velocity-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Geir Magnusson Jr." <>
Subject Re: template encodings
Date Mon, 16 Jul 2001 22:47:15 GMT
Jonathan Revusky wrote:
> David Kinnvall wrote:
> >
> > From: "Jonathan Revusky" <>
> > > David Kinnvall wrote:
> > > > /etc/passwd is absolute and exists. Or am I missing something?
> > >
> > > Yes, I think you are definitely missing something. That's why there are
> > > security mechanisms in the OS and in the JVM. Modern computing is built
> > > on many levels and it is not really the role of template engine code to
> > > set security policies. Developers of code at that level of the equation
> > > should concentrate on making their product usable.
> >
> > It was an example. I agree with the rest you say, however.
> >
> > > Similarly, if I gave an XML parser an absolute path to a file to parse,
> > > it should not refuse to parse it in my better interests etcetera. I
> > > would consider that equally inappropriate.
> >
> > Indeed. To allow using templates with absolute paths in
> > any directory you wish _is_ a configuration option, though.
> Yes, I have been told that and I know that.
> >
> > > The use of '.' as a default is clearly broken, since it will basically
> > > never do anything useful. IMO, the default should probably be reading
> > > relative to the classloader and then system classpaths. I also think
> > > that if somebody says getTemplate("/full/path/to/file") it should fish
> > > out the template. At least in the default, out-of-the-box configuration,
> > > because you will definitely create scenarios where people bang their
> > > heads against the wall not understanding what is wrong.
> >
> > You are of course entitled to your opinion. To make what
> > you suggest the default in Velocity should be discussed
> > a bit more however, to find out whether it is indeed the
> > wish of the majority.
> I don't care that much really. I do agree that the use of absolute paths
> should be discouraged. I'm not sure that I can take the security hole
> argument that seriously, because I think it's pretty tenuous. As long as
> you don't put the raw templates somewhere that's visible to the outside
> world, I don't for the life of me see the issue. It's just that the
> approved pattern is surely to specify resources relative to the insides
> of a .war file. So these things should be loaded relative to the
> classloader classpath.

I was really trying to stay out of this hoping you would run out of
steam on this, but I can't resist here.

The core Velocity resource loaders have *no* notion of the concept of
running in a servlet engine, let alone a WAR file.  Velocity is general
purpose, not made for the web.  Therefore, the configuration assuptions
MUST be general.  This is why I say that while '.' isn't perfect, "/"
isn't either, because somone somewhere will not like the choice made.

That said, we provide a convenience base class 'VelcityServlet' which
offers a *suggestion* of how to use Velocity in a servlet environment,
but no demands - you don't have to use it.

Further, you can use servlet_example2, which does establish the root of
the webapp as the template path automaticall in a container that
supports it, so as a newbie user, you don't have to do anything to set
it up and just ask for templates relative to 'root', in this case the
root of the webapp.  And you don't even have to read the documentation.

> OTOH, the classloader classpath is *not* the default. The *default* is
> to load relative to '.' the current working directory and that really is
> useless AFAICS.
> Now, I still would argue that if somebody actually does specify an
> absolute file location in a call to getTemplate() that it should work in
> the out-of-the-box configuration. But hey, it's not *my* library, so all
> I can do is give my opinion on that and my reasoning.
> >
> > > Your example is silly, contrived really, because a naive template coder
> > > is not going to code #include "/etc/passwd" in a template anyway. Those
> > > people develop on Windows or Mac and don't even know that /etc/passwd
> > > exists.
> >
> > It was an example, contrived or not, of the fact that
> > there may very well be files accessible, with no OS
> > protection, that I do not wish template developers to
> > have access to, intentionally or not. If you are so
> > obviously determined to understand otherwise, I give
> > up this part of the discussion. It serves no purpose.
> Well, then the same argument applies to what you're telling me above. If
> the default were that absolute pathnames worked, you could change the
> configuration!
> I'm not talking about a deployment situation anyway. I'm talking about a
> situation where a newbie downloads the ruddy thing and tries to get a
> simple example going on his local box. IMO, this scenario should be made
> as easy as is possible! Like, c'mon, what security issue is there when
> you're trying to get Hello, World to run?

