velocity-user mailing list archives

From Daniel Dekany <ddek...@freemail.hu>
Subject Re: user-written templates / reflection safety
Date Fri, 07 Oct 2005 19:42:13 GMT
Friday, October 7, 2005, 8:11:02 PM, Will Glass-Husain wrote:

> Hi,
>
> (pls change the subject line when you change topic - thanks!)
>
> Just as a quick side note... I have hundreds of users writing their own
> Velocity templates and uploading them to my system.  You need a custom
> uberspector to prevent evil reflection (this will be standard in v1.6).  I
> am also cautious about what objects and methods are in the context (users do
> not have control of this).  Infinite loops are not possible with the
> #foreach directive.

When I said "practically infinite loop", I meant something like:

#foreach( $a in [1..9999999] )
#foreach( $b in [1..9999999] )
#foreach( $c in [1..9999999] )
#foreach( $d in [1..9999999] )
#foreach( $e in [1..9999999] )
#foreach( $f in [1..9999999] )
#foreach( $g in [1..9999999] )
  Mmmmmuhahahaha!
#end
#end
#end
#end
#end
#end
#end

I would think it's a problem.

> Finally, I use a Java security policy file for extra
> protection.
>
> See this essay for some more thoughts on this matter.
> http://wiki.apache.org/jakarta-velocity/BuildingSecureWebApplications
>
> WILL

-- 
Best regards,
 Daniel Dekany


---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-user-help@jakarta.apache.org
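A static pre-upload check for the nested-loop problem discussed above, added here as an example (it is not code from the thread or from the Velocity project): it walks a template's #foreach/#end structure, bounds the worst-case number of loop-body executions from integer range literals, and rejects templates that exceed configured limits. The size charged to a loop over an unknown context object (unknown_size), the default limits, and the sample template are assumptions.

```python
import re

# Constructed sample: a user-uploaded template shaped like the one quoted in
# the thread, seven #foreach loops over [1..9999999] nested inside each other.
NESTED_TEMPLATE = "\n".join(
    ["#foreach( $%s in [1..9999999] )" % v for v in "abcdefg"]
    + ["  Mmmmmuhahahaha!"] + ["#end"] * 7
)

# One regex for the block structure we care about: #foreach headers (with the
# iterated expression captured), other block-opening directives that are also
# closed by #end, and #end itself. #else/#elseif are not matched because they
# do not change nesting depth.
TOKEN_RE = re.compile(
    r"#foreach\s*\(\s*\$\w+\s+in\s+(?P<iter>[^)]*)\)"
    r"|#(?P<open>if|macro|define)\b"
    r"|#(?P<end>end)\b"
)
RANGE_RE = re.compile(r"^\[\s*(-?\d+)\s*\.\.\s*(-?\d+)\s*\]$")

def estimate_foreach_cost(template, unknown_size=1000):
    """Return (max_nesting, iterations): the deepest #foreach nesting and the
    worst-case number of loop-body executions across the whole template.

    Only integer range literals can be sized statically; a loop over a
    context object is charged unknown_size iterations (an assumed bound).
    """
    stack = []            # open blocks: loop size for #foreach, None otherwise
    max_nesting = iterations = 0
    for tok in TOKEN_RE.finditer(template):
        if tok.group("end"):
            if stack:
                stack.pop()
        elif tok.group("open"):
            stack.append(None)
        else:
            rng = RANGE_RE.match(tok.group("iter").strip())
            size = abs(int(rng.group(2)) - int(rng.group(1))) + 1 if rng else unknown_size
            stack.append(size)
            loops = [s for s in stack if s is not None]
            max_nesting = max(max_nesting, len(loops))
            body_runs = 1
            for s in loops:
                body_runs *= s    # this body runs once per enclosing iteration
            iterations += body_runs
    return max_nesting, iterations

def check_template(template, max_nesting=3, max_iterations=10**6):
    """Accept or reject a template before it is stored; returns (ok, reason)."""
    depth, cost = estimate_foreach_cost(template)
    if depth > max_nesting:
        return False, "foreach nesting %d exceeds limit %d" % (depth, max_nesting)
    if cost > max_iterations:
        return False, "worst-case %d loop iterations exceeds limit %d" % (cost, max_iterations)
    return True, "ok"
```

This is a lint on the template text only; it complements, rather than replaces, a restricted context and uberspector, since it cannot see how many elements a context object will yield at render time.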

