velocity-user mailing list archives

From "Paulo Gaspar" <paulo.gas...@krankikom.de>
Subject RE: template encodings
Date Tue, 17 Jul 2001 17:31:51 GMT
> Really, you know, in the above, you are writing something pretty STUPID,
> making a STUPID analogy in an aborted, childish attempt to make *me*
> look stupid.

Jon always does that (I should know).
But I am not so sure on how aborted the attempt was.

> I shouldn't rise to this ...

You are right on that one.


Couldn't resist 'cause I'm just human,
Paulo


> -----Original Message-----
> From: revusky@jr.revusky.com [mailto:revusky@jr.revusky.com]On Behalf Of
> Jonathan Revusky
> 
> 
> Jon Stevens wrote:
> > 
> > on 7/16/01 5:48 PM, "Jonathan Revusky" <jrevusky@terra.es> wrote:
> > 
> > > The security issues don't matter if somebody is just trying to get
> > > Hello, World to work.
> > 
> > Now that is funny.
> > 
> > That is like saying that all Unix boxes should come with a root 
> user with a
> > well known password.
> 
> I shouldn't rise to this, but that comparison is ridiculous!
> 
> Password-protected root access is specifically one of the various layers
> of security that a unix OS provides.
> 
> There are various other layers as well, in terms of the privileges of
> various users, etcetera. Java itself, via the
> ClassLoader/SecurityManager APIs, has very fine-grained security
> options on top of this.
> 
> Velocity, OTOH, is a template processing engine. It exists to process
> templates. It is not part of the various layers of security. If you give
> it an absolute path and the file is present and readable, AFAICS, it
> should process it, because this is not code that is operating at a level
> where it should second-guess whether somebody really should be allowed
> to read a file.
> 
> Is there any more reason for Velocity, in its default configuration, to
> refuse to process a template file passed in via an absolute filename
> than, say, for an XML parsing API to refuse to parse a file passed in
> via an absolute path? Because of security reasons??!!
> 
> Really, you know, in the above, you are writing something pretty STUPID,
> making a STUPID analogy in an aborted, childish attempt to make *me*
> look stupid.
> 
> > 
> > -jon
> 
> -- 
> Jonathan Revusky
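The default behaviour Jon defends above (refusing absolute template paths unless the loader's configured path allows them) is, in practice, a path-containment check: template names are resolved relative to a configured root and anything that would land outside that root is rejected. The following is an added illustration, not code from this thread or from Velocity itself; it uses only java.nio.file, and the root directory /srv/app/templates, the class name TemplateRootResolver and the sample template names are assumptions for the demonstration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not Velocity's own loader): confine template lookups to a
 * configured root directory, the way a default-configuration loader that
 * refuses absolute paths behaves. Assumes a Unix-style filesystem.
 */
public final class TemplateRootResolver {
    private final Path root;

    public TemplateRootResolver(String rootDir) {
        // Absolute, normalized root so that startsWith() below is meaningful.
        this.root = Paths.get(rootDir).toAbsolutePath().normalize();
    }

    /**
     * Resolve a template name against the root.
     * Refuses absolute names and any relative name that normalizes to a
     * location outside the root (e.g. one using ".." segments).
     */
    public Path resolve(String templateName) {
        Path requested = Paths.get(templateName);
        if (requested.isAbsolute()) {
            throw new IllegalArgumentException(
                "absolute template paths are refused: " + templateName);
        }
        Path candidate = root.resolve(requested).normalize();
        if (!candidate.startsWith(root)) {
            throw new IllegalArgumentException(
                "template path escapes the configured root: " + templateName);
        }
        return candidate;
    }

    public static void main(String[] args) {
        TemplateRootResolver r = new TemplateRootResolver("/srv/app/templates");
        // Constructed sample names: two in-root names, one traversal, one absolute.
        String[] names = { "hello.vm", "mail/welcome.vm", "../../outside.vm", "/tmp/outside.vm" };
        for (String n : names) {
            try {
                System.out.println("OK      " + n + " -> " + r.resolve(n));
            } catch (IllegalArgumentException e) {
                System.out.println("REFUSED " + n + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two caveats a practitioner would want: normalize() is a purely lexical operation, so a symbolic link inside the root can still point outside it; if the template must already exist, comparing toRealPath() results for both root and candidate closes that gap. And, as the thread notes, this is only one layer: a JVM SecurityManager policy or OS file permissions on the process user are the layers that actually decide which files may be read at all.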

