velocity-user mailing list archives

From Bojan Smojver <bo...@rexursive.com>
Subject Re: Velocity (was RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability)
Date Thu, 26 Sep 2002 21:25:29 GMT
I have promised not to use Tomcat-Dev for this, so I'm answering
privately and I'm sending a CC to Velocity-User list, where it belongs.

That's an excellent point and is exactly what I'm talking about. Again,
who creates the context object? The programmers, NOT the web designers.

As for YATL, anyone with half a brain and one afternoon can learn
Velocity. JSP is a completely different story because it's Java.

On the topic of programming in Velocity. Well, I've seen some really
complicated code out there. And you know what, it's all crap. The code
beyond simple if's and foreach directives should not be in any template
but rather in the controller or the model, written in Java, by the
programmers. If programmers are forcing designers to write complicated
Velocity constructs or are doing it themselves, they are asking for
trouble.

Bojan

On Fri, 2002-09-27 at 00:23, Dennis Doubleday wrote:
> Bojan,
> 
> Just move the code you wrote into a context object, reference it and
> poof! Velocity gets OutOfMemory, too. Bad code is limited to front ends.
> 
> Velocity is nice. It is an excellent project, and Geir is possibly the
> most responsive and helpful project leader I have ever encountered.
> 
> But there IS programming in a Velocity page--it's just in Yet Another
> Templating Language, one that both your developers and your web
> designers have to learn. That creates opportunities for confusion.
> (Especially where velocimacros are involved.) 
> 
> > -----Original Message-----
> > From: Bojan Smojver [mailto:bojan@rexursive.com] 
> > Sent: Wednesday, September 25, 2002 10:34 PM
> > To: Tomcat Developers List
> > Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
> > 
> > 
> > Not if:
> > 
> > runtime.interpolate.string.literals = false
> > 
> > Bojan
> > 
> > Quoting Tim Funk <funkman@joedog.org>:
> > 
> > > That's what code reviews are for and in absence of that - firing your
> > > developers.
> > > 
> > > Wouldn't I also get an out of memory with this in Velocity?
> > > 
> > > #set($oom = "0000000000000000000000000000000000000000000000000000" )
> > > #foreach( $i in [-2147483648..2147483648] ) #set($oom =
> > > "$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom" ) #end
> > > 
> > > Bad code can kill ANY system for the determined(disgruntled) 
> > > developer.
> > > 
> > > 
> > > Bojan Smojver wrote:
> > > > All right then, let's talk about JSP's. If I host my clients' JSP's
> > > > on my server and a web designer puts this in (BTW, he wasn't forced,
> > > > he simply decided he wanted to do it):
> > > > 
> > > > -----------------------------------------------
> > > >     Hashtable strings = new Hashtable();
> > > >     int i=0;
> > > >     while (true)
> > > >     {
> > > >         strings.put ("dead"+i, new StringBuffer(999999));
> > > >     }
> > > > -----------------------------------------------
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
> 



--
To unsubscribe, e-mail:   <mailto:velocity-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:velocity-user-help@jakarta.apache.org>
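The `runtime.interpolate.string.literals = false` setting that the quoted reply points at, shown in an added Java example that is not part of this thread or of the Velocity project's own code. It assumes a Velocity engine (1.x or 2.x) on the classpath; the class name `InterpolationDemo`, the `render` helper and the template text are constructed for this example. The template has the same `#set`/`#foreach` shape as the snippet quoted above but with a bounded range, so it terminates under both settings and the difference is only whether the string literal `"$s$s"` is expanded.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

public class InterpolationDemo {

    // Constructed template: doubles $s three times via a string literal
    // that references $s, the same pattern as the quoted "$oom$oom..." line.
    static final String TEMPLATE =
        "#set($s = \"ab\")\n" +
        "#foreach($i in [1..3])#set($s = \"$s$s\")#end\n" +
        "$s";

    // Renders TEMPLATE with string-literal interpolation switched on or off.
    static String render(boolean interpolateLiterals) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        // The property from the thread; Velocity's default is true.
        engine.setProperty("runtime.interpolate.string.literals",
                           Boolean.toString(interpolateLiterals));
        engine.init();

        StringWriter out = new StringWriter();
        engine.evaluate(new VelocityContext(), out, "InterpolationDemo", TEMPLATE);
        return out.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // With interpolation on, "$s$s" is evaluated each pass: ab -> abab -> ... (16 chars).
        System.out.println("interpolation on : " + render(true));
        // With interpolation off, "$s$s" is stored as those four literal characters,
        // so the final reference prints $s$s and the value never grows.
        System.out.println("interpolation off: " + render(false));
    }
}
```

With the property off, the literal is stored verbatim and the exponential growth in the quoted snippet cannot happen; the `#foreach` itself still executes, so the setting closes the string-expansion vector but does not bound loop work or anything a template can reach through objects the programmer placed in the context.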