velocity-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Dekany <ddek...@freemail.hu>
Subject Re: user-written templates / reflection safety
Date Sun, 09 Oct 2005 13:09:37 GMT
Sunday, October 9, 2005, 11:15:19 AM, Henning P. Schmiedehausen wrote:

> Jason Pettiss <jason.pettiss@TheCatalis.com> writes:
>
>>I agree with you, writing a language to guard against truly malicious 
>>behavior only penalizes the rest of us.  But let's say you're a hosting
>>provider and you let people upload the scripts as part of their personal
>>hosting and you provide them all the APIs which you think are 'safe' and
>>will not be time consuming.  Then the question is-- what could you do to
>>keep them from hosing your server?
>
> You would do what everyone that was ever involved with that kind of
> shared hosting environment does: Limit the maximum run time of a
> script. Like httpd does.
>
> But counting iterations on a loop is IMHO not the right thing to do.

I agree, but how to limit the maximum runtime? One could start a thread
for template executing and then stop it, but stopping threads is not
safe (and thus is deprecated).

> However, if you start optimizing an application to some border cases
> (and IMHO having shared environments that allow potential malicious
> users to upload templates is not actually a very common use case), you
> must make sure that you neither penalize "regular" use cases nor go
> overboard in what you restrict the regular use cases.
>
> From this comes reluctance to implement "feature of the day" that
> might have popped up on a list somewhere. I understand that this is
> often perceived as "developers not listening to users".

(I don't remember that there where anything like that said about this
particular issue...)

-- 
Best regards,
 Daniel Dekany


---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-user-help@jakarta.apache.org


Mime
View raw message