velocity-user mailing list archives

From "Tal Dayan" <>
Subject RE: template encodings
Date Thu, 19 Jul 2001 02:36:49 GMT
Is it true that this would be a security hole only when the users
(the ones at the browsers, not the programmers or the designers)
can specify a path to a template?

We are using Velocity from an application that uses a few hard coded
template names. Is it still a security risk?

Also, to solve the first-time-use-out-of-the-box-experience, a detailed
message that specifies that the template was not found at x, y, z
and how the path can be changed may be useful.
> -----Original Message-----
> From: Jon Stevens []
> Sent: Monday, July 16, 2001 12:54 PM
> To: velocity-user
> Subject: Re: template encodings
> on 7/15/01 5:09 PM, "Jonathan Revusky" <> wrote:
> > Somebody else pointed out that if you
> > specifically give an absolute location for the template file, it doesn't
> > work, i.e. some naive user who tries:
> > getTemplate("C:\\mytemplates\\mytemplate.html"). Well, that's basically
> > a bug. The default code should have the smarts that if you give it an
> > absolute path AND the file is there and readable, it should use it. To
> > have any other behavior is to willfully waste people's time.
> No, it is a security hole.
> You don't want some random user to be able to access something like
> /etc/passwd or /etc/shadow.
> Setting a base template path is necessary. Then everything to access the
> file is relative to that path and you don't have to worry about people
> randomly reading files from that path.
> Go read the bugtraq archives. You will see literally hundreds of security
> holes as a result of what you describe.
> This is a very common mistake by newbie software engineers.
> Lastly, it is entirely possible within Velocity for you to come up with your
> own ResourceLoader. So, if you don't like the one that comes with Velocity,
> then make your own! However, we will not be shipping a product with known
> security holes in it.
> thanks.
> -jon
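The "base template path" approach Jon describes, plus the detailed not-found message Tal asks for, as an added example written for this archive page. It is not code from the thread or from Velocity; `SafeTemplateResolver` and its `resolve` method are hypothetical names, and a custom ResourceLoader could delegate to such a helper. It rejects absolute names, names that climb out of the base with `..`, and (a caveat the thread does not mention) symlinks inside the base that point outside it.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Resolves template names only inside a configured base directory.
 * Hypothetical helper, not part of Velocity.
 */
public final class SafeTemplateResolver {
    private final Path base;

    public SafeTemplateResolver(Path baseDir) throws IOException {
        // toRealPath() resolves symlinks and ".." so that later containment
        // checks compare against a canonical prefix
        this.base = baseDir.toRealPath();
    }

    /**
     * Returns the canonical path of the template, or throws if the name is
     * absolute, escapes the base via "..", or is a link out of the base.
     */
    public Path resolve(String templateName) throws IOException {
        Path candidate = Paths.get(templateName);
        if (candidate.isAbsolute()) {
            throw new SecurityException("absolute template path rejected: " + templateName);
        }
        // Lexical check: normalize() collapses "a/../../etc/passwd" before the
        // file system is touched, so the prefix test is meaningful.
        Path resolved = base.resolve(candidate).normalize();
        if (!resolved.startsWith(base)) {
            throw new SecurityException("template name escapes base directory: " + templateName);
        }
        if (!Files.isRegularFile(resolved)) {
            // The detailed message suggested in the thread: say where we looked
            // and how to change it.
            throw new IOException("template '" + templateName + "' not found under " + base
                    + " (set the base template path to change the search location)");
        }
        // Second check on the real path: a symlink inside base may point outside it.
        Path real = resolved.toRealPath();
        if (!real.startsWith(base)) {
            throw new SecurityException("template resolves outside base directory via link: "
                    + templateName);
        }
        return real;
    }

    /** Self-check against a temporary template directory (constructed sample data). */
    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("templates");
        Files.writeString(dir.resolve("hello.vm"), "Hello $name");
        SafeTemplateResolver r = new SafeTemplateResolver(dir);

        System.out.println("ok: " + r.resolve("hello.vm"));
        for (String bad : new String[] {"../../../etc/passwd", "/etc/shadow", "missing.vm"}) {
            try {
                r.resolve(bad);
                System.out.println("unexpectedly allowed: " + bad);
            } catch (SecurityException | IOException e) {
                System.out.println("rejected: " + bad + " -> " + e.getMessage());
            }
        }
    }
}
```

The check runs twice on purpose: the lexical `normalize()` pass rejects traversal without touching the disk, and the `toRealPath()` pass catches the case where a file inside the base is a link to somewhere else. An application with only hard coded template names, as in Tal's case, never hands the first argument to a browser user, which is why the risk there is small; the helper matters once any part of the name is user controlled.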
