velocity-user mailing list archives

From "Attila Szegedi" <>
Subject Re: security audit
Date Fri, 30 May 2003 20:34:17 GMT
Actually, calling wait() on an object is more likely to cause
IllegalStateException except if the template author somehow manages to first
cause the thread to enter the object's monitor (that is, synchronize on it).
But if it does, then blocking a thread indefinitely is a very good way to
mount a DOS attack - every new request will block another thread, eventually
exhausting either a limited thread pool, or ultimately the system resources.


----- Original Message -----
From: "Will Glass-Husain" <>
To: <>
Sent: Friday, May 30, 2003 8:09 PM
Subject: Re: security audit

> Attila,
> Thanks for the list of methods, that was very helpful.  This is perhaps a
> bit overly technical for the user list, but a quick question nonetheless.
> The patch I submitted for Velocity blocks at the class level, not the
> level.  It includes all the methods you listed except for Object.wait and
> Object.notify.   My take is that those aren't as much of a risk, as all
> would happen by calling wait/notify is the current thread (e.g. the web
> being loaded) would be blocked-- no other system functions would be
> affected.  Does this seem reasonable from your viewpoint?
> Attila:
> Actually, I have already gone through the Java API and identified those
> methods that shouldn't be allowed to be called from a template. The list
> used in FreeMarker to restrict calls to methods at its default security
> level (FreeMarker actually has security levels for accessing methods...)
> _______________________________________
> Forio Business Simulations
> Will Glass-Husain

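An added Java illustration of the class-level versus method-level check discussed in this thread, and of how wait() behaves with and without the object's monitor. It is not code from Velocity, FreeMarker, or either poster; the class name `TemplateMethodFilter` and both denylists are hypothetical, constructed for this example.

```java
import java.lang.reflect.Method;
import java.util.Set;

// Added illustration: TemplateMethodFilter and both denylists are hypothetical,
// not Velocity's or FreeMarker's actual classes or lists.
public class TemplateMethodFilter {
    // Class-level block: every method declared on these classes is refused.
    private static final Set<String> BLOCKED_CLASSES = Set.of(
        "java.lang.Runtime", "java.lang.System", "java.lang.Thread",
        "java.lang.ClassLoader", "java.lang.Class");

    // Method-level block: a class-level list cannot express these, because
    // blocking java.lang.Object as a class would also refuse toString().
    private static final Set<String> BLOCKED_OBJECT_METHODS =
        Set.of("wait", "notify", "notifyAll");

    static boolean isAllowed(Method m) {
        Class<?> owner = m.getDeclaringClass();
        if (BLOCKED_CLASSES.contains(owner.getName())) {
            return false;
        }
        return !(owner == Object.class
                 && BLOCKED_OBJECT_METHODS.contains(m.getName()));
    }

    public static void main(String[] args) throws Exception {
        Object value = new Object(); // stands in for an object in the template context
        System.out.println("toString allowed: "
            + isAllowed(Object.class.getMethod("toString")));
        System.out.println("wait allowed:     "
            + isAllowed(Object.class.getMethod("wait")));

        // Outside the monitor the JVM rejects the call immediately.
        try {
            value.wait(10);
        } catch (IllegalMonitorStateException e) {
            System.out.println("not monitor owner: " + e.getClass().getName());
        }
        // Inside the monitor the calling thread parks. The 200 ms timeout bounds
        // it here; wait() with no argument holds the thread until a notify().
        synchronized (value) {
            long start = System.nanoTime();
            value.wait(200);
            System.out.println("thread parked for ~"
                + (System.nanoTime() - start) / 1_000_000 + " ms");
        }
    }
}
```

In a servlet container each parked request thread is one fewer worker available, so a filter of this kind is applied before the template engine invokes the reflected method.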