velocity-user mailing list archives

From Jonathan Revusky <>
Subject Re: security audit
Date Mon, 02 Jun 2003 09:32:35 GMT

wrote:
> Nathan Bubna wrote:
>> Will said:
> [snip]
>>> I believe this is a critical issue for Velocity web developers
>> only for those who can't trust their designers.  it's not as critical
>> for the rest of us.  that's not to say it needn't be addressed, just
>> don't be surprised if you fail to generate a sense of urgency on the
>> matter.
> I do think Will's point of view is reasonable. OTOH it will increase
> the popularity of velocity for service providers. Currently I see some
> SP allow PHP and other server-side scripting. If basic velocity can
> be configured with a designer-sandbox and be secure per-se it would
> be a win-only situation for velocity (with the proper propaganda)!

You mean a situation where the ISP allows Velocity templates (with some 
default context defined) but does not allow java servlets?

After all, if they allow you to deploy servlets, then the point is moot, 
since Velocity cannot be more insecure than simply letting people run 
java code.


> Nope, service providers will not deploy velocity if it is not safe!

FWIW, it seems like a non-issue to me. A security-conscious ISP would 
only let java servlets run in a sandbox and the same security 
restrictions that apply to the servlets would apply to the Velocity (or 
FreeMarker or any other) templates that the servlet makes use of.


Jonathan Revusky
lead developer, FreeMarker project,
FreeMarker-Velocity comparison page:

FreeMarker 2.3pre2 released! (1 June 2003)
