Source changes - FishEye

Shows the 20 most recent commits for Apache Freemarker.

Arina Ielchiieva <arina.yelchiyeva@gmail.com> committed 27b6605fab5a52526c2abb5a90c649febe725905 (3 files)
Reviews: none

DRILL-5849: Add freemarker lib to dependencyManagement to ensure proper version is used when resolving dependency version conflicts
closes #977

Lukasz Lenart <lukaszlenart@apache.org> committed 64fa814a5a7d15b40b1f58bcdbafd6651b6ffb13 (1 file)
Reviews: none

WW-4850 Upgrades to the latest FreeMarker version

nmalin committed 1806134 (15 files)
Reviews: none

Implemented: Continue the common-theme upload (OFBIZ-9138 Create a common theme)
Four step load the visualTheme in user session, freemarker, screen, groovy and service context
Add util to resolve easily a visualTheme

ofbiz trunk
Daniel Takamori <pono@apache.org> committed 3965d9ffe2ecc26619e9e5f23403c0c194bfdaa0 (1 file)
Jacopo Cappellato committed 1792018 (3 files)
Reviews: none

Fixed: removed explicit includes of HtmlTemplate.ftl from FreeMarker templates
since this has been deprecated and is no longer supported.
(OFBIZ-9325)

Improved the nextPrev macro by moving some logic from the template to the macro.

Oliver Lietz committed 1785483 (1 file)
Reviews: none

SLING-6603 Update FreeMarker to 2.3.25-incubating

adjust feature

Oliver Lietz committed 1785466 (1 file)
Reviews: none

SLING-6603 Update FreeMarker to 2.3.25-incubating

remove obsolete configuration for boot delegation package

Oliver Lietz committed 1785437 (1 file)
Reviews: none

SLING-6603 Update FreeMarker to 2.3.25-incubating

fix scope

Jan le Roux committed 1784259 (1 file)
Reviews: none

No functional change, related with "Missing reference to the delegator in
framework/widget/templates/HtmlFormMacroLibrary.ftl"
(OFBIZ-9230)

To reproduce

1. Load test data <SystemProperty systemResourceId="widget"
systemPropertyId="widget.autocompleter.defaultMinLength"
systemPropertyValue="3"/>
2. Open https://localhost:8443/partymgr/control/main
3. You will still get warning below in log file


|EntityUtilProperties |I| Could not get a system property for
widget.autocompleter.defaultMinLength : null


jleroux: the reason is in the context of a FTL macro we lose the delegator
(in context) when calling
executeMacro(writer, sr.toString());
from
MacroFormRenderer.renderTextField()
So we need to find a way to pass the delegator to be used when evaluating
the Freemarker template. For now I have simply added a clearer explanation
of the reason.

Thanks: Wei Zhang for report

Michael Blow <mblow@apache.org> committed 1355c269f50e84087ed24cb0ec9f091d2ce19a5a (59 files)
Reviews: none

ASTERIXDB-1720 - Generate License / Notice Files
- Includes Maven plugin to analyze dependencies & assemble LICENSE &
  NOTICE files using Apache FreeMarker templates, formatting to desired
  LICENSE & NOTICE output format.
- LICENSE & NOTICE files for the 'asterix-server', 'asterix-installer',
  and 'asterix-yarn' binary assemblies are generated by the build
- Automated LICENSE & NOTICE file generation for source release is not
  addressed by this patch
- Fixes ASTERIXDB-1311: Add Rome Apache 2.0 License in the LICENSE/NOTICE

Change-Id: I0963a85cb2be47dbf6bfd8c7f6fec767ef32e7e2
Reviewed-on: https://asterix-gerrit.ics.uci.edu/1402
Sonar-Qube: Jenkins <jenkins@fulliautomatix.ics.uci.edu>
Reviewed-by: Till Westmann <tillw@apache.org>
Tested-by: Jenkins <jenkins@fulliautomatix.ics.uci.edu>

asterixdb release-0.9.1
Jacopo Cappellato committed 1771927 (2 files)
Reviews: none

[Implemented]: Upgraded Freemarker to the latest release 2.3.25.

This upgrade fixes the SuppressFBWarnings warnings occurring at compilation time.

Jacopo Cappellato committed 1762227 (15 files)
Reviews: none

Improved: cleanups and enhancements in the FreeMarkerWorker class, and client
code using it, that wraps most of the OFBiz integration with FreeMarker.

