velocity-user mailing list archives

From "Tal Dayan" <...@zapta.com>
Subject RE: template encodings
Date Thu, 19 Jul 2001 02:36:49 GMT
Is it true that this would be a security hole only when the users
(the ones at the browsers, not the programmers or the designers)
can specify a path to a template?

We are using velocity from an application that uses a few hard-coded
template names. Is it still a security risk?

Also, to solve the first-time-use-out-of-the-box-experience, a detailed
message that specifies that the template was not found at x, y, z
and how the path can be changed may be useful.

Thanks,

Tal

> -----Original Message-----
> From: Jon Stevens [mailto:jon@latchkey.com]
> Sent: Monday, July 16, 2001 12:54 PM
> To: velocity-user
> Subject: Re: template encodings
>
>
> on 7/15/01 5:09 PM, "Jonathan Revusky" <jrevusky@terra.es> wrote:
>
> > Somebody else pointed out that if you
> > specifically give an absolute location for the template file, it doesn't
> > work, i.e. some naive user who tries:
> > getTemplate("C:\\mytemplates\\mytemplate.html"). Well, that's basically
> > a bug. The default code should have the smarts that if you give it an
> > absolute path AND the file is there and readable, it should use it. To
> > have any other behavior is to willfully waste people's time.
>
> No, it is a security hole.
>
> You don't want some random user to be able to access something like
> /etc/passwd or /etc/shadow.
>
> Setting a base template path is necessary. Then everything to access the
> file is relative to that path and you don't have to worry about people
> randomly reading files from that path.
>
> Go read the bugtraq archives. You will see literally hundreds of security
> holes as a result of what you describe.
>
> This is a very common mistake by newbie software engineers.
>
> Lastly, it is entirely possible within Velocity for you to come up with your
> own ResourceLoader. So, if you don't like the one that comes with Velocity,
> then make your own! However, we will not be shipping a product with known
> security holes in it.
>
> thanks.
>
> -jon
>
>
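The confinement Jon describes in the quoted message (a configured base template path, with every template name resolved relative to it and never as an absolute location), as an added standalone example; this is not Velocity's own ResourceLoader code, and `ConfinedTemplateResolver` is a hypothetical class name.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Resolves template names strictly inside one base directory (hypothetical helper). */
public final class ConfinedTemplateResolver {
    private final Path base;

    public ConfinedTemplateResolver(Path base) throws IOException {
        // toRealPath() resolves symlinks so the containment checks compare canonical locations.
        this.base = base.toRealPath();
    }

    /** Returns the confined path, or throws if the name would escape the base. */
    public Path resolve(String templateName) throws IOException {
        Path requested = Paths.get(templateName);
        // Absolute names such as "/etc/passwd" are refused even when the file is readable.
        if (requested.isAbsolute()) {
            throw new SecurityException("absolute template path rejected: " + templateName);
        }
        // Resolve relative to the base and fold away "." and ".." segments ...
        Path candidate = base.resolve(requested).normalize();
        // ... then confirm the result still lies under the base (catches "../" traversal).
        if (!candidate.startsWith(base)) {
            throw new SecurityException("template path escapes base: " + templateName);
        }
        // If the file exists, also check the symlink-resolved location, so a link
        // placed inside the base cannot point at a file outside it.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new SecurityException("template resolves outside base: " + templateName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary base directory holding one template.
        Path tmp = Files.createTempDirectory("templates");
        Files.writeString(tmp.resolve("index.vm"), "hello $name");
        ConfinedTemplateResolver r = new ConfinedTemplateResolver(tmp);
        System.out.println("ok: " + r.resolve("index.vm"));
        for (String bad : new String[] {"/etc/passwd", "../../etc/passwd"}) {
            try {
                r.resolve(bad);
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```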

