velocity-user mailing list archives

From "Geir Magnusson Jr." <ge...@optonline.net>
Subject Re: template encodings
Date Thu, 19 Jul 2001 03:05:15 GMT
No mas :)

Tal Dayan wrote:
> 
> Is it true that this would be a security hole only when the users
> (the ones at the browsers, not the programmers or the designers)
> can specify a path to a template ?

I wouldn't say only - that requires a prescience that I personally don't
have.  I would assume that there are other ways, not intended, for it to
happen.
 
> We are using velocity from an application that uses a few hard-coded
> template names. Is it still a security risk ?

Generally not.  However, I assume that you are also specifying the
sources for the templates?

> Also, to solve the first-time-use-out-of-the-box-experience, a detailed
> message that specifies that the template was not found at x, y, z
> and how the path can be changed may be useful.

It's possible.  The only issue is balancing that versus keeping crap out
of the logs, which can be dealt with using switches, I suppose.   So
here's a question - how many apps do a search/fail approach?  For
example, I have seen uses where the app walks down/up a tree finding the
first place a template lives, so you can layer a base template set
underneath customized pieces...  those kinds of users wouldn't want the
blather, but it's true that since they seem to be the minority, we can
make them shut it off....

geir

-- 
Geir Magnusson Jr.                           geirm@optonline.net
System and Software Consulting
Developing for the web?  See http://jakarta.apache.org/velocity/
You have a genius for suggesting things I've come a cropper with!
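The two points in the thread above, that a browser-supplied template name is a security hole unless the template source is pinned, and that some apps walk an ordered list of template roots taking the first hit, can be combined in one resolver. The code below is an added example written for this archive page; it is not Velocity's own resource loader and does not use the Velocity API. It assumes a caller passes the template name from a request, a hypothetical ordered list of roots (customized set first, base set last), and an optional hard-coded allowlist of names; the root directories and names are constructed for illustration.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.Optional;
import java.util.Set;

/**
 * Added example, not Velocity code: resolve a template name against a
 * fixed, ordered list of template roots and refuse any name that would
 * escape those roots. Layering (customized roots before a base root)
 * follows the search/fail approach described in the message above.
 */
public final class SafeTemplateResolver {
    private final List<Path> roots;      // hypothetical: customized first, base last
    private final Set<String> allowed;   // hypothetical: null means "no allowlist"

    public SafeTemplateResolver(List<Path> roots, Set<String> allowed) {
        // Canonicalize every root once so containment checks compare like with like.
        this.roots = roots.stream()
                .map(r -> r.toAbsolutePath().normalize())
                .toList();
        this.allowed = allowed;
    }

    /**
     * Returns the first existing template under the roots, in order, or
     * Optional.empty() when no root has it. Throws for names that are empty,
     * not on the allowlist (when one is configured), or that escape a root.
     */
    public Optional<Path> resolve(String name) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("empty template name");
        }
        // Layer 1: if the app only knows a handful of hard-coded names, say so.
        if (allowed != null && !allowed.contains(name)) {
            throw new IllegalArgumentException("unknown template: " + name);
        }
        for (Path root : roots) {
            // Layer 2: lexical containment. resolve() keeps an absolute name
            // as-is, so "/etc/passwd" and "../x" both fail startsWith(root).
            Path candidate = root.resolve(name).normalize();
            if (!candidate.startsWith(root)) {
                throw new IllegalArgumentException("template escapes root: " + name);
            }
            if (Files.isRegularFile(candidate)) {
                return Optional.of(candidate);
            }
        }
        // Search/fail: nothing found in any layer. Caller decides how loudly
        // to log this; it is not an error for layered setups.
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed roots; they need not exist for the rejection paths to fire.
        List<Path> roots = List.of(Paths.get("templates/custom"), Paths.get("templates/base"));
        SafeTemplateResolver withAllowlist =
                new SafeTemplateResolver(roots, Set.of("index.vm", "error.vm"));
        SafeTemplateResolver anyName = new SafeTemplateResolver(roots, null);

        System.out.println("index.vm -> " + withAllowlist.resolve("index.vm"));
        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd", "sub/../../x.vm"}) {
            try {
                anyName.resolve(bad);
                System.out.println(bad + " -> accepted (unexpected)");
            } catch (IllegalArgumentException e) {
                System.out.println(bad + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Path.normalize() is purely lexical: it collapses ".." segments but does not follow symbolic links. If a template directory may contain symlinks, call toRealPath() on the candidate once Files.isRegularFile() has confirmed it exists and repeat the startsWith check against the real root, since an existing file is required for toRealPath().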
