velocity-user mailing list archives

From Jon Stevens <...@latchkey.com>
Subject Re: template encodings
Date Mon, 16 Jul 2001 19:54:12 GMT
on 7/15/01 5:09 PM, "Jonathan Revusky" <jrevusky@terra.es> wrote:

> Somebody else pointed out that if you
> specifically give an absolute location for the template file, it doesn't
> work, i.e. some naive user who tries:
> getTemplate("C:\\mytemplates\\mytemplate.html"). Well, that's basically
> a bug. The default code should have the smarts that if you give it an
> absolute path AND the file is there and readable, it should use it. To
> have any other behavior is to willfully waste people's time.

No, it is a security hole.

You don't want some random user to be able to access something like
/etc/passwd or /etc/shadow.

Setting a base template path is necessary. Then everything to access the
file is relative to that path and you don't have to worry about people
randomly reading files from that path.

Go read the bugtraq archives. You will see literally hundreds of security
holes as a result of what you describe.

This is a very common mistake by newbie software engineers.

Lastly, it is entirely possible within Velocity for you to come up with your
own ResourceLoader. So, if you don't like the one that comes with Velocity,
then make your own! However, we will not be shipping a product with known
security holes in it.

thanks.

-jon
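The check the reply argues for, written out as an added example that is not code from this thread or from Velocity itself: a loader that interprets every template name relative to a configured base path and refuses any name that is absolute or that resolves outside the base. Python is used for illustration only; the function names resolve_template and run_demo are assumed, and the template tree it probes is constructed inline.

```python
from __future__ import annotations

import tempfile
from pathlib import Path


def resolve_template(base_dir: str, requested: str) -> Path | None:
    """Map a template name onto a file strictly inside base_dir.

    Returns the resolved Path, or None if the request is absolute,
    escapes the base after normalisation, or names no regular file.
    """
    base = Path(base_dir).resolve()
    rel = Path(requested)
    # Absolute requests (e.g. "/etc/passwd") are refused outright rather
    # than honoured: every name is interpreted relative to the base path.
    if rel.is_absolute():
        return None
    # resolve() collapses ".." and follows symlinks, so a link inside the
    # base that points elsewhere is caught by the containment check too.
    candidate = (base / rel).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError if it escaped
    except ValueError:
        return None
    return candidate if candidate.is_file() else None


def run_demo() -> dict[str, bool]:
    """Build a constructed template tree and probe it with sample names."""
    root = Path(tempfile.mkdtemp())
    base = root / "templates"
    base.mkdir()
    (base / "page.vm").write_text("Hello $name")
    (root / "secret.txt").write_text("outside the base")  # not a template
    requests = [
        "page.vm",                   # legitimate, relative to the base
        "/etc/passwd",               # absolute path, refused
        "../secret.txt",             # traversal out of the base, refused
        "C:\\mytemplates\\page.vm",  # the absolute-style name from the thread
    ]
    return {r: resolve_template(str(base), r) is not None for r in requests}


if __name__ == "__main__":
    for name, served in run_demo().items():
        print(f"{name!r:30} -> {'served' if served else 'refused'}")
```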

