incubator-jspwiki-dev mailing list archives

From "Murray Altheim (JIRA)" <>
Subject [jira] Commented: (JSPWIKI-628) Load Plugin resources from classpath
Date Tue, 19 Jan 2010 05:10:54 GMT


Murray Altheim commented on JSPWIKI-628:

Having written quite a number of plugins myself, I must agree with Andrew on this, i.e., that
this should not be part of the core distribution. I have a number of plugins (such as the
GroovyPlugin) that are very useful for me working locally or within an intranet environment,
but completely unsuitable for use in a public, production environment. 

After all the effort that has lately gone into improving security, and considering the increasing
sophistication of security attacks, it would seem very counterproductive to add a new feature
that potentially opens a large security hole in the code, particularly considering the wholesale
damage that could be done in a wiki environment. It's hard to warrant any new features that
decrease security. For this reason alone I think it prudent to develop this plugin independently,
post it or a link to it on the JSPWiki site, and include appropriate warnings (as we do elsewhere)
on use of the plugin on public wiki sites. 

It may be very useful in secure environments but if it's part of the core distribution it
becomes part of every installation, which could be problematic. Admins who want this functionality
and understand the risks can easily install the plugin.

> Load Plugin resources from classpath
> ------------------------------------
>                 Key: JSPWIKI-628
>                 URL:
>             Project: JSPWiki
>          Issue Type: Improvement
>    Affects Versions: 2.8.3
>            Reporter: Jürgen Weber
> Some plugins require the browser to load files. E.g. the FreeMindPlugin needs the browser
> to load the applet's classes, or another plugin might need some flash code.
> Currently the solution is to attach these files to a page which has the sole purpose
> of having the attachment. This is kind of awkward.
> JSPWiki should have a mechanism (in JSPFilter?) which would load the file from the classpath.
> So for FreeMind the FreeMindPlugin.jar would additionally contain freemindbrowser.jar. The
> plugin would generate some markup that would make the Filter recognize that the parameter
> is to be loaded from classpath, e.g. <wiki:IncludeResource freemindbrowser.jar>
> I guess this could be done with a PageFilter, too, but the idea is to make installing
> plugins easier and having to add a filters.xml would be counterproductive, so the mechanism
> should go into core.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
