Source changes - FishEye

Shows the 20 most recent commits for Apache Freemarker.

Daniel Takamori <pono@apache.org> committed 3965d9ffe2ecc26619e9e5f23403c0c194bfdaa0 (1 file)
Jacopo Cappellato committed 1792018 (3 files)
Reviews: none

Fixed: removed explicit includes of HtmlTemplate.ftl from FreeMarker templates
since this has been deprecated and it is no longer supported.
(OFBIZ-9325)

Improved the nextPrev macro by moving some logic from the template to the macro.

Oliver Lietz committed 1785483 (1 file)
Reviews: none

SLING-6603 Update FreeMarker to 2.3.25-incubating

adjust feature

Oliver Lietz committed 1785466 (1 file)
Reviews: none

SLING-6603 Update FreeMarker to 2.3.25-incubating

remove obsolete configuration for boot delegation package

Oliver Lietz committed 1785437 (1 file)
Reviews: none

SLING-6603 Update FreeMarker to 2.3.25-incubating

fix scope

Jan le Roux committed 1784259 (1 file)
Reviews: none

No functional change, related with "Missing reference to the delegator in
framework/widget/templates/HtmlFormMacroLibrary.ftl"
(OFBIZ-9230)

To reproduce

1. Load test data <SystemProperty systemResourceId="widget"
systemPropertyId="widget.autocompleter.defaultMinLength"
systemPropertyValue="3"/>
2. Open https://localhost:8443/partymgr/control/main
3. You will still get warning below in log file


|EntityUtilProperties |I| Could not get a system property for
widget.autocompleter.defaultMinLength : null


jleroux: the reason is in the context of a FTL macro we lose the delegator
(in context) when calling
executeMacro(writer, sr.toString());
from
MacroFormRenderer.renderTextField()
So we need to find a way to pass the delegator to be used when evaluating
the Freemarker template. For now I have simply added a clearer explanation
of the reason.

Thanks: Wei Zhang for report

Michael Blow <mblow@apache.org> committed 1355c269f50e84087ed24cb0ec9f091d2ce19a5a (59 files)
Reviews: none

ASTERIXDB-1720 - Generate License / Notice Files
- Includes Maven plugin to analyze dependencies & assemble LICENSE &
  NOTICE files using Apache FreeMarker templates, formatting to desired
  LICENSE & NOTICE output format.
- LICENSE & NOTICE files for the 'asterix-server', 'asterix-installer',
  and 'asterix-yarn' binary assemblies are generated by the build
- Automated LICENSE & NOTICE file generation for source release is not
  addressed by this patch
- Fixes ASTERIXDB-1311: Add Rome Apache 2.0 License in the LICENSE/NOTICE

Change-Id: I0963a85cb2be47dbf6bfd8c7f6fec767ef32e7e2
Reviewed-on: https://asterix-gerrit.ics.uci.edu/1402
Sonar-Qube: Jenkins <jenkins@fulliautomatix.ics.uci.edu>
Reviewed-by: Till Westmann <tillw@apache.org>
Tested-by: Jenkins <jenkins@fulliautomatix.ics.uci.edu>

asterixdb release-0.8.9
Jacopo Cappellato committed 1771927 (2 files)
Reviews: none

[Implemented]: Upgraded Freemarker to the latest release 2.3.25.

This upgrade fixes the SuppressFBWarnings warnings occurring at compilation time.

Jacopo Cappellato committed 1762227 (15 files)
Reviews: none

Improved: cleanups and enhancements in the FreeMarkerWorker class, and client
code using it, that wraps most of the OFBiz integration with FreeMarker.

This is the list of the main modifications:
* simplified and cleaned up the public methods of FreeMarkerWorker, used to
retrieve and render Freemarker templates and changed client code accordingly to
use them
* removed unused methods in FreeMarkerWorker and made some others private
* improved the integration code in FreeMarkerWorker to better use the Freemarker
API and specifically to leverage the various TemplateLoaders and the Freemarker
caching mechanism; it is now possible to switch the OFBiz legacy template
caching mechanism to use the Freemarker one instead
* improved the implementation of Freemarker template rendering from strings
(used by DataResourceWorker): it now leverages the Freemarker's
StringTemplateLoader that provides the ability to cache the strings, retrieved
from DataResources records, based on the timestamp of the last modification
* moved freemarkerImports.properties from "widget" to "base" component, and
changed its content (and the content of the associated templates
AutoImportTemplate.ftl and HtmlTemplate.ftl) to remove the dependency from base
to widget&common; some resources of "widget" and "common" are still referenced
from AutoImportTemplate.ftl (that is in "base") but even if they are soft
dependencies: if they are missing the system will load properly without any
error or warning; before this change it was impossible to use, or unit test,
FreeMarkerWorker before the "widget" and "common" components were loaded by the
system, now it is possible
* created a new class for unit tests for FreeMarkerWorker, named
FreeMarkerWorkerTests: at the moment it contains just one simple unit test but
more should be implemented
* refactored WebToolsServices.entityImport(...) to leverage the
FreeMarkerWorker.renderTemplate(...) method to run the Freemarker template,
rather than dealing with the Freemarker API directly; this is now possible
thanks to the cleanups and improvements done in the FreeMarkerWorker class; this
same approach should be implemented for a few other similar integration points
(mostly in the "content" component); this is a TODO item
* moved the encodeDoubleQuotes(...) method from FreeMarkerWorker to
MacroFormRenderer and made it private since this is the only class using it and
its logic is not related to FreeMarker

