[ https://issues.apache.org/jira/browse/VELOCITY-946?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Osipov closed VELOCITY-946.
-----------------------------------
    Resolution: Invalid

Questions aren't bugs. We have a mailing list for that.

> Questions about the existing velocity safety mechanism
> ------------------------------------------------------
>
>                 Key: VELOCITY-946
>                 URL: https://issues.apache.org/jira/browse/VELOCITY-946
>             Project: Velocity
>          Issue Type: Bug
>            Reporter: n4nch341
>            Priority: Major
>
> Hello sir:
> I noticed that velocity-core fixes CVE-2020-13936
> (https://github.com/apache/velocity-engine/pull/16/files), but the following content
>
>     introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
>     introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager
>     introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
>     introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory
>
> was added to the velocity-engine-core/src/test/resources/oldproperties/velocity.properties
> file. I think this is a test file and would not take effect at runtime.
>
> As for the valid org\apache\velocity\runtime\defaults\velocity.properties
> file, these blacklists have not been added to it, so in the velocity-tools-view
> framework the payload
> ${req.getServletContext().getAttribute('org.apache.tomcat.InstanceManager').newInstance('javax.script.ScriptEngineManager').getEngineByName('js').eval(xx)
> is still valid, and velocity-tools-view does not enable SecureUberspector by default.
> So I don't know whether writing this blacklist under the test file means that
> the application that calls velocity-core needs to add the blacklists itself, or
> whether velocity-core forgot to add these blacklists to
> org\apache\velocity\runtime\defaults\velocity.properties. Can this be
> considered a vulnerability?
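As an added example (not code from the issue or from the Velocity project), this shows how an application embedding velocity-engine-core can turn on SecureUberspector and the restriction list itself, programmatically, instead of relying on whatever the shipped velocity.properties contains. It assumes the Velocity 2.x engine API (VelocityEngine, RuntimeConstants) and uses the class names quoted in the issue as the restricted list.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public class SecureVelocityExample {

    // Assumed example: builds an engine with the hardening the issue discusses,
    // SecureUberspector plus an explicit introspector.restrict.classes list.
    // addProperty() appends, mirroring repeated keys in a velocity.properties file.
    public static VelocityEngine secureEngine() {
        VelocityEngine engine = new VelocityEngine();
        // SecureUberspector refuses getClass()/getClassLoader() and any member
        // access on classes or packages named in the restrict lists.
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        String[] restricted = {
                "org.apache.catalina.core.DefaultInstanceManager",
                "org.apache.tomcat.SimpleInstanceManager",
                "org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager",
                "org.eclipse.jetty.util.DecoratedObjectFactory"
        };
        for (String cls : restricted) {
            engine.addProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_CLASSES, cls);
        }
        engine.init();
        return engine;
    }

    // Renders a template string; a call the uberspector refuses is not executed
    // and the reference is left in the output literally (non-strict mode).
    public static String render(VelocityEngine engine, String template) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", "world");
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "secure-example", template);
        return out.toString();
    }

    public static void main(String[] args) {
        VelocityEngine engine = secureEngine();
        System.out.println(render(engine, "Hello $name"));        // normal reference still works
        System.out.println(render(engine, "$name.getClass()"));   // blocked: rendered literally
    }
}
```

Equivalent settings in a velocity.properties file loaded by the application are `runtime.introspector.uberspect` and repeated `introspector.restrict.classes` keys, which is what the issue asks about.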
--
This message was sent by Atlassian Jira (v8.3.4#803005)