From Anders Lindback <and...@igiro.se>
Subject Re: VelocityViewServlet and velocity.properties
Date Thu, 03 Oct 2002 10:21:02 GMT
Martin Jacobson skrev:
> Anders Lindback wrote:
> 
> > Iain Young skrev:
> > 
> >>Hi Gabe,
> >>
> >>
> >>>all templates are read relative to the root of the web app. There is
> >>>currently no way to configure the resource loader differently in
> >>>velocity.properties. That is maybe something we should add??
> >>>
> >>I think that would be a very useful addition as it's very messy having all
> >>of the vm files in the webapp root (the only place where the current vvs
> >>will pick them up from), especially as the project I'm working on is likely
> >>to have a great number of template files. I guess that alternative paths
> >>could be specified in velocity.properties in the same way as the other
> >>resource loaders (i.e. similar settings to the file loader), and the vvs
> >>could read them from there?
> >>
> > 
> > It's a security problem to store the template files in the webapp root directory.
> > Therefore everyone should create their own servlet anyway. 
> > 
> > Really wish that it's changed so that the shipped servlet expects
> > templates to be hidden in a webapp subdir of WEB-INF, for example
> > WEB-INF/templates, instead of as it is now. 
> > 
> > All webapps based on today's VelocityServlet are most probably a security hole.
> > 
> 
> 
> All my VelocityServlets contain the following:
> 
> protected Properties loadConfiguration(ServletConfig config )
>       throws IOException, FileNotFoundException
> {
> 	Properties p = new Properties();
> 
> 	String path = config.getServletContext().getRealPath("/");
> 
> 	if (path == null)
> 	{
> 		path = "/";

This can lead to problems; change it to:

                path = "";

or maybe set it to "/tmp" to make it safer.
    
> 	}
> 
> 	p.setProperty( Velocity.FILE_RESOURCE_LOADER_PATH,  path + "/web/" );

If the path was empty the loader path would become "//web/", which may
not be your intention. Some filesystems might give special meaning to "//".

Strongly suggest you change it to:

       p.setProperty( Velocity.FILE_RESOURCE_LOADER_PATH,  path + "/WEB-INF/web/" );


> 	p.setProperty( "runtime.log", path + "/velocity.log" );
> 
>     return p;
> }
> 
> Thus, all my .vm files are in <tomcat_path>/webapps/<myApp>/web/

Any user can see your templates by checking out /web/ in your
webapp - if you really intended for them to be able to see the templates
then you are OK - but I strongly doubt that. 

You have a potential security problem. You need to move them to under the 
WEB-INF directory - which is the only directory hidden from surfers.

Suggest you fix the two problems I found with all your webapps. 
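A loadConfiguration() override that applies both fixes discussed in this thread (templates kept under WEB-INF where the container never serves them, and no "//web/" built from an empty root path). This is an added example, not the poster's code; the servlet class name and the WEB-INF/templates directory are assumptions.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.Properties;

import javax.servlet.ServletConfig;

import org.apache.velocity.app.Velocity;
import org.apache.velocity.servlet.VelocityServlet;

// Hypothetical servlet; "WEB-INF/templates" as the template directory is an assumption.
public class HiddenTemplatesServlet extends VelocityServlet {

    protected Properties loadConfiguration(ServletConfig config)
            throws IOException, FileNotFoundException {
        Properties p = new Properties();

        // Ask the container for the real path of the template directory itself instead
        // of getRealPath("/") plus a string concatenation, so an empty or "/" root can
        // never produce "//web/" or point the loader at the filesystem root.
        String templates = config.getServletContext().getRealPath("/WEB-INF/templates");
        if (templates == null) {
            // null means the webapp is not exploded on disk (for example a packed WAR);
            // fail loudly rather than silently falling back to "/" or the webapp root.
            throw new FileNotFoundException(
                "WEB-INF/templates is not available as a filesystem path");
        }
        File dir = new File(templates);
        if (!dir.isDirectory()) {
            throw new FileNotFoundException("template directory missing: " + dir.getPath());
        }

        // Everything below WEB-INF is hidden from browsers, so .vm sources cannot be fetched.
        p.setProperty(Velocity.FILE_RESOURCE_LOADER_PATH, dir.getPath());
        // Keep the log file out of the served tree as well (WEB-INF/velocity.log).
        p.setProperty("runtime.log",
            new File(dir.getParentFile(), "velocity.log").getPath());
        return p;
    }
}
```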




