Apache Freemarker

Source changes - FishEye

Shows the 20 most recent commits for Apache Freemarker.

Michael Blow <mblow@apache.org> committed 1355c269f50e84087ed24cb0ec9f091d2ce19a5a (59 files)
Reviews: none

ASTERIXDB-1720 - Generate License / Notice Files
- Includes Maven plugin to analyze dependencies & assemble LICENSE &
  NOTICE files using Apache FreeMarker templates, formatting to desired
  LICENSE & NOTICE output format.
- LICENSE & NOTICE files for the 'asterix-server', 'asterix-installer',
  and 'asterix-yarn' binary assemblies are generated by the build
- Automated LICENSE & NOTICE file generation for source release is not
  addressed by this patch
- Fixes ASTERIXDB-1311: Add Rome Apache 2.0 License in the LICENSE/NOTICE

Change-Id: I0963a85cb2be47dbf6bfd8c7f6fec767ef32e7e2
Reviewed-on: https://asterix-gerrit.ics.uci.edu/1402
Sonar-Qube: Jenkins <jenkins@fulliautomatix.ics.uci.edu>
Reviewed-by: Till Westmann <tillw@apache.org>
Tested-by: Jenkins <jenkins@fulliautomatix.ics.uci.edu>

asterixdb release-0.8.9
Jacopo Cappellato committed 1771927 (2 files)
Reviews: none

[Implemented]: Upgraded Freemarker to the latest release 2.3.25.

This upgrade fixes the SuppressFBWarnings warnings occurring at compilation time.

Jacopo Cappellato committed 1762227 (15 files)
Reviews: none

Improved: cleanups and enhancements in the FreeMarkerWorker class, and client
code using it, that wraps most of the OFBiz integration with FreeMarker.

This is the list of the main modifications:
* simplified and cleaned up the public methods of FreeMarkerWorker, used to
retrieve and render Freemarker templates and changed client code accordingly to
use them
* removed unused methods in FreeMarkerWorker and made some others private
* improved the integration code in FreeMarkerWorker to better use the Freemarker
API and specifically to leverage the various TemplateLoaders and the Freemarker
caching mechanism; it is now possible to switch the OFBiz legacy template
caching mechanism to use the Freemarker one instead
* improved the implementation of Freemarker template rendering from strings
(used by DataResourceWorker): it now leverages the Freemarker's
StringTemplateLoader that provides the ability to cache the strings, retrieved
from DataResources records, based on the timestamp of the last modification
* moved freemarkerImports.properties from "widget" to "base" component, and
changed its content (and the content of the associated templates
AutoImportTemplate.ftl and HtmlTemplate.ftl) to remove the dependency from base
to widget&common; some resources of "widget" and "common" are still referenced
from AutoImportTemplate.ftl (that is in "base") but even if they are soft
dependencies: if they are missing the system will load properly without any
error or warning; before this change it was impossible to use, or unit test,
FreeMarkerWorker before the "widget" and "common" components were loaded by the
system, now it is possible
* created a new class for unit tests for FreeMarkerWorker, named
FreeMarkerWorkerTests: at the moment it contains just one simple unit test but
more should be implemented
* refactored WebToolsServices.entityImport(...) to leverage the
FreeMarkerWorker.renderTemplate(...) method to run the Freemarker template,
rather than dealing with the Freemarker API directly; this is now possible
thanks to the cleanups and improvements done in the FreeMarkerWorker class; this
same approach should be implemented for a few other similar integration points
(mostly in the "content" component); this is a TODO item
* moved the encodeDoubleQuotes(...) method from FreeMarkerWorker to
MacroFormRenderer and made it private since this is the only class using it and
its logic is not related to FreeMarker

Jan le Roux committed 1761987 (1 file)
Reviews: none

Oops this should not have been removed at r1761986

[CVE-2016-4462] OFBiz template remote code vulnerability
By manipulating the URL parameter externalLoginKey, a malicious, logged in
user could pass valid Freemarker directives to the Template Engine that are
reflected on the webpage; a specially crafted Freemarker template could be
used for remote code execution.

Jan le Roux committed 1761986 (6 files)
Reviews: none

"Applied fix from trunk for revision: 1761978" (conflict handled by hand)
------------------------------------------------------------------------
r1761978 | jleroux | 2016-09-22 18:52:56 +0200 (jeu. 22 sept. 2016) | 15 lignes

Fixes: Sorting of lists generates undesired results
(OFBIZ-8302)

This was due to r1759555, as Scott spotted. r1759555 fixed a vulnerability
but as explained in the r1759555 commit message we used
>2 redundant mechanisms (better safe than sorry):
>1) linkUrl = URLEncoder.encode(linkUrl, "UTF-8");
>2) sr.append("\" linkUrl=r\"");

Removing the 1st way fixes the reported issue and we are still safe.

I'll have a look at how the catalog/control/FindProduct URL is generated to be
sure it's OK as is

Thanks: Pierre for report, Scott for spotting the issue.
------------------------------------------------------------------------

[CVE-2016-4462] OFBiz template remote code vulnerability
By manipulating the URL parameter externalLoginKey, a malicious, logged in
user could pass valid Freemarker directives to the Template Engine that are
reflected on the webpage; a specially crafted Freemarker template could be
used for remote code execution.

Jan le Roux committed 1761978 (1 file)
Reviews: none

Fixes: Sorting of lists generates undesired results
(OFBIZ-8302)

This was due to r1759555, as Scott spotted. r1759555 fixed a vulnerability
but as explained in the r1759555 commit message we used
>2 redundant mechanisms (better safe than sorry):
>1) linkUrl = URLEncoder.encode(linkUrl, "UTF-8");
>2) sr.append("\" linkUrl=r\"");

Removing the 1st way fixes the reported issue and we are still safe.

I'll have a look at how the catalog/control/FindProduct URL is generated to be
sure it's OK as is

Thanks: Pierre for report, Scott for spotting the issue.

[CVE-2016-4462] OFBiz template remote code vulnerability
By manipulating the URL parameter externalLoginKey, a malicious, logged in
user could pass valid Freemarker directives to the Template Engine that are
reflected on the webpage; a specially crafted Freemarker template could be
used for remote code execution.

Michael Brohl committed 1761591 (1 file)
Reviews: none

Improved: Remove the creation of the temporary git/svn footer files.

The files were created because of a bug in the TemplateLoader for Freemarker, see OFBIZ-8292. This is fixed so this is not needed anymore.

Thanks: Jacopo for the TemplateLoader fix.

Jacopo Cappellato committed 1761586 (2 files)
Reviews: none

Fix for: Freemarker's ignore_missing attribute of the #include directive was not
working because of an issue in the OFBiz custom TemplateLoader for Freemarker
templates.
(OFBIZ-8292)

The OFBiz custom TemplateLoader now returns null if the resource is missing as
required by the TemplateLoader specification.
Additional cleanups for unused methods in the FreeMarkerWorker class and some
minor fine tuning; improved the way errors are rendered: now the full stack
trace is not shown in the screen but only in the logs.

Thanks: Jacques Le Roux for the report.
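The TemplateLoader contract the commit above refers to, shown as an added illustration (this is not the OFBiz loader or any FreeMarker project code): a minimal in-memory loader that returns null from findTemplateSource() for an absent resource, which is what allows <#include ... ignore_missing=true> to skip the missing file instead of failing. The template names and contents are constructed for the example; "footer.ftl" is deliberately never registered.

```java
// Added example, not project code: an in-memory FreeMarker TemplateLoader
// that honours the "null means not found" contract of findTemplateSource().
import freemarker.cache.TemplateLoader;
import freemarker.template.Configuration;
import freemarker.template.Template;

import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

public class NullOnMissingLoader implements TemplateLoader {

    // Constructed templates for the example; "footer.ftl" is intentionally absent.
    private final Map<String, String> sources = new HashMap<>();

    NullOnMissingLoader() {
        sources.put("page.ftl",
                "<html><#include \"footer.ftl\" ignore_missing=true></html>");
    }

    // Contract: return null when the resource does not exist. If a loader
    // returns anything else for a missing name, FreeMarker goes on to call
    // getReader() for it, and ignore_missing never gets the chance to apply.
    @Override
    public Object findTemplateSource(String name) throws IOException {
        return sources.containsKey(name) ? name : null;
    }

    @Override
    public long getLastModified(Object templateSource) {
        return 0L; // static content here; a real loader returns the resource's mtime
    }

    @Override
    public Reader getReader(Object templateSource, String encoding) throws IOException {
        return new StringReader(sources.get((String) templateSource));
    }

    @Override
    public void closeTemplateSource(Object templateSource) throws IOException {
        // nothing to release for in-memory strings
    }

    // Renders page.ftl; with the null contract honoured this yields "<html></html>"
    // instead of a TemplateNotFoundException for the missing footer.
    public static String renderPage() throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_25);
        cfg.setTemplateLoader(new NullOnMissingLoader());
        Template page = cfg.getTemplate("page.ftl");
        StringWriter out = new StringWriter();
        page.process(Collections.emptyMap(), out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(renderPage());
    }
}
```

FreeMarker's default lookup also probes localized names such as page_en_US.ftl before page.ftl, so the loader must return null for those too; a loader that instead fabricates a source for every name breaks both localization fallback and ignore_missing.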

Jan le Roux committed 1761392 (5 files)
Reviews: none

Improves: Use ignore_missing option of the <#include Freemarker directive when fixed
(OFBIZ-8292)

This is a non-functional change except for the flatgrey and bluelight themes where svn and git info are added

Working on OFBIZ-8250 and after Deepak at OFBIZ-7942 (too bad I missed that :/) I found that the ignore_missing option of the <#include Freemarker directive does not work. I reported to the Freemarker incubating project.
Hopefully this will be fixed. It will then remove the need of creating empty files for the svn and git info footers when building.

In the meantime this provides the change in the themes footers.
I have also added the svn and git info to the flatgrey footer. The result is barely legible there but is also used (include) by the bluelight theme where it's OK
I have also formatted the related div where it was barely legible (too large)

Jinfeng Ni <jni@apache.org> committed 2081d76c9cfa33a796dba8a2676747edeccd9dfe (68 files)
Reviews: none

DRILL-4967: Adding template_name to source code generated using freemarker template.
close apache/drill#629

drill 1.9.0
Jan le Roux committed 1759558 (3 files)
Reviews: none

Fixes a vulnerability in the form widget sort-order element.

By manipulating the URL parameter externalLoginKey it is possible to pass valid Freemarker directives to the Template Engine that are reflected on webpages.
With Freemarker it is possible to create and use Java classes that implement the TemplateModel, including the freemarker.template.utility.Execute class.
An attacker can pass arbitrary commands via this class, which are executed on the server.

This fixes it using 2 redundant mechanisms (better safe than sorry):
1) UTF-8 encodes the linkUrl, by encoding the dangerous characters this prevents the attack (thanks to Gregory)
2) Prepends the linkUrl String with r, which is a Freemarker way to prevent its own interpretation (thanks to Scott)

It's not bad to have the redundant mechanisms, and either both or one of them can be used in other places if necessary.
So far only the form widget sort-order element is concerned.

Jan le Roux committed 1759555 (1 file)
Reviews: none

Fixes a vulnerability in the form widget sort-order element
By manipulating the URL parameter externalLoginKey it is possible to pass valid Freemarker directives to the Template Engine that are reflected on the webpage
With Freemarker it is possible to create and use Java classes that implement the TemplateModel, including the freemarker.template.utility.Execute class
An attacker can pass arbitrary commands via this class, which are executed on the server.

This fixes it using 2 redundant mechanisms (better safe than sorry):
1) linkUrl = URLEncoder.encode(linkUrl, "UTF-8");
2) sr.append("\" linkUrl=r\"");
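The two mechanisms listed in the commit message above, shown as an added illustration that is not OFBiz or FreeMarker project code: a request value is placed inside an FTL string literal, first as the commit describes the original unsafe pattern and then with URL-encoding and the raw r"..." literal applied. The parameter value, the class name and the helper methods are constructed for the example; the sample value only contains a harmless arithmetic interpolation so that the difference in rendered output is visible.

```java
// Added example, not project code: why an untrusted value must not be pasted
// into a normal FTL string literal, and what the two fixes change.
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.Collections;

public class SortLinkLiteralCheck {

    // Constructed sample value: a URL parameter carrying an FTL interpolation.
    // Request parameters are attacker-controlled; this one is chosen so the
    // effect of interpolation is visible without doing anything else.
    static final String UNTRUSTED_LINK_URL =
            "/catalog/control/FindProduct?externalLoginKey=${1+1}";

    // Unsafe pattern: the value lands inside a normal FTL string literal, so
    // FreeMarker evaluates any ${...} it contains when the template is parsed.
    static String unsafeFtl(String linkUrl) {
        return "<#assign linkUrl=\"" + linkUrl + "\">${linkUrl}";
    }

    // Hardened pattern, both layers from the commit message:
    //  1) URLEncoder turns $, {, }, " and + into %XX escapes, so the value no
    //     longer contains FTL syntax or a quote that could end the literal;
    //  2) the r prefix makes the literal raw, where ${ and \ have no meaning.
    static String hardenedFtl(String linkUrl) throws UnsupportedEncodingException {
        String encoded = URLEncoder.encode(linkUrl, "UTF-8");
        return "<#assign linkUrl=r\"" + encoded + "\">${linkUrl}";
    }

    // Parses and renders an FTL snippet with an empty data model.
    static String render(String ftl) throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_25);
        Template t = new Template("inline", new StringReader(ftl), cfg);
        StringWriter out = new StringWriter();
        t.process(Collections.emptyMap(), out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Unsafe: the ${1+1} part is evaluated, so the output ends in "=2".
        System.out.println(render(unsafeFtl(UNTRUSTED_LINK_URL)));
        // Hardened: the encoded value is emitted verbatim, "%24%7B1%2B1%7D" included.
        System.out.println(render(hardenedFtl(UNTRUSTED_LINK_URL)));
    }
}
```

The raw literal alone only disables ${ and backslash handling inside the literal; it does not change how the literal is terminated, so any value that may contain a double quote still needs encoding or escaping before it is placed there. That is the reason the two layers are independent rather than interchangeable.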

Oliver Lietz committed 1754372 (1 file)
Reviews: none

SLING-5692 Add Integration Tests for Scripting FreeMarker

adjust to updates in Testing PaxExam

Oliver Lietz committed 1753893 (1 file)
Reviews: none

SLING-5692 Add Integration Tests for Scripting FreeMarker

simplify (use test support and default Launchpad Oak Tar configuration)

Oliver Lietz committed 1751792 (21 files)
Reviews: none

SLING-5692 Add Integration Tests for Scripting FreeMarker

merge module org.apache.sling.scripting.freemarker.it into org.apache.sling.scripting.freemarker

sling trunk
Jan le Roux committed 1748286 (2 files)
Reviews: none

A patch from Mohammed Rehan Khan for "Getting console error while reading property value" https://issues.apache.org/jira/browse/OFBIZ-7331

We are getting same console error on following two screens.

Steps to regenerate:
1) Go to eCommerce
2) Click on Register link
3) After click on register link, we can see error on console.

1) Now click on profile link
2) Click on create new contact information link
3) select "postal address" contact type and click on create button
4) After click on create button, we can see error on console.

Console Error:
 Error executing FreeMarker template
     [java] freemarker.template.TemplateModelException: No error description was specified for this error; low-level message: java.lang.ClassNotFoundException: org.ofbiz.base.util.EntityUtilProperties
     [java]
     [java] ----
     [java] FTL stack trace ("~" means nesting-related):
     [java] - Failed at: #assign defaultCountryGeoId = Static[... [in template "component://ecommerce/template/customer/EditContactMech.ftl" at line 185, column 13]
     [java] ----
     [java] at freemarker.ext.beans.ClassBasedModelFactory.get(ClassBasedModelFactory.java:52) ~[freemarker-2.3.24.jar:2.3.24]
     [java] at freemarker.core.DynamicKeyName.dealWithStringKey(DynamicKeyName.java:140) ~[freemarker-2.3.24.jar:2.3.24]
     [java] at freemarker.core.DynamicKeyName._eval(DynamicKeyName.java:75) ~[freemarker-2.3.24.jar:2.3.24]
     [java] at freemarker.core.Expression.eval(Expression.java:81) ~[freemarker-2.3.24.jar:2.3.24]
     [java] at freemarker.core.Dot._eval(Dot.java:41) ~[freemarker-2.3.24.jar:2.3.24]
     [java] at freemarker.core.Expression.eval(Expression.java:81) ~[freemarker-2.3.24.jar:2.3.24]
     [java] at freemarker.core.MethodCall._eval(MethodCall.java:58) ~[freemarker-2.3.24.jar:2.3.24]
     [java] at freemarker.core.Expression.eval(Expression.java:81) ~[freemarker-2.3.24.jar:2.3.24]
     [java] at freemarker.core.Assignment.accept(Assignment.java:134) ~[freemarker-2.3.24.jar:2.3.24]
     [java] at freemarker.core.Environment.visit(Environment.java:326) [freemarker-2.3.24.jar:2.3.24]
     [java] at freemarker.core.Environment.visit(Environment.java:332) [freemarker-2.3.24.jar:2.3.24]
     [java] at freemarker.core.Environment.visit(Environment.java:332) [freemarker-2.3.24.jar:2.3.24]
     [java] at freemarker.core.Environment.visit(Environment.java:332) [freemarker-2.3.24.jar:2.3.24]
     [java] at freemarker.core.Environment.visit(Environment.java:332) [freemarker-2.3.24.jar:2.3.24]
     [java] at freemarker.core.Environment.visit(Environment.java:332) [freemarker-2.3.24.jar:2.3.24]
     [java] at freemarker.core.Environment.process(Environment.java:305) [freemarker-2.3.24.jar:2.3.24]
     [java] at org.ofbiz.base.util.template.FreeMarkerWorker.renderTemplate(FreeMarkerWorker.java:261)

Deepak Yadav committed 1746691 (27 files)
Reviews: none

(OFBIZ-7164) Fix typo in freemarker else tag.

ofbiz trunk
Ashish Pareek committed 1744918 (1 file)
Reviews: none

Applied patch from jira issue - OFBIZ-7103 - FreeMarker template error: Template inclusion failed, on selection bluelight theme.
Thanks Rahul for creating the jira issue and providing the patch for the same.

Ashish Pareek committed 1744849 (1 file)
Reviews: none

Applied bug fix from release branch 14.12 revision - 1744848.
==========================================
Applied bug fix from jira issue - OFBIZ-7074 - Error executing freeMarker template when generating inventory report.
It seems that these changes are being taken care of in trunk and Release15.12 but don't get backported to 14.12 and 13.07. So committing these changes to both the branches.
Thanks so much Ravi for the contribution (creating the issue and providing the patch for the same).
==========================================