velocity-user mailing list archives

From Will Glass-Husain <wglasshus...@gmail.com>
Subject Re: Should I use velocity?
Date Wed, 31 Mar 2010 14:53:26 GMT
Hi,

All of this only applies if you have untrusted users uploading templates.
If you are writing templates, no problem.  But if other users upload
templates to your system, you need to be careful.

Template authors may call methods on any object you put in the context.
This is very convenient but means you have to be careful about your
objects.  Best practice is to wrap objects and provide only Get methods for
the specific properties.  I think the SecurityManager advice is overkill.

You may see references in that article or in the list to an older problem in
which you could call ClassLoader related methods, instantiate a class, then
call arbitrary methods on arbitrary objects.  That bug has been long fixed
with the introduction of the SecureIntrospector which restricts class loader
related method calls.

WILL

On Wed, Mar 31, 2010 at 7:31 AM, sebb <sebbaz@gmail.com> wrote:

> The Wiki page
>
> http://wiki.apache.org/velocity/BuildingSecureWebApplications
>
> has some good advice:
>
> "It's good practice to configure a Java Security Manager to restrict
> access to files (outside of the web tree and template paths) and
> dangerous methods such as System.exit() and getClassLoader. "
>
>
> On 31/03/2010, Alexander Krasnukhin <the.malkolm@gmail.com> wrote:
> > Yep, I did mean invoke any public method for any object in context. So do
> > as somebody already said - pass immutable objects to prevent malicious
> > actions from custom template e.g. it isn't a good decision to pass 'alive'
> > business object as is to Velocity context.
> >
> >
> >  On 31 March 2010 05:25, ChadDavis <chadmichaeldavis@gmail.com> wrote:
> >
> >  > On Tue, Mar 30, 2010 at 4:22 PM, Treague, Keith
> >  > <Keith.Treague@merrillcorp.com> wrote:
> >  > > Can you please elaborate how?
> >  > >
> >  >
> >  > I don't think he means arbitrary exactly, but the Velocity Template
> >  > Language allows you to invoke methods, like myObject.myMethod().  So,
> >  > any object in the velocity context is subject to any of its public
> >  > methods being invoked.
> >  >
> >  > ---------------------------------------------------------------------
> >  > To unsubscribe, e-mail: user-unsubscribe@velocity.apache.org
> >  > For additional commands, e-mail: user-help@velocity.apache.org
> >  >
> >  >
> >
> >
> >
> > --
> >  Regards,
> >
> > Alexander
> >
>

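The two controls discussed in the thread, side by side, as an added example that is not code from the thread or from the Velocity project: a "live" business object whose public methods are all reachable from VTL, the read-only wrapper the posters recommend, and an engine configured with Velocity's SecureUberspector (the class that installs the SecureIntrospector Will refers to). It assumes Velocity 1.7 (org.apache.velocity:velocity:1.7); Account and AccountView are hypothetical names, and the three templates are constructed input standing in for what an untrusted author might upload.

```java
import java.io.StringWriter;
import java.util.Arrays;
import java.util.List;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.exception.VelocityException;
import org.apache.velocity.runtime.RuntimeConstants;

/**
 * Added example, not from the thread. Assumes Velocity 1.7
 * (org.apache.velocity:velocity:1.7); Account and AccountView are hypothetical.
 */
public class TemplateSandboxDemo {

    /** "Alive" business object: every public method is callable from VTL. */
    public static class Account {
        private final String owner;
        private long balanceCents;
        public Account(String owner, long balanceCents) {
            this.owner = owner;
            this.balanceCents = balanceCents;
        }
        public String getOwner() { return owner; }
        public long getBalanceCents() { return balanceCents; }
        /** Side effect a template author must never be able to trigger. */
        public void close() { balanceCents = 0; }
    }

    /** Read-only wrapper: only the getters template authors are meant to use. */
    public static final class AccountView {
        private final Account target;
        public AccountView(Account target) { this.target = target; }
        public String getOwner() { return target.getOwner(); }
        public long getBalanceCents() { return target.getBalanceCents(); }
    }

    /** Engine that uses the SecureUberspector and strict reference handling. */
    static VelocityEngine secureEngine() {
        VelocityEngine ve = new VelocityEngine();
        // SecureUberspector refuses class-loader related calls from templates.
        ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        // Strict mode: a missing or refused method raises an exception instead
        // of the reference being silently echoed or swallowed.
        ve.setProperty(RuntimeConstants.RUNTIME_REFERENCES_STRICT, "true");
        ve.init();
        return ve;
    }

    /** Renders an untrusted template against one context object; never rethrows. */
    static String render(VelocityEngine ve, Object account, String template) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("account", account);
        StringWriter out = new StringWriter();
        try {
            ve.evaluate(ctx, out, "user-template", template);
            return out.toString();
        } catch (VelocityException e) {
            return "REJECTED (" + e.getClass().getSimpleName() + "): " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        VelocityEngine ve = secureEngine();
        // Constructed untrusted templates: one benign, two hostile.
        List<String> templates = Arrays.asList(
                "Hello $account.owner, balance=$account.balanceCents",
                "$account.close()",
                "$account.class.classLoader");

        for (String t : templates) {
            // 1) Live object in the context: close() is public, so the template can run it.
            Account live = new Account("alice", 1250);
            String liveOut = render(ve, live, t);
            long afterLive = live.getBalanceCents();

            // 2) Wrapper in the context: close() does not exist on the view.
            Account wrapped = new Account("alice", 1250);
            String viewOut = render(ve, new AccountView(wrapped), t);
            long afterView = wrapped.getBalanceCents();

            System.out.println("template: " + t);
            System.out.println("  live : " + liveOut + "  (balance now " + afterLive + ")");
            System.out.println("  view : " + viewOut + "  (balance now " + afterView + ")");
        }
    }
}
```

Running it shows why the two controls are not interchangeable. The `$account.class.classLoader` template is refused by the SecureUberspector whether the live object or the view is in the context, which is the engine-side fix for the older class-loader problem. The `$account.close()` template, however, is an ordinary public method call that the introspector has no reason to refuse: against the live object it runs and the printed balance drops to 0 before any exception is raised, while against the view it is rejected and the balance stays at 1250. Only the wrapper prevents that, which is the point the thread makes about not putting "alive" business objects in the context.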