n4nch341 created VELOCITY-946:
---------------------------------

             Summary: Questions about the existing velocity safety mechanism
                 Key: VELOCITY-946
                 URL: https://issues.apache.org/jira/browse/VELOCITY-946
             Project: Velocity
          Issue Type: Bug
            Reporter: n4nch341


hello sir:
I noticed that velocity-core fixes CVE-2020-13936 
(https://github.com/apache/velocity-engine/pull/16/files), but the following content
 
"introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager
introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory"
 
was added to the 
velocity-engine-core/src/test/resources/oldproperties/velocity.properties file. 
I think this is a test file and wouldn't take effect at runtime.
 
As for the valid org\apache\velocity\runtime\defaults\velocity.properties file, 
these blacklists have not been added to it, so in the velocity-tools-view framework 
the payload 
${req.getServletContext().getAttribute('org.apache.tomcat.InstanceManager').newInstance('javax.script.ScriptEngineManager').getEngineByName('js').eval(xx) 
is still valid, and velocity-tools-view does not enable SecureUberspector by default.
So I don't know whether writing this blacklist in the test file means that the 
application calling velocity-core needs to add the blacklists on its own, or 
whether velocity-core forgot to add these blacklists to 
org\apache\velocity\runtime\defaults\velocity.properties. Can this be 
considered a vulnerability?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
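For readers deploying velocity-tools-view, the point of the report is that a restriction in a test resource protects nothing at runtime; the deployer's own properties file has to enable SecureUberspector and name the classes to block. The fragment below is an added example written by the editor, not text from the Jira report or from the Velocity project. It assumes Velocity 2.x property names (the uberspector key was called runtime.introspector.uberspect in 1.7) and copies the four container classes exactly as the report quotes them from the CVE-2020-13936 test file.

```properties
# Added example (editor's, not the project's): deployer-side velocity.properties
# that switches the introspector to SecureUberspector and restricts classes.
# Assumption: Velocity 2.x key names.

# Weak setting (what the engine falls back to when nothing is configured):
# the plain uberspector, which lets a template call any public method on any
# object it can reach, including reflection and container internals.
# introspector.uberspect.class = org.apache.velocity.util.introspection.UberspectImpl

# Hardened setting: SecureUberspector checks each method call against the
# restrict lists below before allowing it.
introspector.uberspect.class = org.apache.velocity.util.introspection.SecureUberspector

# Reflection and class-loading entry points that a template never needs.
introspector.restrict.packages = java.lang.reflect
introspector.restrict.classes = java.lang.Class
introspector.restrict.classes = java.lang.ClassLoader
introspector.restrict.classes = java.lang.Runtime
introspector.restrict.classes = java.lang.System
introspector.restrict.classes = java.lang.Thread

# Servlet-container instance managers quoted in the report; written one per
# line as in the CVE-2020-13936 test file, which Velocity's property loader
# collects into a single list.
introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager
introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory
```

velocity-tools-view reads the deployer's properties from the file named by its `org.apache.velocity.properties` init parameter (by default, to the editor's understanding, `/WEB-INF/velocity.properties`), so this is where the restriction has to live for a servlet deployment. The check to add to a deployment test is simply that the engine reports SecureUberspector as its uberspector after initialisation; a blacklist of class names is only a floor, and exposing a small, reviewed set of tools to templates rather than the raw request object is the stronger control.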
