incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Jaquith (JIRA)" <>
Subject [jira] Closed: (JSPWIKI-628) Load Plugin resources from classpath
Date Mon, 18 Jan 2010 01:42:54 GMT


Andrew Jaquith closed JSPWIKI-628.

    Resolution: Won't Fix

As described, this enhancement request represents a significant security risk. Allowing a
plugin to load (and possible execute) arbitrary Java classes would be very unwise. This risk
would be compounded by the fact that few servers run JSPWiki with a security manager, meaning
that a malicious party might have the run over the entire server.

That said, if a website operator wishes to change the JSPs to allow particular applets to
load, that would be fine. The can do that today. But having a general purpose classloading
capability, able to be invoked by anyone, is a recipe for trouble. 

But perhaps I misunderstood your request? If I misunderstood, please re-open and re-state...
and make sure you document any security considerations that would be part of this enhancement.

> Load Plugin resources from classpath
> ------------------------------------
>                 Key: JSPWIKI-628
>                 URL:
>             Project: JSPWiki
>          Issue Type: Improvement
>    Affects Versions: 2.8.3
>            Reporter: J├╝rgen Weber
> Some plugins require the browser to load files. E.g. the FreeMindPlugin needs the browser
to load the applet's classes, or another plugin might need some flash code.
> Currently the solution is to attach these files to a page which has the sole purpose
of having the attachment. This is kind of awkward.
> JSPWiki should have a mechanism (in JSPFilter?) which would load the file from the classpath.
So for FreeMind the FreeMindPlugin.jar would additionally contain freemindbrowser.jar. The
plugin would generate some markup that would make the Filter recognize that the parameter
is to be loaded from classpath, e.g. <wiki:IncludeResource freemindbrowser.jar>
> I guess this could be done with a PageFilter, too, but the idea is to make installing
plugins easier and having to add a filters.xml would be counterproductive, so the mechanism
should go into core.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message