velocity-user mailing list archives

From "Geir Magnusson Jr." <ge...@optonline.net>
Subject Re: template encodings
Date Tue, 17 Jul 2001 00:22:04 GMT
Jonathan Revusky wrote:
> 
> "Geir Magnusson Jr." wrote:
> >
> > Jonathan Revusky wrote:
> > >
> > >
> > > I don't care that much really. I do agree that the use of absolute paths
> > > should be discouraged. I'm not sure that I can take the security hole
> > > argument that seriously, because I think it's pretty tenuous. As long as
> > > you don't put the raw templates somewhere that's visible to the outside
> > > world, I don't for the life of me see the issue. It's just that the
> > > approved pattern is surely to specify resources relative to the insides
> > > of a .war file. So these things should be loaded relative to the
> > > classloader classpath.
> >
> > I was really trying to stay out of this hoping you would run out of
> > steam on this, but I can't resist here.
> >
> > The core Velocity resource loaders have *no* notion of the concept of
> > running in a servlet engine, let alone a WAR file.  Velocity is general
> > purpose, not made for the web.  Therefore, the configuration assumptions
> > MUST be general.  This is why I say that while '.' isn't perfect, "/"
> > isn't either, because someone somewhere will not like the choice made.
> 
> Well, you do seem argumentative, Geir. You certainly *can* make loading
> from the classpath the default behavior whether you have a servlet or
> not. (Meanwhile, in practice, 99% of your user base is using Velocity
> for servlets probably...) But for better or for worse, stand-alone java
> apps also have a classpath. I mean, it's like there's this argumentative
> compulsion to imply that I'm just not getting it somehow...

I admit I had lustful zeal for argument in my younger days, mostly on
alt.fan.bill-gates, but no more.

At this point, you are starting to change what I am apparently being
argumentative about.

You are right. You *can* make loading from the classpath the default
behavior, however files are the most common way people do it 'out of the
box' and don't want/need to diddle with the classpath.

Read what you wrote above.  You blew off David's argument by making a
statement entirely in conflict with your fundamental assertion driving
this thread.   I followed up noting that Velocity isn't web specific -
and I should have added that there is no 'approved pattern' in general. 
Yes, there is an approved pattern for the web, and yes that's the
majority of users, but it is still general purpose.

Your fundamental assertion, as I understand it, is that any template
request specified from the root of the filesystem should be honored by
default.

However, you then said 

"As long as you don't put the raw templates somewhere that's visible to
the outside world, I don't for the life of me see the issue."

If any file on the file system is accessible, then raw templates,
password files, mail lists, credit card numbers, database files, are all
possibly visible to the outside world.

You then followed it with

"It's just that the approved pattern is surely to specify resources
relative to the insides of a .war file."

in which case your fundamental assertion is again in conflict, because
that's not the root of the filesystem either.

Further, to load from the root of war, you either need to configure the
FileResourceLoader correctly (which servlet_example2 does), or use a
loader like the ClasspathResourceLoader within which the 'root of the
filesystem' is a meaningless concept.

> (You don't know me, I know, but I really am a very strong java
> developer, you know... I do understand this stuff! :-))

I have never once publicly questioned your competence.  That isn't
really germane to the discussion.

geir

-- 
Geir Magnusson Jr.                           geirm@optonline.net
System and Software Consulting
Developing for the web?  See http://jakarta.apache.org/velocity/
You have a genius for suggesting things I've come a cropper with!
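
The concern raised in the message above, that honoring template names from the filesystem root makes any readable file reachable, shown as an added example that is not part of the original message and is not Velocity's code. `RootedTemplateResolver` and its method names are hypothetical; it uses only `java.nio.file` to resolve names against a configured template root and reject anything that lands outside it.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical class for illustration; not Velocity's FileResourceLoader.
public class RootedTemplateResolver {
    private final Path root;

    public RootedTemplateResolver(Path configuredRoot) throws IOException {
        // Canonicalize once so later comparisons are against the real directory.
        this.root = configuredRoot.toRealPath();
    }

    /** Returns the template file for a requested name, or throws if it is outside the root. */
    public Path resolve(String name) throws IOException {
        // A leading "/" means "relative to the template root", never the filesystem root.
        String relative = name.replace('\\', '/').replaceFirst("^/+", "");
        Path candidate = root.resolve(relative).normalize();
        if (!candidate.startsWith(root)) {
            throw new SecurityException("template outside root: " + name);
        }
        // Follow symlinks and check again, so a link inside the root cannot point out of it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(root) || !Files.isRegularFile(real)) {
            throw new SecurityException("template outside root: " + name);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout in a temporary directory.
        Path dir = Files.createTempDirectory("templates");
        Files.write(dir.resolve("hello.vm"), "Hello $name".getBytes());
        RootedTemplateResolver resolver = new RootedTemplateResolver(dir);
        System.out.println("resolved " + resolver.resolve("/hello.vm"));
        for (String bad : new String[] {"/etc/passwd", "../../etc/passwd"}) {
            try {
                resolver.resolve(bad);
            } catch (SecurityException | IOException e) {
                System.out.println("rejected " + bad);
            }
        }
    }
}
```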
