Does that mean that you agree that we should leave them on the actual FreeMarker 2.3.x defaults (?api enabled, ?new set to "safer")?
On Mon, Oct 19, 2020 at 7:31 PM Siegfried Goeschl <siegfried.goes...@gmail.com> wrote:

> Hi Daniel,
>
> yes, I disabled them since I assume that they will be the default settings
>
> Thanks in advance
>
> Siegfried Goeschl
>
> > On 11.10.2020, at 20:42, Daniel Dekany <daniel.dek...@gmail.com> wrote:
> >
> > I noticed that ?api and ?new are by default disabled in freemarker-generator. However, freemarker-generator is inherently unsafe, as it has tools.freemarker.objectConstructor, and tools.freemarker.statics. For a command-line tool that's probably fine, but then the above two configuration settings should be left on their convenient defaults as well.
> >
> > In general, allowing someone to specify arbitrary command line arguments to the freemarker-generator CLI means that they can do pretty much anything (as they can provide an arbitrary template with the -i option, then access the tools). Again, I think such risk is expected from a command line tool, but it's better if we are conscious about this.
> >
> > --
> > Best regards,
> > Daniel Dekany

--
Best regards,
Daniel Dekany
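As an added example (not from this thread and not freemarker-generator's own code), a small Java program that applies the two settings under discussion to a FreeMarker 2.3.x `Configuration` and shows what each one gates. The `Configuration`, `TemplateClassResolver` and `Template` calls are the real FreeMarker API; the inline templates and the data model are constructed for the demo.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class BuiltinSettingsDemo {

    // Build a 2.3.x configuration with the two settings the thread talks about:
    // api_builtin_enabled gates ?api, new_builtin_class_resolver gates ?new.
    static Configuration configure(boolean apiEnabled, TemplateClassResolver resolver) {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        cfg.setAPIBuiltinEnabled(apiEnabled);
        cfg.setNewBuiltinClassResolver(resolver);
        return cfg;
    }

    // Render an inline template; on a refused built-in FreeMarker throws and we report it.
    static String render(Configuration cfg, String source, Map<String, Object> model) {
        try {
            Template t = new Template("inline", source, cfg);
            java.io.StringWriter out = new java.io.StringWriter();
            t.process(model, out);
            return out.toString();
        } catch (TemplateException | IOException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Map<String, Object> model = new HashMap<>();
        model.put("list", Arrays.asList("a", "b")); // constructed sample data

        // ?api exposes the wrapped Java object's own methods to the template;
        // with api_builtin_enabled=false every ?api use fails at render time.
        String apiTpl = "${list?api.size()}";
        System.out.println(render(configure(false, TemplateClassResolver.SAFER_RESOLVER), apiTpl, model));
        System.out.println(render(configure(true, TemplateClassResolver.SAFER_RESOLVER), apiTpl, model));

        // ?new instantiates a TemplateModel class by name. SAFER_RESOLVER refuses the
        // FreeMarker utility classes that can run code (ObjectConstructor, Execute, ...)
        // but allows harmless ones; ALLOWS_NOTHING_RESOLVER refuses every class.
        String newTpl = "${'freemarker.template.SimpleScalar'?new('hi')}";
        System.out.println(render(configure(true, TemplateClassResolver.SAFER_RESOLVER), newTpl, model));
        System.out.println(render(configure(true, TemplateClassResolver.ALLOWS_NOTHING_RESOLVER), newTpl, model));
    }
}
```

For a tool that already ships objectConstructor and statics as template tools, these settings do not add isolation on their own; they only decide whether `?api` and `?new` are available to a template that can already reach the same capabilities through the tools.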