commit | 343d24f27b1790701225711491e967bd3e2111c8 | |
---|---|---|
author | Serge Huber <shuber@jahia.com> | Thu Aug 20 15:07:40 2020 +0200 |
committer | GitHub <noreply@github.com> | Thu Aug 20 15:07:40 2020 +0200 |
tree | 247fc8508b233d8e556b8adf745299bd84f925be | |
parent | 7c8144a589df75487512b1c920ad3ba145ff9b18 | |
Improve scripting security (#179)

* Improve scripting security:
  - OGNL is now disabled by default as it wasn't really used much (possible to reactivate through a system setting)
  - A new condition sanitizer has been added in the ContextServlet to filter out any MVEL scripts (again not used much and can be reactivated using a system property)
  - A new ExpressionFilter has been added that will use configurable (system property) regular expressions to filter out possible malicious expressions
  - OGNL sandboxing has been improved
  - MVEL default imports have been modified to prevent using system-level classes
* Fix bug in sanitizing code
* New scripting execution sub-system:
  - Allow-listing of allowed expressions
  - Plugins may deploy their own allow-lists using JSON files
  - OGNL scripting is now deactivated by default
  - Minimal list of built-in MVEL allowed patterns
* Fix typo in marker
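The allow-listing approach the commit message describes, as an added illustration that is not Unomi's own code: a deny-by-default filter that accepts a scripting expression only when its entire text matches one of a set of regular expressions. The class name, the patterns and the sample expressions are assumptions; the patterns are assumed to come from a plugin's JSON allow-list file and are embedded inline here as constructed values.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Hypothetical deny-by-default allow-list for scripting expressions
 * (added example, not Unomi's ExpressionFilter). In a real deployment the
 * pattern strings would be read from a plugin-supplied JSON file; here they
 * are constructed sample values.
 */
public class ExpressionAllowList {

    private final List<Pattern> allowed = new ArrayList<>();

    public ExpressionAllowList(List<String> regexes) {
        for (String regex : regexes) {
            allowed.add(Pattern.compile(regex));
        }
    }

    /** Accept only if the whole expression matches an allowed pattern; anything else is rejected. */
    public boolean isAllowed(String expression) {
        if (expression == null || expression.trim().isEmpty()) {
            return false;
        }
        for (Pattern p : allowed) {
            // matches() requires a full-string match; find() would let extra trailing code slip through
            if (p.matcher(expression).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample allow-list: plain property reads and one segment-membership check.
        ExpressionAllowList list = new ExpressionAllowList(List.of(
            "profile\\.properties\\.[A-Za-z0-9_]+",
            "session\\.properties\\.[A-Za-z0-9_]+",
            "profile\\.segments\\.contains\\(\"[A-Za-z0-9_-]+\"\\)"
        ));
        String[] samples = {
            "profile.properties.firstName",              // ALLOW
            "profile.segments.contains(\"vip\")",        // ALLOW
            "profile.properties.firstName.getClass()",   // REJECT: extra call beyond the allowed shape
            ""                                           // REJECT: empty expression
        };
        for (String s : samples) {
            System.out.println((list.isAllowed(s) ? "ALLOW  " : "REJECT ") + s);
        }
    }
}
```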
Apache Unomi stores user profile information and is mostly used as a backend server for A/B testing and personalization. To do so it implements the OASIS Context Server specification, which is currently under development.
The source code is available under the Apache License, Version 2.0.
You can find all the updated documentation, including building and deployment instructions, on the Apache Unomi web site.