Jan le Roux committed 1761987 (1 file)
Reviews: none

Oops this should not have been removed at r1761986

[CVE-2016-4462] OFBiz template remote code vulnerability
By manipulating the URL parameter externalLoginKey, a malicious, logged in
user could pass valid Freemarker directives to the Template Engine that are
reflected on the webpage; a specially crafted Freemarker template could be
used for remote code execution.

Jan le Roux committed 1761986 (6 files)
Reviews: none

"Applied fix from trunk for revision: 1761978" (conflict handled by hand)
------------------------------------------------------------------------
r1761978 | jleroux | 2016-09-22 18:52:56 +0200 (jeu. 22 sept. 2016) | 15 lignes

Fixes: Sorting of lists generates undesired results
(OFBIZ-8302)

This was due to r1759555, as Scott spotted. r1759555 fixed a vulnerability
but as explained in r1759555 commit message we used
>2 redundant mechanisms (better safe than sorry):
>1) linkUrl = URLEncoder.encode(linkUrl, "UTF-8");
>2) sr.append("\" linkUrl=r\"");

Removing the 1st way fixes the reported issue and we are still safe.

I'll have a look at how the catalog/control/FindProduct URL is generated to be
sure it's OK as is

Thanks: Pierre for report, Scott for spotting the issue.
------------------------------------------------------------------------

[CVE-2016-4462] OFBiz template remote code vulnerability
By manipulating the URL parameter externalLoginKey, a malicious, logged in
user could pass valid Freemarker directives to the Template Engine that are
reflected on the webpage; a specially crafted Freemarker template could be
used for remote code execution.

Jan le Roux committed 1761978 (1 file)
Reviews: none

Fixes: Sorting of lists generates undesired results
(OFBIZ-8302)

This was due to r1759555, as Scott spotted. r1759555 fixed a vulnerability
but as explained in r1759555 commit message we used
>2 redundant mechanisms (better safe than sorry):
>1) linkUrl = URLEncoder.encode(linkUrl, "UTF-8");
>2) sr.append("\" linkUrl=r\"");

Removing the 1st way fixes the reported issue and we are still safe.

I'll have a look at how the catalog/control/FindProduct URL is generated to be
sure it's OK as is

Thanks: Pierre for report, Scott for spotting the issue.

[CVE-2016-4462] OFBiz template remote code vulnerability
By manipulating the URL parameter externalLoginKey, a malicious, logged in
user could pass valid Freemarker directives to the Template Engine that are
reflected on the webpage; a specially crafted Freemarker template could be
used for remote code execution.

Michael Brohl committed 1761591 (1 file)
Reviews: none

Improved: Remove the creation of the temporary git/svn footer files.

The files were created because of a bug in the TemplateLoader for Freemarker, see OFBIZ-8292. This is fixed so this is not needed anymore.

Thanks: Jacopo for the TemplateLoader fix.

Jacopo Cappellato committed 1761586 (2 files)
Reviews: none

Fix for: Freemarker's ignore_missing attribute of the #include directive was not
working because of an issue in the OFBiz custom TemplateLoader for Freemarker
templates.
(OFBIZ-8292)

The OFBiz custom TemplateLoader now returns null if the resource is missing as
required by the TemplateLoader specification.
Additional cleanups for unused methods in the FreeMarkerWorker class and some
minor fine tuning; improved the way errors are rendered: now the full stack
trace is not shown in the screen but only in the logs.

Thanks: Jacques Le Roux for the report.

Jan le Roux committed 1761392 (5 files)
Reviews: none

Improves: Use ignore_missing option of the <#include Freemarker directive when fixed
(OFBIZ-8292)

This is no functional change except for the flatgrey and bluelight themes, where svn and git info are added

Working on OFBIZ-8250 and after Deepak at OFBIZ-7942 (too bad I missed that :/) I found that the ignore_missing option of the <#include Freemarker directive does not work. I reported to the Freemarker incubating project.
Hopefully this will be fixed. It will then remove the need of creating empty files for the svn and git info footers when building.

In the meantime this provides the change in the themes footers.
I have also added the svn and git info to the flatgrey footer. The result is barely legible there but is also used (include) by the bluelight theme where it's OK
I have also formatted the related div where it was barely legible (too large)

Jinfeng Ni <jni@apache.org> committed 2081d76c9cfa33a796dba8a2676747edeccd9dfe (68 files)
Reviews: none

DRILL-4967: Adding template_name to source code generated using freemarker template.
close apache/drill#629

drill 1.9.0