FreeMarker 1.7.1 contains an important security fix for users of the FileTemplateCache or the FileBinaryCache. The fix prevents templates from accessing content outside the cache root directory.
In previous releases of FreeMarker, template caches could be fooled into retrieving documents outside the template cache directory. This could occur when _all_ of the following circumstances are met:
* The LOAD_ON_DEMAND or NULL_CACHE caching strategies are used
* An unchecked user-supplied variable is passed into a FreeMarker <include> instruction
A malicious user could use this loophole to retrieve files from other parts of the file system, such as password files, etc. FreeMarker 1.7.1 provides a fix for the loophole by checking for relative paths that try to escape the cache directory before retrieving the requested file.
How long has this bug existed in FreeMarker? At least since 1.5.2, and possibly earlier versions have the same issue. Users of FreeMarker who may have vulnerable installations should upgrade to 1.7.1 as soon as possible.