
Re: security audit: msg#00175

jakarta.velocity.user

Subject: Re: security audit

Actually, I have already gone through the Java API and identified those
methods that shouldn't be allowed to be called from a template. The list is
used in FreeMarker to restrict calls to methods at its default security
level (FreeMarker actually has security levels for accessing methods...)

You can find the list at (watch for line breaks), hope you can have some use
of it.

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/freemarker/freemar
ker/src/freemarker/ext/beans/unsafeMethods.txt?rev=HEAD&content-type=text/pl
ain

I think the methods in this list are quite reasonable to prevent from being
called from a template.

Naturally, that's only part of the solution. If you want to prevent the code
inside the called method from performing System.exit() etc., you have to resort
to the Java security system. Filtering unsafe methods only helps protect
against direct calls to unsafe methods when you can't otherwise affect the
security policy, but is far from complete security. Again, that's about as
much safety as you can guarantee from the template engine level. Additional
security against unsafe calls deeper in the call graph has to come from
properly set up and enforced Java security policy.

Attila.
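
The following is an added example, not part of the original message and not FreeMarker's or Velocity's own code. It sketches the kind of method filter the message describes and shows the gap it points out: a direct call to a listed method is refused, while an unlisted method that reaches the same call one level down passes the filter. The deny-list entries, their signature format, and the `Helper` class are constructed for illustration.

```java
import java.lang.reflect.Method;
import java.util.Set;
import java.util.StringJoiner;

public class UnsafeMethodFilter {
    // Constructed sample entries for this example; not the contents of FreeMarker's list.
    private static final Set<String> UNSAFE = Set.of(
        "java.lang.System.exit(int)",
        "java.lang.Runtime.exec(java.lang.String)",
        "java.lang.Class.forName(java.lang.String)",
        "java.lang.Thread.stop()");

    // Canonical key: declaring class, method name, parameter type names.
    static String signature(Method m) {
        StringJoiner params = new StringJoiner(",", "(", ")");
        for (Class<?> p : m.getParameterTypes()) {
            params.add(p.getName());
        }
        return m.getDeclaringClass().getName() + "." + m.getName() + params;
    }

    static boolean isAllowed(Method m) {
        return !UNSAFE.contains(signature(m));
    }

    // The check a template engine would make before a reflective call.
    static Object invokeFromTemplate(Object target, Method m, Object... args) throws Exception {
        if (!isAllowed(m)) {
            throw new SecurityException("blocked by template method filter: " + signature(m));
        }
        return m.invoke(target, args);
    }

    // Hypothetical application object exposed to templates.
    public static class Helper {
        public void shutdown() { System.exit(0); } // reaches exit() one level down
    }

    public static void main(String[] args) throws Exception {
        Method exit = System.class.getMethod("exit", int.class);
        Method shutdown = Helper.class.getMethod("shutdown");
        try {
            invokeFromTemplate(null, exit, 0);   // direct call: refused before invoke()
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
        // The filter only sees the method being called, not what that method does.
        System.out.println(signature(shutdown) + " allowed: " + isAllowed(shutdown));
    }
}
```

`main` deliberately does not invoke `shutdown()`; it only reports that the filter would let it through, which is the case that has to be covered by the Java security policy.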

