Denied resolving class [...] error is shown in custom FreeMarker/Velocity templates (LSV-658)
István Gergely-Tárnoki
Updated on
Issue
Custom FreeMarker and Velocity templates generate the following error after installing a fix pack: Denied resolving class [...] by org.apache
Environment
Liferay DXP 7.0 FP92+
Liferay DXP 7.1 FP18+/SP5+
Liferay DXP 7.2 FP6+/SP2+
Resolution
This behavior is the result of an intentional change made to fix the security vulnerability documented in LSV-658.
In Liferay DXP 7.0, 7.1, and 7.2, the template API gave template authors access to sensitive objects, which allowed remote authenticated users to execute arbitrary code via FreeMarker and Velocity templates. Packages that could be used to escape the template sandbox and achieve remote code execution were therefore added to the restricted list in the Fix Packs listed above.
If you are using a Hotfix that requires one of the Fix Packs indicated above, your installation may be affected as well.
The following packages were added to the default Restricted Packages list in the FreeMarker Engine and Velocity Engine System Settings. If your system uses a customized version of either configuration, the customized value overrides the new default, so review and update your settings accordingly. If you have custom templates that rely on these restricted packages, reconsider their usage before re-enabling them:
com.liferay.portal.spring.context
com.ibm
io.undertow
org.apache
org.glassfish
org.jboss
org.springframework
org.wildfly
weblogic
You can re-enable your template by:
Removing the org.apache package from the restricted packages under Control Panel -> Configuration -> System Settings -> Foundation -> Velocity Engine / FreeMarker Engine, and then
Restarting your server (or restarting the Liferay Portal Template FreeMarker / Liferay Portal Template Velocity bundles through the App Manager).
However, we suggest that you consider alternatives, since these packages were restricted for security reasons: removing org.apache from the list re-opens, for anyone who can edit templates, the sandbox escape that LSV-658 closed.
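To check a customized FreeMarker Engine or Velocity Engine configuration against the LSV-658 package list above, and to see exactly what the re-enable procedure above removes, here is an added audit script. It is example code written for this article, not Liferay code. It assumes the configuration is stored as an Apache Felix .config file under osgi/configs and that the array property is named restrictedPackages (the name of the corresponding field in Liferay's FreeMarkerEngineConfiguration and VelocityEngineConfiguration; adjust the key if yours differs); the package-prefix check is a simplified model of the engine's class resolver, not its actual code. Both sample configurations are constructed for the example.

```python
"""
Audit a Liferay FreeMarker Engine / Velocity Engine OSGi .config file against
the LSV-658 restricted-package list.

Added example, not Liferay code. Assumptions: Apache Felix .config syntax as
used under osgi/configs; the array property is named "restrictedPackages";
is_class_restricted() is a simplified model of the engine's resolver.
"""

# Packages the LSV-658 fix added to the default restricted list (from the article).
LSV_658_PACKAGES = (
    "com.liferay.portal.spring.context",
    "com.ibm",
    "io.undertow",
    "org.apache",
    "org.glassfish",
    "org.jboss",
    "org.springframework",
    "org.wildfly",
    "weblogic",
)


def _split_values(body):
    """Split a comma-separated list of (optionally quoted) values, ignoring trailing commas."""
    return [v.strip().strip('"') for v in body.split(",") if v.strip()]


def parse_config(text):
    """Parse Felix .config text into a dict; array properties become lists of strings."""
    joined = text.replace("\\\n", "")  # honour backslash line continuations
    props = {}
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        # Drop the optional Felix type prefix, e.g. T["a"] or T"a" (assumption on syntax).
        if len(value) > 1 and value[0].isalpha() and value[1] in '["':
            value = value[1:]
        if value.startswith("[") and value.endswith("]"):
            props[key] = _split_values(value[1:-1])
        else:
            props[key] = value.strip('"')
    return props


def missing_restrictions(props, key="restrictedPackages"):
    """Return the LSV-658 packages absent from the configured restricted list."""
    configured = set(props.get(key, []))
    return [p for p in LSV_658_PACKAGES if p not in configured]


def is_class_restricted(class_name, restricted_packages):
    """Simplified model of the engine's check: deny a class whose package is, or is
    nested under, a restricted package (Liferay's exact matching may differ)."""
    return any(class_name == p or class_name.startswith(p + ".")
               for p in restricted_packages)


def merged_restriction_line(props, key="restrictedPackages"):
    """Produce a corrected .config line: existing entries plus any missing LSV-658 ones."""
    merged = list(props.get(key, [])) + missing_restrictions(props, key)
    return key + "=[" + ",".join('"%s"' % p for p in merged) + "]"


# Constructed sample: a customised FreeMarker Engine configuration written before
# the fix pack, so it predates the LSV-658 additions (not a real Liferay default).
CUSTOMIZED_BEFORE_FIX = r'''
# osgi/configs/com.liferay.portal.template.freemarker.configuration.FreeMarkerEngineConfiguration.config
restrictedPackages=[ \
  "com.ibm", \
  "io.undertow", \
  "org.glassfish", \
]
restrictedClasses=["java.lang.Runtime"]
'''

# Constructed sample: the full LSV-658 list with org.apache removed again, which is
# what the re-enable procedure in the article produces.
ORG_APACHE_RE_ENABLED = r'''
restrictedPackages=["com.liferay.portal.spring.context","com.ibm","io.undertow","org.glassfish","org.jboss","org.springframework","org.wildfly","weblogic"]
'''

if __name__ == "__main__":
    for name, text in (("customised pre-fix config", CUSTOMIZED_BEFORE_FIX),
                       ("org.apache re-enabled", ORG_APACHE_RE_ENABLED)):
        props = parse_config(text)
        print(name, "- missing:", missing_restrictions(props))
        print("  corrected line:", merged_restriction_line(props))
```

Run it against the exported .config of each engine before and after applying a fix pack; any non-empty "missing" list means the customized configuration is still overriding the hardened default and needs the merged line written back.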