velocity-user mailing list archives

From Dan Finkelstein <dan.finkelst...@emind.com>
Subject Re: mergeTemplate() bug under Windows
Date Wed, 28 Mar 2001 17:16:39 GMT
Thanks Geir, we are using the first workaround you suggest -- calling 
Velocity.evaluate() and that works fine for us.  I now understand why the 
API was formed this way, but it can lead the unsuspecting down an unclear path.

In our case, we had called

                         p.setProperty("resource.loader.1.resource.path", "/");

and essentially disabled the path support.  In this case, the "/" and an 
input filename of "C:/template.html" were converted to "/C:/template.html" 
by Velocity.

Thanks again,
Dan


At 10:59 AM 3/27/01 -0500, you wrote:
>Dan Finkelstein wrote:
> >
> > Hi --
> >
> > We've noticed the following problem in Velocity.  Under Windows, the
> > following call
> >
> >         Velocity.mergeTemplate("C:/builds/template.html", ctx, fw);
> >
> > will fail.  (The slashes could be backslashes and the same problem occurs.)
> >
> > Internally, Velocity prepends a / character to "C:/builds/template.html"
> > which makes the filename specification invalid, and the file can't be
> > retrieved.
>
>The problem is that mergeTemplate() is using the usual resource loaders,
>which prevent you from 'escaping' out of the template paths set up by the
>Velocity configuration.
>
>Now, that is a security feature, intended for web use, to prevent sites
>that may include a template name as part of the URL from allowing access
>outside of the designated template paths set up by the administrator.
>
>I think this is a good feature as is because it allows an application to
>get the advantages of the different loaders, but I also see where a
>general application wouldn't want or need that extra burden of requiring
>setup of the file resource loader to allow access from 'root', and it
>gets even worse with the non-UNC file paths in Windows (C:\, D:\, E:\).
>
>So, for now
>
>1) As a workaround, you can simply read in your template as a stream,
>and pass that to Velocity.evaluate() to get the same results.
>
>2) [PROPOSAL]  If no one objects, or has any better ideas (and I am sure
>someone will), I am happy to add another method :
>
>    mergeTemplateFile( filename, context, writer)
>
>as a helper utility that avoids the configured loader, and gets the
>resource directly from the filesystem using the filename argument
>directly.
>
>geir
>
>
>--
>Geir Magnusson Jr.                               geirm@optonline.net
>Developing for the web?  See http://jakarta.apache.org/velocity/
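The path confinement Geir describes, modelled in Python as an added example (not Velocity's own loader code): template names are joined beneath a configured root and must stay there, drive-qualified Windows names are rejected instead of being turned into the "/C:/..." form reported above, and a root of "/" is shown to confine nothing. TEMPLATE_ROOTS and all function names are assumptions made here.

```python
import posixpath

# Configured template roots, in the role of the thread's
# "resource.loader.1.resource.path" property (constructed sample values).
TEMPLATE_ROOTS = ["/var/app/templates", "/var/app/shared"]


class TemplateEscapeError(Exception):
    """Raised when a template name would resolve outside every configured root."""


def naive_join(root: str, name: str) -> str:
    """The join the thread reports: the name is simply hung below the root.

    With root "/" and name "C:/template.html" this yields "/C:/template.html",
    which is not a valid Windows path.
    """
    return root.rstrip("/") + "/" + name.lstrip("/")


def is_drive_qualified(name: str) -> bool:
    """True for Windows names such as "C:/x" or "C:\\x" (drive letter + colon)."""
    return len(name) >= 2 and name[0].isalpha() and name[1] == ":"


def resolve_template(roots, name: str) -> str:
    """Resolve `name` beneath the first configured root it stays inside of.

    Models what a path-restricted loader gives you: the normalized result must
    still lie beneath the root, so "../" sequences cannot escape it. Note that
    a root of "/" contains every path and therefore confines nothing.
    """
    slashed = name.replace("\\", "/")
    if is_drive_qualified(slashed):
        # A drive-qualified name cannot sit beneath a root; reject it outright
        # rather than producing the "/C:/..." form seen on the list.
        raise TemplateEscapeError(f"drive-qualified template name: {name!r}")
    for root in roots:
        base = posixpath.normpath(root.replace("\\", "/"))
        candidate = posixpath.normpath(naive_join(base, slashed))
        if candidate == base or candidate.startswith(base.rstrip("/") + "/"):
            return candidate
    raise TemplateEscapeError(f"template name escapes configured roots: {name!r}")


def is_allowed(roots, name: str) -> bool:
    """Convenience predicate: True when `name` resolves inside some root."""
    try:
        resolve_template(roots, name)
        return True
    except TemplateEscapeError:
        return False
```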

