[
https://issues.apache.org/jira/browse/VELOCITY-946?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Osipov closed VELOCITY-946.
-----------------------------------
Resolution: Invalid
Questions aren't bugs. We have a mailing list for that.
> Questions about the existing velocity safety mechanism
> ------------------------------------------------------
>
> Key: VELOCITY-946
> URL: https://issues.apache.org/jira/browse/VELOCITY-946
> Project: Velocity
> Issue Type: Bug
> Reporter: n4nch341
> Priority: Major
>
> Hello sir,
> I noticed that velocity-core fixes CVE-2020-13936
> (https://github.com/apache/velocity-engine/pull/16/files), but the following content
>
> "introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
> introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager
> introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
> introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory"
>
> was added to the
> velocity-engine-core/src/test/resources/oldproperties/velocity.properties
> file. I think this is a test file and it would not take effect at runtime.
>
> As for the effective org\apache\velocity\runtime\defaults\velocity.properties
> file, these blacklist entries have not been added to it, so in the velocity-tools-view
> framework the payload
> ${req.getServletContext().getAttribute('org.apache.tomcat.InstanceManager').newInstance('javax.script.ScriptEngineManager').getEngineByName('js').eval(xx)
> is still valid, and velocity-tools-view
> does not enable SecureUberspector by default.
> So I don't know whether writing this blacklist under the test file means that
> the application that calls velocity-core needs to add the blacklists itself, or
> whether velocity-core forgot to add these blacklists to
> org\apache\velocity\runtime\defaults\velocity.properties. Can this be
> considered a vulnerability?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
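The point the reporter circles around is that the restrict list in a test properties file protects nothing; the application that embeds Velocity has to enable SecureUberspector and ship its own list. The following is an added example written for this page, not code from the Velocity project or from the reporter. It assumes Velocity Engine 2.x on the classpath, and the container class names it adds to Velocity's default restrict list are the four quoted in the issue; whether that list is complete for a given container is an assumption the deployer has to verify.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

/**
 * Added example (not Velocity project code). Contrasts a stock VelocityEngine
 * with one that enables SecureUberspector and carries an explicit
 * introspector.restrict.classes list set by the embedding application.
 */
public class SecureVelocityDemo {

    // Velocity's own default restrict list, repeated here because setProperty()
    // replaces the default value, followed by the container classes quoted in
    // the issue. Assumption: this list is illustrative, not exhaustive.
    static final String RESTRICTED = String.join(",",
            "java.lang.Class", "java.lang.ClassLoader", "java.lang.Compiler",
            "java.lang.InheritableThreadLocal", "java.lang.Package", "java.lang.Process",
            "java.lang.Runtime", "java.lang.RuntimePermission", "java.lang.SecurityManager",
            "java.lang.System", "java.lang.Thread", "java.lang.ThreadGroup", "java.lang.ThreadLocal",
            "org.apache.catalina.core.DefaultInstanceManager",
            "org.apache.tomcat.SimpleInstanceManager",
            "org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager",
            "org.eclipse.jetty.util.DecoratedObjectFactory");

    // Engine that consults the restrict lists before resolving any method call.
    static VelocityEngine hardenedEngine() {
        VelocityEngine ve = new VelocityEngine();
        ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        ve.setProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_CLASSES, RESTRICTED);
        ve.setProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_PACKAGES, "java.lang.reflect");
        ve.init();
        return ve;
    }

    // Engine with the default uberspector: every public method is reachable.
    static VelocityEngine defaultEngine() {
        VelocityEngine ve = new VelocityEngine();
        ve.init();
        return ve;
    }

    // Evaluates a template string with a single context object bound as $obj.
    static String render(VelocityEngine ve, String template, Object model) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("obj", model);
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "demo", template);
        return out.toString();
    }

    public static void main(String[] args) {
        // First hop of the usual reflection escape: from any context object to
        // its class, then to its class loader.
        String probe = "$obj.getClass().getClassLoader()";
        Object model = new SecureVelocityDemo();

        // Default uberspector resolves the call and prints the loader.
        System.out.println("default  : " + render(defaultEngine(), probe, model));

        // SecureUberspector: java.lang.Class is on the restrict list, so
        // getClassLoader() is refused, a warning is logged, and the unresolved
        // reference is echoed back as literal text instead of being invoked.
        System.out.println("hardened : " + render(hardenedEngine(), probe, model));
    }
}
```

Two details are worth knowing when moving this into a properties file instead of code. A key such as introspector.restrict.classes may appear on several lines in a Velocity properties file and the values accumulate into one list, which is why the test file quoted in the issue repeats the key four times; in code, setProperty() with a comma-separated string has the same effect but discards the defaults, so they must be listed again as above. And the restrict list only matters once runtime.introspector.uberspect points at SecureUberspector; on its own the list is inert, which is the situation the reporter describes for velocity-tools-view.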