velocity-user mailing list archives

From Daniel Dekany
Subject Re: user-written templates / reflection safety
Date Sun, 09 Oct 2005 13:09:37 GMT
Sunday, October 9, 2005, 11:15:19 AM, Henning P. Schmiedehausen wrote:

> Jason Pettiss writes:
>>I agree with you, writing a language to guard against truly malicious 
>>behavior only penalizes the rest of us.  But let's say you're a hosting
>>provider and you let people upload the scripts as part of their personal
>>hosting and you provide them all the APIs which you think are 'safe' and
>>will not be time consuming.  Then the question is-- what could you do to
>>keep them from hosing your server?
> You would do what everyone that was ever involved with that kind of
> shared hosting environment does: Limit the maximum run time of a
> script. Like httpd does.
> But counting iterations on a loop is IMHO not the right thing to do.

I agree, but how to limit the maximum runtime? One could start a thread
for template execution and then stop it, but stopping threads is not
safe (and thus is deprecated).

> However, if you start optimizing an application to some border cases
> (and IMHO having shared environments that allow potentially malicious
> users to upload templates is not actually a very common use case), you
> must make sure that you neither penalize "regular" use cases nor go
> overboard in what you restrict the regular use cases.
> From this comes reluctance to implement "feature of the day" that
> might have popped up on a list somewhere. I understand that this is
> often perceived as "developers not listening to users".

(I don't remember that there was anything like that said about this
particular issue...)

Best regards,
 Daniel Dekany
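
The runtime limit discussed in this message, as an added example that is not part of the original message or of Velocity's code: a render runs on its own thread and is cancelled by interrupt once a wall-clock limit passes. The class, method names and the two loops standing in for runaway templates are hypothetical.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.FutureTask;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class RenderTimeoutDemo {
    // Hypothetical stand-in for a runaway template whose engine polls the
    // interrupt flag on every loop iteration.
    static String cooperativeLoop() throws InterruptedException {
        while (true) {
            if (Thread.interrupted()) throw new InterruptedException("render cancelled");
        }
    }

    // Hypothetical stand-in for a runaway template that never polls the flag.
    static String stubbornLoop() {
        long n = 0;
        while (true) { n++; }
    }

    // Runs the render on its own thread, requests cancellation once limitMs
    // has passed, and reports whether the worker really terminated.
    static boolean stopsAfterLimit(Callable<String> render, long limitMs) throws InterruptedException {
        FutureTask<String> job = new FutureTask<>(render);
        Thread worker = new Thread(job, "template-render");
        worker.setDaemon(true);   // a stuck render must not keep the JVM alive
        worker.start();
        try {
            job.get(limitMs, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            job.cancel(true);     // sends Thread.interrupt(): a request, not a kill
        } catch (ExecutionException e) {
            // the render failed on its own before the limit
        }
        worker.join(500);         // grace period for the worker to unwind
        return !worker.isAlive();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("cooperative loop stopped: "
                + stopsAfterLimit(RenderTimeoutDemo::cooperativeLoop, 200));
        System.out.println("stubborn loop stopped:    "
                + stopsAfterLimit(RenderTimeoutDemo::stubbornLoop, 200));
    }
}
```

Only the loop that polls the interrupt flag ends when the limit is hit; the other worker keeps running until the JVM exits, so a wall-clock limit holds only if the engine's loop checks for cancellation or the render is isolated in a separate process.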
