velocity/CVE-2020-13936-3.patch

From aa82d7d8ea65b80b486e1468883f4c352d78fded Mon Sep 17 00:00:00 2001
From: Will Glass-Husain <wglass@forio.com>
Date: Wed, 5 Aug 2020 20:59:36 -0700
Subject: [PATCH] add further tomcat class to restricted list
---
.../org/apache/velocity/runtime/defaults/velocity.properties | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
index fd1063a..5516d53 100644
--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
@@ -268,6 +268,7 @@ introspector.restrict.classes = java.lang.ThreadLocal
# Restrict instance managers for common servlet containers (Tomcat, JBoss, Jetty)
introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
+introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager
introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory
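Review bot: The added `org.apache.tomcat.SimpleInstanceManager` entry extends a hand-maintained denylist, but the comment above it does not say why instance managers are restricted or that the list needs an entry for each container implementation. I would extend that comment with something like `# These classes can instantiate arbitrary classes by name when reachable from a template; add each new container implementation explicitly`. As far as I recall, `introspector.restrict.classes` is matched on the exact class name and is only enforced when the secure uberspector is configured. If so, subclasses and other instance-manager implementations stay reachable, and a deployment on the default uberspector gets no protection from this line; both points are worth confirming against the introspector code, which is not visible in this patch.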
--
2.23.0