KeyCloak/keycloak
1
0
Fork 0
mirror of https://github.com/keycloak/keycloak.git synced 2026-05-26 13:50:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Disable FreeMarker ?new() built-in in themes. Closes #47915 (#48280)

Browse Source 
Signed-off-by: Yike Gao <yikegao8@gmail.com>
This commit is contained in:
Yike Gao
2026-04-21 14:45:23 +01:00
committed by GitHub
parent 720b899ba7
commit fa58c07000
2 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/guides/ui-customization/themes.adoc
+3
View File
@@ -377,6 +377,9 @@ Themes can be deployed to {project_name} by copying the theme directory to `them
theme to the `themes` directory, but in production you may want to consider using an `archive`. An `archive` makes it simpler to have a versioned copy of
the theme, especially when you have multiple instances of {project_name} for example with clustering.
WARNING: Themes contain FreeMarker templates that the server renders at runtime, so a malicious template can run code as the {project_name} process. Install themes only from trusted sources, and restrict write access to the `themes` directory and to theme JARs under `providers/` to trusted operators.
.Procedure
. To deploy a theme as an archive, create a JAR archive with the theme resources.
services/src/main/java/org/keycloak/theme/freemarker/DefaultFreeMarkerProvider.java
+2
View File
@@ -13,6 +13,7 @@ import org.keycloak.theme.Theme;
import freemarker.cache.URLTemplateLoader;
import freemarker.core.HTMLOutputFormat;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
@@ -63,6 +64,7 @@ public class DefaultFreeMarkerProvider implements FreeMarkerProvider {
cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);
}
cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
cfg.setTemplateLoader(new ThemeTemplateLoader(theme));
return cfg.getTemplate(templateName, "UTF-8");
}