java.util.Properties)
java.lang.System.setProperty(java.lang.String,java.lang.String)
java.lang.System.setSecurityManager(java.lang.SecurityManager)
+
+java.security.ProtectionDomain.getClassLoader()
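Review bot: The new `java.security.ProtectionDomain.getClassLoader()` entry is appended after a blank line with no comment saying why it is blocked or when it was added. A one-line header such as `# Added in 2.3.32: would hand a ClassLoader to the template` would make the intent auditable. As the file's own header says, this blacklist matches the declaring class only, so an overriding subclass method would still be reachable; that limit is worth restating next to security-motivated additions like this one. Separately, the hunk at `-77` drops `java.lang.Thread.suspend()` from the list, which in a blacklist widens access unless the same signature is still listed elsewhere in the file; the visible lines do not show whether it is.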
diff --git a/src/manual/en_US/book.xml b/src/manual/en_US/book.xml
index baef474..e58f546 100644
--- a/src/manual/en_US/book.xml
+++ b/src/manual/en_US/book.xml
@@ -30302,6 +30302,17 @@
xlink:href="https://github.com/apache/freemarker/pull/82">GitHub
PR 82</link>)</para>
</listitem>
+
+ <listitem>
+ <para>Slightly improved
+ <literal>DefaultMemberAccessPolicy-rules</literal> (used by
+ default), and <literal>unsafeMethods.properties</literal> (long
+ deprecated, not used by default). Note that no matter how much
+ we tweak these, they will never provide proper security if you
+ have untrusted templates! See <link
+ linkend="faq_template_uploading_security">this in the
+ FAQ</link>!</para>
+ </listitem>
</itemizedlist>
</section>
</section>