velocity-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Serge Knystautas <ser...@lokitech.com>
Subject Re: security audit
Date Mon, 02 Jun 2003 19:44:15 GMT
Attila Szegedi wrote:
>>As an example of a service provider, we have selected velocity as the
>>templating engine because of the ease that it integrates with our Java
>>architecture (mainly over PHP).  I'd rather not get into sandboxing
>>since we are not exposing Java or any true programming capabilities...
> 
> Or you just don't know about it... By default, you can take any object in
> the context and write things like
> 
> #set clazz =
> $obj.class.classLoader.loadClass("a.class.sp.dont.want.users.to.use")
> $clazz..newInstance().doSomethingUnwanted()

Yeah, exactly... we are a service provider who does not host servlets 
nor do sandboxing, but we do host velocity templates.  So, given us as 
an example of a service provider who wants to offering just a secure 
scripting language, I'm just saying we would prefer to turn on an 
optional feature to make Velocity more secure rather than building the 
sandboxing ourselves.

-- 
Serge Knystautas
President
Lokitech >> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. sergek@lokitech.com


---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-user-help@jakarta.apache.org


Mime
View raw message