velocity-user mailing list archives

From Jonathan Revusky <jrevu...@terra.es>
Subject Re: template encodings
Date Mon, 16 Jul 2001 23:35:02 GMT
"Geir Magnusson Jr." wrote:
> 
> Jonathan Revusky wrote:
> >
> > David Kinnvall wrote:
> > >
> > > From: "Jonathan Revusky" <jrevusky@terra.es>
> > > > David Kinnvall wrote:
> > > > > /etc/passwd is absolute and exists. Or am I missing something?
> > > >
> > > > Yes, I think you are definitely missing something. That's why there are
> > > > security mechanisms in the OS and in the JVM. Modern computing is built
> > > > on many levels and it is not really the role of template engine code to
> > > > set security policies. Developers of code at that level of the equation
> > > > should concentrate on making their product usable.
> > >
> > > It was an example. I agree with the rest you say, however.
> > >
> > > > Similarly, if I gave an XML parser an absolute path to a file to parse,
> > > > it should not refuse to parse it in my better interests etcetera. I
> > > > would consider that equally inappropriate.
> > >
> > > Indeed. To allow using templates with absolute paths in
> > > any directory you wish _is_ a configuration option, though.
> >
> > Yes, I have been told that and I know that.
> >
> > >
> > > > The use of '.' as a default is clearly broken, since it will basically
> > > > never do anything useful. IMO, the default should probably be reading
> > > > relative to the classloader and then system classpaths. I also think
> > > > that if somebody says getTemplate("/full/path/to/file") it should fish
> > > > out the template. At least in the default, out-of-the-box configuration,
> > > > because you will definitely create scenarios where people bang their
> > > > heads against the wall not understanding what is wrong.
> > >
> > > You are of course entitled to your opinion. To make what
> > > you suggest the default in Velocity should be discussed
> > > a bit more however, to find out whether it is indeed the
> > > wish of the majority.
> >
> > I don't care that much really. I do agree that the use of absolute paths
> > should be discouraged. I'm not sure that I can take the security hole
> > argument that seriously, because I think it's pretty tenuous. As long as
> > you don't put the raw templates somewhere that's visible to the outside
> > world, I don't for the life of me see the issue. It's just that the
> > approved pattern is surely to specify resources relative to the insides
> > of a .war file. So these things should be loaded relative to the
> > classloader classpath.
> 
> I was really trying to stay out of this hoping you would run out of
> steam on this, but I can't resist here.
> 
> The core Velocity resource loaders have *no* notion of the concept of
> running in a servlet engine, let alone a WAR file.  Velocity is general
> purpose, not made for the web.  Therefore, the configuration assumptions
> MUST be general.  This is why I say that while '.' isn't perfect, "/"
> isn't either, because someone somewhere will not like the choice made.

Well, you do seem argumentative, Geir. You certainly *can* make loading
from the classpath the default behavior whether you have a servlet or
not. (Meanwhile, in practice, 99% of your user base is using Velocity
for servlets probably...) But for better or for worse, stand-alone Java
apps also have a classpath. I mean, it's like there's this argumentative
compulsion to imply that I'm just not getting it somehow...

(You don't know me, I know, but I really am a very strong Java
developer, you know... I do understand this stuff! :-))

Jonathan Revusky
--
available for Java/Delphi/Internet consulting
If you want to...
- make your .class files double-clickable with SmartJ
- do Delphi/Java mixed programming with easy-to-use JNI wrapper classes
- build robust web applications with the Niggle Application Framework
then...
check out the Revusky Hacks Page: http://www.revusky.com/hacks/
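The thread argues over whether a template engine should honour `getTemplate("/full/path/to/file")` by default or confine lookups to a configured root (with the classpath as the suggested out-of-the-box root). The following is an added example, not Velocity's own code and not from any participant in the thread: a small locator that shows what "discouraging absolute paths" looks like as an actual check, refusing absolute names and names that canonicalise outside the root. The root directory, the `hello.vm` file and the `ConfinedTemplateLocator` class name are all assumptions made for the example.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;

/**
 * Added example (not Velocity code): confines template lookups to one root
 * directory so a template name can never point at an arbitrary file such
 * as /etc/passwd, whether via an absolute path or via "..".
 */
public class ConfinedTemplateLocator {

    private final File root; // canonical template root (assumed: any directory you choose)

    public ConfinedTemplateLocator(File root) throws IOException {
        // Canonicalise once so symlinks in the root itself do not confuse the prefix check.
        this.root = root.getCanonicalFile();
    }

    /**
     * Resolves a template name against the root.
     * Returns null when the name is empty, absolute, or escapes the root after
     * canonicalisation (".." segments or symlinks pointing outside it).
     */
    public File locate(String name) throws IOException {
        if (name == null || name.length() == 0) {
            return null;
        }
        if (new File(name).isAbsolute()) {
            return null; // absolute paths are refused outright
        }
        File candidate = new File(root, name).getCanonicalFile();
        // Require the canonical candidate to sit strictly below the root.
        String rootPrefix = root.getPath() + File.separator;
        if (!candidate.getPath().startsWith(rootPrefix)) {
            return null; // "../" or a symlink walked out of the root
        }
        return candidate;
    }

    // Stand-alone demonstration on a constructed temporary template directory.
    public static void main(String[] args) throws IOException {
        File root = new File(System.getProperty("java.io.tmpdir"), "confined-templates-demo");
        root.mkdirs();
        File hello = new File(root, "hello.vm");
        FileWriter w = new FileWriter(hello);
        w.write("Hello $name\n"); // constructed sample template content
        w.close();

        ConfinedTemplateLocator locator = new ConfinedTemplateLocator(root);
        System.out.println("hello.vm            -> " + locator.locate("hello.vm"));
        System.out.println("/etc/passwd         -> " + locator.locate("/etc/passwd"));
        System.out.println("../../etc/passwd    -> " + locator.locate("../../etc/passwd"));
        System.out.println("sub/../hello.vm     -> " + locator.locate("sub/../hello.vm"));
    }
}
```

Only the first and last lookups resolve to a file; the absolute and traversing names return null. In Velocity 1.x terms (the version current at the time of this thread) the same effect comes from configuration rather than code: pointing `file.resource.loader.path` at a dedicated directory, or switching `resource.loader` to `class` with `class.resource.loader.class` set to `org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader`, which is the classpath-relative default the message above argues for.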