This is the list of the main modifications:
* simplified and cleaned up the public methods of FreeMarkerWorker, used to
retrieve and render Freemarker templates and changed client code accordingly to
use them
* removed unused methods in FreeMarkerWorker and made some others private
* improved the integration code in FreeMarkerWorker to better use the Freemarker
API and specifically to leverage the various TemplateLoaders and the Freemarker
caching mechanism; it is now possible to switch the OFBiz legacy template
caching mechanism to use the Freemarker one instead
* improved the implementation of Freemarker template rendering from strings
(used by DataResourceWorker): it now leverages the Freemarker's
StringTemplateLoader that provides the ability to cache the strings, retrieved
from DataResources records, based on the timestamp of the last modification
* moved freemarkerImports.properties from "widget" to "base" component, and
changed its content (and the content of the associated templates
AutoImportTemplate.ftl and HtmlTemplate.ftl) to remove the dependency from base
to widget&common; some resources of "widget" and "common" are still referenced
from AutoImportTemplate.ftl (that is in "base") but even if they are soft
dependencies: if they are missing the system will load properly without any
error or warning; before this change it was impossible to use, or unit test,
FreeMarkerWorker before the "widget" and "common" components were loaded by the
system, now it is possible
* created a new class for unit tests for FreeMarkerWorker, named
FreeMarkerWorkerTests: at the moment it contains just one simple unit test but
more should be implemented
* refactored WebToolsServices.entityImport(...) to leverage the
FreeMarkerWorker.renderTemplate(...) method to run the Freemarker template,
rather than dealing with the Freemarker API directly; this is now possible
thanks to the cleanups and improvements done in the FreeMarkerWorker class; this
same approach should be implemented for a few other similar integration points
(mostly in the "content" component); this is a TODO item
* moved the encodeDoubleQuotes(...) method from FreeMarkerWorker to
MacroFormRenderer and made it private since this is the only class using it and
its logic is not related to FreeMarker

Jan le Roux committed 1761987 (1 file)
Reviews: none

Oops this should not have been removed at r1761986

[CVE-2016-4462] OFBiz template remote code vulnerability
By manipulating the URL parameter externalLoginKey, a malicious, logged in
user could pass valid Freemarker directives to the Template Engine that are
reflected on the webpage; a specially crafted Freemarker template could be
used for remote code execution.

Jan le Roux committed 1761986 (6 files)
Reviews: none

"Applied fix from trunk for revision: 1761978" (conflict handled by hand)
------------------------------------------------------------------------
r1761978 | jleroux | 2016-09-22 18:52:56 +0200 (jeu. 22 sept. 2016) | 15 lignes

Fixes: Sorting of lists generates undesired results
(OFBIZ-8302)

This was due to r1759555, as Scott spotted. r1759555 fixed a vulnerability
but as explained in r1759555 commit message we used
>2 redundant mechanisms (better safe than sorry):
>1) linkUrl = URLEncoder.encode(linkUrl, "UTF-8");
>2) sr.append("\" linkUrl=r\"");

Removing the 1st way fixes the reported issue and we are still safe.

I'll have a look at how the catalog/control/FindProduct URL is generated to be
sure it's OK as is

Thanks: Pierre for report, Scott for spotting the issue.
------------------------------------------------------------------------

[CVE-2016-4462] OFBiz template remote code vulnerability
By manipulating the URL parameter externalLoginKey, a malicious, logged in
user could pass valid Freemarker directives to the Template Engine that are
reflected on the webpage; a specially crafted Freemarker template could be
used for remote code execution.

Jan le Roux committed 1761978 (1 file)
Reviews: none

Fixes: Sorting of lists generates undesired results
(OFBIZ-8302)

This was due to r1759555, as Scott spotted. r1759555 fixed a vulnerability
but as explained in r1759555 commit message we used
>2 redundant mechanisms (better safe than sorry):
>1) linkUrl = URLEncoder.encode(linkUrl, "UTF-8");
>2) sr.append("\" linkUrl=r\"");

Removing the 1st way fixes the reported issue and we are still safe.

I'll have a look at how the catalog/control/FindProduct URL is generated to be
sure it's OK as is

Thanks: Pierre for report, Scott for spotting the issue.

[CVE-2016-4462] OFBiz template remote code vulnerability
By manipulating the URL parameter externalLoginKey, a malicious, logged in
user could pass valid Freemarker directives to the Template Engine that are
reflected on the webpage; a specially crafted Freemarker template could be
used for remote code execution.