Yes - and there is an example that does it 'out of the box' including
simple README on how to do it.  No cofiguration needed.  If that is too
damn difficult, I will make a WAR and include that.  If that doesn't
work, maybe well offer onsite setup and demonstrations...

> >
> > > > Serious developers definitely read the documentation.
> > > > To suggest otherwise makes your case substantially weaker.
> > >
> > > This is utter bullshit. "Serious" developers do not *definitely* read
> > > the documentation. You (and Geir) will be well served to realize this.
> >
> > Right...
> >
> > > Serious developers typically start with the "Hello, World" example and
> > > start hacking around and trying to figure out how to do what they need
> > > to do from there.
> >
> > You have a different definition of serious developer than I do.
> > That is ok, but don't try to enforce your definition upon the
> > rest of the world, please.
> I don't know how many people would meet your definition of "serious
> developer".
> >
> > > If you claimed to me that you always fully read the documentation when
> > > trying to use something, I wouldn't even believe you. I would suspect
> > > insincerity.
> >
> > Did I claim that? No. I do claim, however, that I _do_
> > read enough docs to know what I am supposed to do to get
> > started, and to get a feel for what the developers intends
> > with their creation. How silly of me.
> No, I guess you didn't claim that about yourself. You made some claim
> about "serious developers" and I inferred that you were self-classifying
> as one. You did not even explicitly say that you were a "serious
> developer".
> I'm not that concerned with whether I myself am a "serious developer". I
> have some good work habits and some not so good ones. I usually get the
> job done. I do not have infinite patience when it comes to rooting
> around in docs though. I would venture to say that most people don't.
> >
> > > Look, I don't want to argue with you. You suffer from the same disease
> > > and, judging by what you're saying, you're a far worse gone case.
> >
> > Why, thank you. How nice of you. And constructive.
> You seem to be trying to be more reasonable now. I am trying too, so
> I'll retract that.
> >
> > > I did overreact to Geir. I was not in a good mood. I had a good night's
> > > sleep and feel more conciliatory. Look, overall, Geir is basically a
> > > good guy and he's right to keep trying to improve the documentation. But
> > > to think that everybody always reads the docs thorougly is outright
> > > silly. I don't think such nonsense should be encouraged.
> >
> > You did indeed overreact.
> >
> > Not in a good mood? You mean you are in a better
> > mood now? I would say that your accusation of me
> > suffering from some disease and being a "worse
> > gone case" is not a sign of being in a good mood.
> >
> > Geir is indeed a nice guy, as far as I have seen.
> Yeah, actually he seems okay. He is enthusiastic about Velocity and is
> putting a lot of work into it and that's good. Actually, he probably is
> more receptive to input than is readily obvious. He seems to spend huge
> energy justifying -- in cases, where somebody is not even making a
> criticism. I *never* said that the template encodings didn't work, yet
> he has repeatedly responded, as if I had indeed said that! I find it
> befuddling.

I kept responding because you didn't clearly get what I was saying, and
it appeared to me that you were confusing with the procedural
commonality of content created in the same encoding as the user base
with the technical procedure that Velocity goes through to handle
encodings.  What I was trying to say is that the input decoding process
is completely decoupled from the output encoding, something which
velocity doesn't need to worry about by design, as it takes a generic
Writer for rendering.

> >
> > I did not, nor did anyone else, suggest thet everybody
> > should, or does, read the docs _thoroughly_. I did however
> > suggest that I, and those I defined as serious developers,
> > read the docs to find out how things are supposed to be
> > setup for proper usage. Is that too much to ask?
> The general gamut of human behavior is what it is and neither you nor I
> are going to change it. I think that insisting that something is in the
> docs, therefore there's no issue, is naive. The fact that a command in a
> makefile must start with a literal tab character and not 4 or 8 spaces
> is in the docs somewhere, but I consider that to be pretty broken also.

That's why we use ant.


Geir Magnusson Jr.                 
System and Software Consulting
Developing for the web?  See
You have a genius for suggesting things I've come a cropper with!

View raw message