velocity-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eelco Hillenius" <>
Subject Re: security audit
Date Thu, 29 May 2003 22:04:03 GMT
I must be one of the few people that do not have problems with this whole
issue. For me (as a Java developper) Velocity is just one of the tools I use
when programming, and I really like the fact that I have the same freedom/
power as with using regular Java. I do not know about you guys, but the
projects I worked on never had evil script kiddies trying to mess the system
up using Velocity templates. Besides, I really came back from the idea of
never using 'pull' (as it is dirty... see the problems that people like
Jason Hunter etc. have with JSP's) for webdevelopment. I've had many times
that I really just wanted to 'pull' some extra Java functionality to the
view (like doing some special formatting, or getting an object from the
model solely for viewing purposes). Without the ability to pull from the
view, my other code (control) would have been very messy.

But... as there are people that have (theoretical) problems with it, having
this configurable seems a good idea.


p.s: I can make a good guess what you think of Jakarta Jelly ;-)

----- Original Message ----- 
From: "Will Glass-Husain" <>
To: <>
Sent: Thursday, May 29, 2003 11:27 PM
Subject: Re: security audit

> Well said, Barbara.
> Yes, the ability to instantiate arbitrary classes and execute arbitrary
> methods has been a dirty little secret among the more technical Velocity
> developers.  Discussion has come up from time to time on the dev list
> I monitor) and several other places.  This capability arises from the fact
> the Velocity lets you call any public method on an object in the
> there's a chain of methods that you can call that will instantiate any
> class.
> So far, the Velocity committers seem to have ignored this issue.  I've
> patched my personal copy of Velocity, but I'm guessing most developers
> aren't even aware of the problem.
> Barbara:
> > Gee, I didn't know I could just call any public class I wanted from a
> > template.  I thought the designer was limited to what was in the
> > Anyway, I think that's the way it should be.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message