velocity-user mailing list archives

From "Geir Magnusson Jr." <ge...@optonline.net>
Subject Re: mergeTemplate() bug under Windows
Date Wed, 28 Mar 2001 18:20:01 GMT
Dan Finkelstein wrote:
> 
> Thanks Geir, we are using the first workaround you suggest -- calling
> Velocity.evaluate() and that works fine for us.  I now understand why the
> API was formed this way, but it can lead the unsuspecting down an unclear path.

Where else would you want to lead them? :)

I will get that documented somewhere.  I have the Javadoc done, as I was
working on the 'mergeTemplateFile()' method, waiting for some other
opinion.  With none apparently forthcoming...

> In our case, we had called
> 
>                          p.setProperty("resource.loader.1.resource.path", "/");
> 
> and essentially disabled the path support.  In this case, the "/" and an
> input filename of "C:/template.html" were converted to "/C:/template.html"
> by Velocity.

Hm. I wonder if you could have used 

  p.setProperty("resource.loader.1.resource.path", "c:/");

and then dropped the "c:" off of the template name.

I will try and test this later if no one beats me to it...

geir

> Thanks again,
> Dan
> 
> At 10:59 AM 3/27/01 -0500, you wrote:
> >Dan Finkelstein wrote:
> > >
> > > Hi --
> > >
> > > We've noticed the following problem in Velocity.  Under Windows, the
> > > following call
> > >
> > >         Velocity.mergeTemplate("C:/builds/template.html", ctx, fw);
> > >
> > > will fail.  (The slashes could be backslashes and the same problem occurs.)
> > >
> > > Internally, Velocity prepends a / character to "C:/builds/template.html"
> > > which makes the filename specification invalid, and the file can't be
> > > retrieved.
> >
> >The problem is that mergeTemplate() is using the usual resource loaders,
> >which prevent you from 'escaping' out of the template paths setup by the
> >Velocity configuration.
> >
> >Now, that is a security feature, intended for web use, to prevent sites
> >that may include a template name as part of the URL from allowing access
> >outside of the designated template paths setup by the administrator.
> >
> >I think this is a good feature as is because it allows an application to
> >get the advantages of the different loaders, but I also see where a
> >general application wouldn't want or need that extra burden of requiring
> >setup of the file resource loader to allow access from 'root', and it
> >gets even worse with the non-UNC file paths in Windows (C:\, D:\, E:\)
> >
> >So, for now
> >
> >1) As a workaround, you can simply read in your template as a stream,
> >and pass that to Velocity.evaluate() to get the same results.
> >
> >2) [PROPOSAL]  If no one objects, or has any better ideas (and I am sure
> >someone will), I am happy to add another method :
> >
> >    mergeTemplateFile( filename, context, writer)
> >
> >as a helper utility that avoids the configured loader, and gets the
> >resource directly from the filesystem using the filename argument
> >directly.
> >
> >geir
> >
> >
> >--
> >Geir Magnusson Jr.                               geirm@optonline.net
> >Developing for the web?  See http://jakarta.apache.org/velocity/

-- 
Geir Magnusson Jr.                               geirm@optonline.net
Developing for the web?  See http://jakarta.apache.org/velocity/
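Added example, not code from this thread or from the Velocity project: it shows the two behaviours discussed above side by side, the loader-style confinement that keeps a client-supplied template name inside the configured template root (the "security feature" Geir describes), and the workaround of reading a file yourself and handing a Reader to Velocity.evaluate(), which bypasses the loaders entirely. It assumes the Velocity `Velocity.init()` and `Velocity.evaluate(Context, Writer, String, Reader)` signatures and Java 11+; `resolveConfined` and `mergeTemplateFile` are names chosen here (the latter modelled on the proposal in the thread, not on any project implementation), and the template content is constructed for the demonstration.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;

public class ConfinedTemplateMerge {

    /**
     * Resolve a template name against one configured template root and refuse
     * anything that would land outside it. This is the confinement the resource
     * loaders give mergeTemplate(): a name taken from a URL cannot reach files the
     * administrator did not put under the template path.
     */
    static Path resolveConfined(Path templateRoot, String requestedName) throws IOException {
        Path root = templateRoot.toAbsolutePath().normalize();

        // Treat the name as relative to the root even when it looks absolute.
        // On Windows "C:/builds/x.html" has root "C:\" and becomes "builds\x.html";
        // on Unix "C:/builds/x.html" is already relative (just a directory named "C:"),
        // which is exactly the "/C:/template.html" effect reported in the thread.
        Path relative = Paths.get(requestedName);
        if (relative.isAbsolute()) {
            relative = relative.getRoot().relativize(relative);
        }

        Path candidate = root.resolve(relative).normalize();
        // normalize() folds "../" segments, so an escape shows up as a prefix mismatch.
        if (candidate.equals(root) || !candidate.startsWith(root)) {
            throw new IOException("template name escapes the template root: " + requestedName);
        }
        return candidate;
    }

    /**
     * The workaround from the thread: read the file yourself and pass a Reader to
     * Velocity.evaluate(), which does not consult the configured loaders. Because
     * nothing confines the path here, only use it with file names the application
     * itself controls, never with names taken from a request.
     */
    static String mergeTemplateFile(Path file, VelocityContext ctx) throws Exception {
        StringWriter out = new StringWriter();
        try (Reader in = Files.newBufferedReader(file)) {
            Velocity.evaluate(ctx, out, "mergeTemplateFile", in);
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Velocity.init();

        // Constructed sample: one template under a throw-away root directory.
        Path root = Files.createTempDirectory("templates");
        Files.writeString(root.resolve("hello.vm"), "Hello $name!");

        VelocityContext ctx = new VelocityContext();
        ctx.put("name", "world");

        // Request-style names: a plain name merges, a traversal attempt is rejected,
        // and an "absolute" name is re-rooted under the template root.
        for (String name : new String[] {"hello.vm", "../../etc/passwd", "/hello.vm"}) {
            try {
                Path p = resolveConfined(root, name);
                System.out.println(name + " -> " + p + " : " + mergeTemplateFile(p, ctx));
            } catch (IOException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The split between the two methods is the point: resolveConfined is what you want in front of any name that arrives from outside the application, while mergeTemplateFile is only safe once the caller has decided which file to open. Note that resolveConfined checks the lexical path only; if the template root can contain symlinks, resolve the candidate with toRealPath() and repeat the startsWith check on the result.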
