velocity-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jonathan Revusky <>
Subject Re: template encodings
Date Tue, 17 Jul 2001 17:11:56 GMT
Jon Stevens wrote:
> on 7/16/01 5:48 PM, "Jonathan Revusky" <> wrote:
> > The security issues don't matter if somebody is just trying to get
> > Hello, World to work.
> Now that is funny.
> That is like saying that all Unix boxes should come with a root user with a
> well known password.

I shouldn't rise to this, but that comparison is ridiculous!

Password-protected root access is specifically one of the various layers
of security that a unix OS provides.

There are various other layers as well, in terms of the priveleges of
various users, etcetera. Java itself, via the
ClassLoader/SecurityManager API's, has very fine-grained security
options on top of this.

Velocity, OTOH, is a template processing engine. It exists to process
templates. It is not part of the various layers of security. If you give
it an absolute path and and the file is present and readable, AFAICS, it
should process it, because this is not code that is operating at a level
where it should second-guess whether somebody really should be allowed
to read a file.

Is there any more reason for Velocity, in its default configuration, to
refuse to process a template file passed in via an absolute filename
than, say, for an XML parsing API to refuse to parse a file passed in
via an absolute path? Because of security reasons??!!

Really, you know, in the above, you are writing something pretty STUPID,
making a STUPID analogy in an aborted, childish attempt to make *me*
look stupid.

> -jon

Jonathan Revusky
available for Java/Delphi/Internet consulting
If you want to...
- make your .class files double-clickable with SmartJ
- do Delphi/Java mixed programming with easy-to-use JNI wrapper classes
- build robust web applications with the Niggle Application Framework
check out the Revusky Hacks Page:

View raw message