velocity-user mailing list archives

From Serge Knystautas <>
Subject Re: security audit
Date Mon, 02 Jun 2003 19:44:15 GMT
Attila Szegedi wrote:
>>As an example of a service provider, we have selected velocity as the
>>templating engine because of the ease that it integrates with our Java
>>architecture (mainly over PHP).  I'd rather not get into sandboxing
>>since we are not exposing Java or any true programming capabilities...
> Or you just don't know about it... By default, you can take any object in
> the context and write things like
> #set($clazz = $obj.class.classLoader.loadClass(""))
> $clazz.newInstance().doSomethingUnwanted()

Yeah, exactly... we are a service provider who does not host servlets 
nor do sandboxing, but we do host velocity templates.  So, given us as 
an example of a service provider who wants to offer just a secure 
scripting language, I'm just saying we would prefer to turn on an 
optional feature to make Velocity more secure rather than building the 
sandboxing ourselves.

Serge Knystautas
Lokitech >> software . strategy . design >>
p. 301.656.5501
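As an added example (not code from this thread or from the Velocity project), the Java program below renders the escape path Attila quotes, $obj.class.classLoader, first under Velocity's default introspector and then under SecureUberspector, the opt-in restriction that Velocity shipped in release 1.5, after this thread. The Greeting bean, the template text and the class name UberspectorDemo are constructed for the demo; the runtime.introspector.uberspect property, the SecureUberspector class and the introspector.restrict.* lists are real Velocity configuration.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

// Added example: the quoted escape path under the default introspector
// and under SecureUberspector (Velocity 1.5 and later on the classpath).
public class UberspectorDemo {

    // Hypothetical bean a hosting provider might expose to customer templates.
    // It carries nothing dangerous itself; the problem is the getClass()
    // every Java object inherits, which Velocity exposes as $obj.class.
    public static class Greeting {
        public String getText() { return "hello"; }
    }

    // Constructed template following the quoted path. If the reference
    // resolves, the template holds a ClassLoader and can call loadClass()
    // with any class name it likes.
    static final String TEMPLATE =
        "#set($cl = $obj.class.classLoader)"
        + "#if($cl)ESCAPED: template holds $cl#{else}BLOCKED#end";

    // Renders TEMPLATE against a fresh engine; 'secure' selects SecureUberspector.
    static String render(boolean secure) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        if (secure) {
            // Same key as RuntimeConstants.UBERSPECT_CLASSNAME in velocity.properties.
            // SecureUberspector refuses method and property lookups on the classes
            // listed in introspector.restrict.classes (java.lang.Class,
            // java.lang.ClassLoader, java.lang.Runtime, java.lang.System, ... by
            // default) and on packages in introspector.restrict.packages
            // (java.lang.reflect by default); the refused reference evaluates to null.
            engine.setProperty("runtime.introspector.uberspect",
                "org.apache.velocity.util.introspection.SecureUberspector");
        }
        engine.init();

        VelocityContext ctx = new VelocityContext();
        ctx.put("obj", new Greeting());

        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "uberspector-demo", TEMPLATE);
        return out.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Default introspector: $obj.class.classLoader resolves to the
        // application class loader, so the output starts with "ESCAPED".
        System.out.println("default : " + render(false));
        // SecureUberspector: the getClassLoader() lookup on java.lang.Class is
        // refused, $cl stays null, and the template prints "BLOCKED".
        System.out.println("secure  : " + render(true));
    }
}
```

Two caveats a provider hosting customer templates should keep in mind. SecureUberspector decides by the class name of the object being introspected, so it covers only what introspector.restrict.classes and introspector.restrict.packages name; a provider who widens those lists should check them against every type reachable from the context. And it does nothing about the objects the provider itself puts in the context: whatever public methods those objects and their return values expose remain callable from a template, so the context should hold simple beans rather than service objects.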
