L3 - Default
The user can include arbitrary EL expressions when executing task queries. These expressions could be used for malicious acts such as deleting things...
- it is possible to toggle whether expressions in task queries are evaluated (such as taskAssigneeExpression); default: false
- it is possible to toggle whether expressions in filters are evaluated; default: true
- This (and other ways to submit server-side code such as process deployments) are documented in the user guide (e.g. scripting section); there are references to that section from the upgrade guide, REST API methods and the release notes
- it is possible to avoid remote code execution by setting both flags to false
- with the default settings, only authenticated users who are authorized to create filters may define server-side expressions
- it is no longer possible by default that any authenticated user can execute server-side expressions