velocity-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Will Glass-Husain" <>
Subject Re: security audit
Date Thu, 29 May 2003 17:07:31 GMT

Thanks for your detailed and helpful set of thoughts.  Good point about wrapping context objects
and avoiding the VelocityServlet.  (I'm actually using my own servlet, but have a bit of legacy
code copied over from the VS).

If it wasn't clear in my last email, this was a list of security issues I encountered in *my
application*, and the solutions I plan on taking.  (not a laundry list of problems with Velocity,
which -- with a few reservations-- I think is a great tool).  Obviously, the security and
integrity of an application is wholly the responsibility of the developer and sysadmin.

I post these issues (which may or may not be applicable to others) to ask for ideas on other
risks, and to help people think through risks with their own Velocity-based web applications.
 For example, although the Torque issue is not a "velocity" issue, it definitely was a potential
exploit for my app.  It was a bit of a shock to realize that my system allowed any template
writer to use a reference to do arbitrary SQL calls.  A caution to other Velocity developers--
be sure that you know what is in your context and that you are comfortable with all the methods
that are exposed.

By the way, the biggest risk-reduction technique would be to only allow a small trusted set
of people to write templates.  But in my application, hundreds of people write templates,
so I'm trying to make this a safe environment.  If anyone has other ideas, please let me know.



Forio Business Simulations
Will Glass-Husain
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message