velocity-user mailing list archives

From Martin Jacobson <marti...@libero.it>
Subject Re: VelocityViewServlet and velocity.properties
Date Thu, 03 Oct 2002 14:15:55 GMT
Anders Lindback wrote:

>>	String path = config.getServletContext().getRealPath("/");
>>
>>	if (path == null)
>>	{
>>		path = "/";
>>
> 
> This can lead to problems; change it to:
> 
>                 path = "";
> 
> or maybe set it to "/tmp" to make it safer.
>     
> 
>>	}
>>
>>	p.setProperty( Velocity.FILE_RESOURCE_LOADER_PATH,  path + "/web/" );
>>
> 
> If the path was empty the loader path will become "//web/" which may
> not be your intention.  Some filesystems might give special meaning to "//".
> 
> Strongly suggest you change it to:
> 
>        p.setProperty( Velocity.FILE_RESOURCE_LOADER_PATH,  path + "/WEB-INF/web/" );
> 
> 
> Any user can see your templates by checking out /web/ in your
> webapp - if you really intended for them to be able to see the templates
> then you are OK - but I strongly doubt that.
> 
> You have a potential security problem. You need to move them to under the
> WEB-INF directory - which is the only directory hidden from surfers.
> 
> Suggest you fix the two problems I found with all your webapps.
> 


Thanks for the comments! I posted the sample code to illustrate that 
it's simple to place the .vm files almost anywhere you like.
In my defense [ :-) ] I'd like to say that for my application, there are 
no serious security implications: (i) it's an intranet app, hidden 
behind a firewall, (ii) you can't access ANYTHING on the site other than 
the home page without proper user authentication.

But your comments are valid, nonetheless.

Thanks,
Martin
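A worked version of the path handling discussed in this thread, added here as an example and not code from either poster: it resolves the Velocity loader path under WEB-INF, refuses the null/"/" fallback and the "//" concatenation, and checks that the resolved directory really sits inside WEB-INF. It assumes a hypothetical `templates` subdirectory and the javax.servlet API of the period.

```java
import java.io.File;
import java.io.IOException;
import java.util.Properties;
import javax.servlet.ServletContext;
import org.apache.velocity.app.Velocity;

// Added example (not from the thread): derive the Velocity file loader path
// from the servlet context, keeping templates under WEB-INF so the container
// never serves them directly, and never falling back to "/" or "//".
public final class TemplatePathConfig {

    // Hypothetical subdirectory name; the thread used "web" at the webapp root.
    static final String TEMPLATE_DIR = "templates";

    /** Returns the canonical template directory, or null if it cannot be resolved. */
    public static File resolveTemplateDir(ServletContext ctx) {
        // getRealPath returns null when the webapp is not unpacked (e.g. served
        // straight from a WAR); refuse rather than guess a filesystem root.
        String webInfPath = ctx.getRealPath("/WEB-INF");
        if (webInfPath == null) {
            return null;
        }
        try {
            // getCanonicalPath collapses "//" and resolves symlinks, so the
            // containment check below sees the real location.
            String webInf = new File(webInfPath).getCanonicalPath();
            File dir = new File(webInf, TEMPLATE_DIR);
            String canon = dir.getCanonicalPath();
            if (!canon.startsWith(webInf + File.separator) || !dir.isDirectory()) {
                return null;   // escaped WEB-INF or does not exist
            }
            return new File(canon);
        } catch (IOException e) {
            return null;
        }
    }

    /** Populates the loader path, failing loudly instead of pointing Velocity at "/". */
    public static void configure(Properties p, ServletContext ctx) {
        File dir = resolveTemplateDir(ctx);
        if (dir == null) {
            throw new IllegalStateException(
                "WEB-INF/" + TEMPLATE_DIR + " not resolvable; refusing to start");
        }
        p.setProperty(Velocity.FILE_RESOURCE_LOADER_PATH, dir.getPath());
    }
}
```

Because the container never serves anything below WEB-INF, a template placed there is reachable only through the servlet that renders it, which removes the exposure Anders describes regardless of firewall or login state.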


