velocity-user mailing list archives

From Jonathan Revusky <jrevu...@terra.es>
Subject Re: template encodings
Date Tue, 17 Jul 2001 00:48:41 GMT
"Geir Magnusson Jr." wrote:

I AM SICK AND TIRED OF THIS! ALL I AM SAYING IS SOMETHING REALLY REALLY
SIMPLE!!!!

JOE NEWBIE WILL ALMOST INEVITABLY AT SOME POINT WHEN MUCKING WITH
VELOCITY FOR THE FIRST TIME, WRITE CODE LIKE THIS:

mytemplate = Velocity.getTemplate("C:\\mypath\\myLittleTemplate");

JOE NEWBIE WILL BE CONFUSED WHEN THIS DOESN'T WORK!

IT WOULD BE BETTER IF THIS DID WORK IN THE DEFAULT OUT-OF-THE-BOX
CONFIGURATION!

The security issues don't matter if somebody is just trying to get
Hello, World to work.
IMHO, the out-of-the-box configuration should be extremely oriented
towards getting things to work for Joe Newbie.


> 
> Jonathan Revusky wrote:
> >
> > "Geir Magnusson Jr." wrote:
> > >
> > > Jonathan Revusky wrote:
> > > >
> > > >
> > > > I don't care that much really. I do agree that the use of absolute paths
> > > > should be discouraged. I'm not sure that I can take the security hole
> > > > argument that seriously, because I think it's pretty tenuous. As long as
> > > > you don't put the raw templates somewhere that's visible to the outside
> > > > world, I don't for the life of me see the issue. It's just that the
> > > > approved pattern is surely to specify resources relative to the insides
> > > > of a .war file. So these things should be loaded relative to the
> > > > classloader classpath.
> > >
> > > I was really trying to stay out of this hoping you would run out of
> > > steam on this, but I can't resist here.
> > >
> > > The core Velocity resource loaders have *no* notion of the concept of
> > > running in a servlet engine, let alone a WAR file.  Velocity is general
> > > purpose, not made for the web.  Therefore, the configuration assumptions
> > > MUST be general.  This is why I say that while '.' isn't perfect, "/"
> > > isn't either, because someone somewhere will not like the choice made.
> >
> > Well, you do seem argumentative, Geir. You certainly *can* make loading
> > from the classpath the default behavior whether you have a servlet or
> > not. (Meanwhile, in practice, 99% of your user base is using Velocity
> > for servlets probably...) But for better or for worse, stand-alone java
> > apps also have a classpath. I mean, it's like there's this argumentative
> > compulsion to imply that I'm just not getting it somehow...
> 
> I admit I had lustful zeal for argument in my younger days, mostly on
> alt.fan.bill-gates, but no more.

Gee, now, I'm curious, when you mention your younger days. Well,
personally, I'm 36. I mean, how old are you? I'm guessing
mid-twenties... I don't get a sense of great perspective and maturity...
I sense good will, that you're not a bad guy and all, but I sense a
large amount of immaturity...

> 
> At this point, you are starting to change what I am apparently being
> argumentative about.
> 
> You are right. You *can* make loading from the classpath the default
> behavior, however files are the most common way people do it 'out of the
> box' and don't want/need to diddle with the classpath.
> 
> Read what you wrote above.  You blew off David's argument by making a
> statement entirely in conflict with your fundamental assertion driving
> this thread.   I followed up nothing that Velocity isn't web specific -
> and I should have added that there is no 'approved pattern' in general.
> Yes, there is an approved pattern for the web, and yes that's the
> majority of users, but it is still general purpose.
> 
> Your fundamental assertion, as I understand it, is that any template
> request specified from the root of the filesystem should be honored by
> default.

My fundamental assertion is restated all in caps at the very top of this
message.

<SIGH>

> 
> However, you then said
> 
> "As long as you don't put the raw templates somewhere that's visible to
> the outside world, I don't for the life of me see the issue."
> 
> If any file on the file system is accessible, then raw templates,
> password files, mail lists, credit card numbers, database files, are all
> possibly visible to the outside world.

Only if somebody writes explicitly in the code:

Velocity.getTemplate("/the/path/to/theFileWithCreditCardInfo");

AND if the file is readable by your servlet server process, which means
that somebody did a brain fart!

In any case, I am not talking about deployment on a server with
sensitive info. One should be careful about what the various policies
are when you finally deploy in a production environment. 

I am talking about JOE NEWBIE GETTING HELLO, WORLD WORKING!!!

> 
> You then followed it with
> 
> "It's just that the approved pattern is surely to specify resources
> relative to the insides of a .war file."
> 
> in which case your fundamental assertion is again in conflict, because
> that's not the root of the filesystem either.
> 
> Further, to load from the root of war, you either need to configure the
> FileResourceLoader correctly (which servlet_example2 does), or use a
> loader like the ClasspathResourceLoader within which the 'root of the
> filesystem' is a meaningless concept.
> 
> > (You don't know me, I know, but I really am a very strong java
> > developer, you know... I do understand this stuff! :-))
> 
> I have never once publicly questioned your competence.  That isn't
> really germane to the discussion.

Look, I have said that you're not a bad guy, and I have said that I
overreacted yesterday. I'm sorry about that. But OTOH, I probably will
never ever try to *tell* you anything in the future. I will probably
never make a comment of any sort about any of your work ever again. It's
too much bother! In all likelihood, I will unsubscribe from this list
shortly!

> 
> geir
> 
> --
> Geir Magnusson Jr.                           geirm@optonline.net
> System and Software Consulting
> Developing for the web?  See http://jakarta.apache.org/velocity/
> You have a genius for suggesting things I've come a cropper with!

 
Jonathan Revusky
--
available for Java/Delphi/Internet consulting
If you want to...
- make your .class files double-clickable with SmartJ
- do Delphi/Java mixed programming with easy-to-use JNI wrapper classes
- build robust web applications with the Niggle Application Framework
then...
check out the Revusky Hacks Page: http://www.revusky.com/hacks/
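The confinement Geir argues for above (template names honoured only inside a configured root, with absolute paths and ".." escapes rejected rather than served) as an added example; this is plain JDK code written for this page, not Velocity's FileResourceLoader, and the class name ConfinedTemplateResolver is hypothetical. It assumes Java 11 or later.

```java
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical resolver: maps a template name to a file only inside one configured root. */
public final class ConfinedTemplateResolver {
    private final Path root;

    public ConfinedTemplateResolver(Path root) throws IOException {
        // Canonicalise the root once so a symlinked root does not confuse the later checks.
        this.root = root.toRealPath();
    }

    /** Returns the real file for a template name, or throws if it would leave the root. */
    public Path resolve(String templateName) throws IOException {
        Path requested = Paths.get(templateName);
        // Absolute names ("/etc/passwd", "C:\\secret\\cards.txt") are refused outright,
        // which is exactly the Joe Newbie call the thread argues about.
        if (requested.isAbsolute()) {
            throw new SecurityException("absolute template path rejected: " + templateName);
        }
        // Lexical check: after collapsing "..", the candidate must still sit under the root.
        // This is also the backstop for root-relative names such as "/x" on Windows.
        Path candidate = root.resolve(requested).normalize();
        if (!candidate.startsWith(root)) {
            throw new SecurityException("template escapes root: " + templateName);
        }
        if (!Files.isRegularFile(candidate)) {
            throw new FileNotFoundException(candidate.toString());
        }
        // Physical check: a symlink inside the root must not point outside it either.
        Path real = candidate.toRealPath();
        if (!real.startsWith(root)) {
            throw new SecurityException("template resolves outside root: " + templateName);
        }
        return real;
    }

    public static void main(String[] args) throws Exception {
        Path root = Files.createTempDirectory("templates");      // constructed sample root
        Files.writeString(root.resolve("hello.vm"), "Hello, $name!");
        ConfinedTemplateResolver r = new ConfinedTemplateResolver(root);
        System.out.println("ok: " + r.resolve("hello.vm"));
        for (String bad : new String[] {"/etc/passwd", "../../etc/passwd"}) {
            try { r.resolve(bad); }
            catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```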
