[ 
https://issues.apache.org/jira/browse/VELOCITY-982?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17876343#comment-17876343
 ] 

Nathan Bubna commented on VELOCITY-982:
---------------------------------------

We would be happy to get a PR to update the secure introspector's entries. I've 
never trusted third-party templates myself (most users don't), but I know there 
are those who still rely on this and would appreciate the default list being 
updated, so they needn't add these themselves.

And no, Velocity is still an active project, not CVE patch mode only. It's not 
a very active project, granted. The contributors are fairly satisfied (read: 
not highly motivated to put substantial work into it), but we do still have 
ongoing (slow, sporadic) development.

> Velocity 2.x - Velocity.properties - Additional introspector.restrict.classes
> -----------------------------------------------------------------------------
>
>                 Key: VELOCITY-982
>                 URL: https://issues.apache.org/jira/browse/VELOCITY-982
>             Project: Velocity
>          Issue Type: Improvement
>          Components: Build
>    Affects Versions: 2.0, 2.1, 2.2, 2.3, 2.4.2
>            Reporter: John Tal
>            Priority: Major
>
> In Velocity.properties, the introspector.restrict.classes entries.
> I assume additions to this file in that section resolved for CVE-2020-13936 
> (templating can interact with the system)?  Please confirm what commits or 
> classes, settings did indeed resolve CVE-2020-13936.  We really need to know 
> because we are stuck on 1.7 and need to fork/patch.
> Along these lines of further security hardening, aren't there more entries 
> needed in the introspector.restrict.classes section such as:
> java.lang.ProcessBuilder
> java.lang.Reflect
> javax.management.MBeanServer
> java.net.Socket
> javax.script.ScriptEngine
>  
> Finally, please confirm whether Velocity is largely in CVE patch mode only 
> and is not really an active project given that there is much more talk today 
> about Apache FreeMarker.  Just trying to determine the level of support and 
> engagement from the Apache Velocity maintainers.  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org
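The configuration being discussed, as an added example that is not part of the Jira thread and not code from the Velocity project: it enables Velocity 2.x's SecureUberspector and extends introspector.restrict.classes with the entries the reporter proposes. The property keys (runtime.introspector.uberspect, introspector.restrict.packages, introspector.restrict.classes) and the default class list are the ones shipped in Velocity's own velocity.properties; the extra class names, the class name SecureVelocityConfig, the helper methods and the hostile template are assumptions made for this illustration. It assumes velocity-engine-core 2.x on the classpath.

```java
// Added example (not from the Jira thread or the Velocity project).
// Enables the SecureUberspector and hardens the introspector class/package blocklist.
import java.io.StringWriter;
import java.util.Properties;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public class SecureVelocityConfig {

    // Default introspector.restrict.classes list as shipped in Velocity's velocity.properties.
    static final String DEFAULT_RESTRICTED_CLASSES = String.join(",",
        "java.lang.Class", "java.lang.ClassLoader", "java.lang.Compiler",
        "java.lang.InheritableThreadLocal", "java.lang.Package", "java.lang.Process",
        "java.lang.Runtime", "java.lang.RuntimePermission", "java.lang.SecurityManager",
        "java.lang.System", "java.lang.Thread", "java.lang.ThreadGroup", "java.lang.ThreadLocal");

    // Additions proposed in VELOCITY-982 (assumed names; ScriptEngineManager added because it is
    // the usual entry point to a ScriptEngine). java.lang.reflect is a package, not a class,
    // so it goes in introspector.restrict.packages, where the default configuration already has it.
    static final String EXTRA_RESTRICTED_CLASSES = String.join(",",
        "java.lang.ProcessBuilder", "java.net.Socket", "javax.script.ScriptEngine",
        "javax.script.ScriptEngineManager", "javax.management.MBeanServer");

    // Builds the same key/value pairs one would put in velocity.properties. Velocity splits
    // comma-separated values into a list, exactly as it does when reading the properties file.
    static Properties hardenedProperties() {
        Properties p = new Properties();
        p.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,      // "runtime.introspector.uberspect"
            "org.apache.velocity.util.introspection.SecureUberspector");
        p.setProperty("introspector.restrict.packages", "java.lang.reflect");
        p.setProperty("introspector.restrict.classes",
            DEFAULT_RESTRICTED_CLASSES + "," + EXTRA_RESTRICTED_CLASSES);
        return p;
    }

    // Renders an inline template with the given engine configuration.
    static String render(Properties props, String template) {
        VelocityEngine engine = new VelocityEngine();
        engine.init(props);
        VelocityContext ctx = new VelocityContext();
        ctx.put("s", "hello");                       // an ordinary String put in the context
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "hardened-template", template);
        return out.toString();
    }

    public static void main(String[] args) {
        // Hostile template (constructed for this example): tries to climb from a harmless String
        // to its Class object and on to java.lang.Runtime. With the SecureUberspector the
        // getClass() step is refused by the secure introspector and the chain never reaches
        // Runtime; the unresolved reference is rendered literally instead of being executed.
        String hostile = "$s.class.forName('java.lang.Runtime').getRuntime()";
        System.out.println(render(hardenedProperties(), hostile));
    }
}
```

The blocklist is only as good as the list itself: an entry has to name the class the introspector sees when the template invokes a method, so after extending it, run a few hostile templates of your own against your Velocity version and confirm the output is the literal reference text rather than a method result. For applications that render templates from untrusted sources, the cleaner control remains the one Nathan describes: do not feed third-party templates to the engine at all.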
