Java Mailing List Archive

[FreeMarker-user] FreeMarker 2.3.19 is out. Please read security

Daniel Dekany


FreeMarker 2.3.19 is out!


GAE-compatible binary:


Don't miss the security related changes, they may affect your

Changes on the FTL side:

* Attention: The output of ISO 8601 date/time formatting built-ins,
introduced in 2.3.17, was slightly changed. From now on, the time
zone offset, when it's displayed and it isn't Z, always includes the
minutes. For example, 15:30:15+02 becomes 15:30:15+02:00 in the
template output. Both formats are valid according to ISO 8601 (so
anything that expects ISO 8601 date/times should continue working),
but only the last format complies with the XML Schema date/time
formats, hence this change.

* New built-in for escaping inside JSON string literals: json_string.

* Bugfix: Wrong # tags were printed as static text instead of causing
parsing error if there was no correct # tag earlier in the same
template. Since fixing this would not be 100% backward compatible,
the old behavior has remained, unless you set the
incompatible_enhancements setting
(Configuration.setIncompatibleEnhancements(String)) to "2.3.19" or

Changes on the Java side:

* Attention: This release contains two important security workarounds
that unavoidably make it obvious how some applications can be
exploited. FreeMarker can't solve these issues on all
configurations, so please read the details instead of just updating
FreeMarker! Also, these changes are not 100% backward compatible in
theory, however it's not probable that they will break anything. The
two changes are:

- The character with character code 0 (\u0000) is not allowed in
  template paths anymore. When a path contains it, FreeMarker
  behaves as if the template was not found.

  This is to fix the security problem where a template path like
  "secret.txt\u0000.ftl" is used to bypass extension filtering in an
  application. FreeMarker itself doesn't care about the extension,
  but some applications decide based on the extension if they will
  delegate a path to FreeMarker. When they do with such a path, the
  C/C++ implementation behind the storage mechanism may see the
  path as "secret.txt" as the 0 terminates the string in C/C++, and
  thus load a non-FTL file as a template, returning the file
  contents to the attacker.

  Note that some HTTP servers, notably Tomcat and Apache, will block
  URL-s containing 0, but some others, like Jetty, don't.

- ClassTemplateLoader, when it's created with base path "/" (like
  with new ClassTemplateLoader(someClass, "/")), will not allow
  template paths that contain a colon earlier than any /, and will act
  as if the template was not found in such a case.

  This is to fix the security problem where a template path like
  "file:/etc/secret" or "" is
  interpreted as a full URL by a in the
  class-loader hierarchy. This is a quirk (or bug) of

  Beware, some frameworks use their own TemplateLoader
  implementations, and if those are vulnerable, they will remain so
  after updating FreeMarker too! Note that this exploit only works
  if the class-loader hierarchy contains an URLClassLoader and the
  class-loader is used to load templates without adding any prefix
  before the template path (other than "/").

These security issues mostly affect applications where the user (the
visitor) can supply arbitrary template paths. This is not the case
with properly built MVC applications, as there only the Controller
can be addressed directly, and it's the Controller who specifies the
template paths. But MVC applications based on JSP Model-2 often
expose the MVC Views as URL-s ending with .ftl, thus allowing the
user to give arbitrary paths to FreeMarker. Such applications should
be secured with a security-constraint in web.xml as shown here:
This should be done regardless of the current security fixes.

* Configuration has new methods: removeTemplateFromCache(...). This
will remove the given template for the given locale from the cache,
so it will be re-loaded regardless of the template update delay the
next time it's requested.

* BeansWrapper ignores setter methods from now on when introspecting
classes. They weren't used anyway, so they unnecessarily caused
"java.beans.IntrospectionException: type mismatch between read and
write methods" errors.

* TemplateClassResolver.SAFER_RESOLVER now disallows creating
freemarker.template.utility.JythonRuntime and
freemarker.template.utility.Execute. This change affects the
behavior of the new built-in if FreeMarker was configured to use
SAFER_RESOLVER, which is not the default until 2.4 and is hence

* Bug fixed: Calling varargs methods now indeed works. (Earlier it
only worked for overloaded methods.)

* Bug fixed [1837697] [2831150] [3039096] [3165425]: Jython support
now works with Jython 2.2 and 2.5.

* Bug fixed [3325103]: TemplateException-s and ParseException-s are
now serializable.

Best regards,
Daniel Dekany
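Added example (not code from the announcement or from FreeMarker itself): a delegating TemplateLoader that applies the two path checks described above, the NUL-byte rule and the "colon before the first /" rule, in front of any loader. The announcement warns that framework-supplied TemplateLoader implementations stay vulnerable after the update; wrapping them like this is one way to close that gap. The class name, the constructor flag and the sample paths are assumptions made for this example; the TemplateLoader interface, ClassTemplateLoader and Configuration.setTemplateLoader are FreeMarker 2.3 API.

```java
import java.io.IOException;
import java.io.Reader;

import freemarker.cache.ClassTemplateLoader;
import freemarker.cache.TemplateLoader;
import freemarker.template.Configuration;

/**
 * Hypothetical wrapper (not part of FreeMarker) that enforces the two
 * 2.3.19 template-path rules in front of an arbitrary TemplateLoader.
 * Rejected paths are reported as "not found" (null), matching what the
 * built-in loaders do since 2.3.19.
 */
public final class PathCheckingTemplateLoader implements TemplateLoader {

    private final TemplateLoader delegate;
    /** Set to true when the wrapped loader resolves from base path "/". */
    private final boolean rejectSchemeLikePrefix;

    public PathCheckingTemplateLoader(TemplateLoader delegate, boolean rejectSchemeLikePrefix) {
        this.delegate = delegate;
        this.rejectSchemeLikePrefix = rejectSchemeLikePrefix;
    }

    /** Returns true when the path must be treated as "template not found". */
    static boolean isRejected(String name, boolean rejectSchemeLikePrefix) {
        // Rule 1: a NUL character anywhere in the path. An extension filter
        // in the application sees "secret.txt<NUL>.ftl" and lets it through,
        // while a C-based storage layer stops at the NUL and opens "secret.txt".
        if (name.indexOf('\0') >= 0) {
            return true;
        }
        // Rule 2: a colon before the first '/', e.g. "file:/etc/secret".
        // With a class loader rooted at "/", an URLClassLoader in the
        // hierarchy may interpret such a name as an absolute URL.
        if (rejectSchemeLikePrefix) {
            int colon = name.indexOf(':');
            int slash = name.indexOf('/');
            if (colon >= 0 && (slash < 0 || colon < slash)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public Object findTemplateSource(String name) throws IOException {
        if (isRejected(name, rejectSchemeLikePrefix)) {
            return null; // null is "not found" in the TemplateLoader contract
        }
        return delegate.findTemplateSource(name);
    }

    @Override
    public long getLastModified(Object templateSource) {
        return delegate.getLastModified(templateSource);
    }

    @Override
    public Reader getReader(Object templateSource, String encoding) throws IOException {
        return delegate.getReader(templateSource, encoding);
    }

    @Override
    public void closeTemplateSource(Object templateSource) throws IOException {
        delegate.closeTemplateSource(templateSource);
    }

    /** Wiring example plus a self-check of the two rules on constructed paths. */
    public static void main(String[] args) {
        Configuration cfg = new Configuration();
        TemplateLoader raw = new ClassTemplateLoader(PathCheckingTemplateLoader.class, "/");
        cfg.setTemplateLoader(new PathCheckingTemplateLoader(raw, true));

        // Constructed sample paths and the expected verdict for each.
        String[][] cases = {
            {"views/index.ftl", "false"},
            {"secret.txt\0.ftl", "true"},   // NUL-byte extension bypass
            {"file:/etc/secret", "true"},   // scheme-like prefix, colon before any '/'
            {"views/a:b.ftl", "false"},     // colon after a '/' is allowed
        };
        for (String[] c : cases) {
            boolean rejected = isRejected(c[0], true);
            if (rejected != Boolean.parseBoolean(c[1])) {
                throw new AssertionError("unexpected verdict for " + c[0]);
            }
        }
        System.out.println("all path checks behave as expected");
    }
}
```

The second rule is only applied when the wrapped loader is rooted at "/"; for a ClassTemplateLoader created with a non-root base path the prefix is prepended before the class loader sees the name, which is why the announcement limits the fix to that configuration.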

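Added example for the web.xml security-constraint the announcement refers to (this is not the snippet linked from the original message): it denies every direct client request for a URL ending in .ftl, so the only path to a View is through the Controller. The web-resource-name is arbitrary.

```xml
<!-- Added example, not the one linked from the announcement. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>FreeMarker views</web-resource-name>
    <url-pattern>*.ftl</url-pattern>
  </web-resource-collection>
  <!-- An empty auth-constraint grants no role, so the container
       refuses every direct request for these URLs. -->
  <auth-constraint/>
</security-constraint>
```

Servlet security constraints are checked on client requests only, not on RequestDispatcher forwards and includes, so a Controller that forwards to a .ftl view keeps working while a visitor typing the .ftl URL into the browser gets a 403.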
FreeMarker-user mailing list
©2008 - Jax Systems, LLC, U.S.A.