velocity-user mailing list archives

From James Kebinger <jkebin...@gmail.com>
Subject Re: user-written templates / reflection safety
Date Sat, 08 Oct 2005 18:31:19 GMT
So what do you want? A limit on how big one's loop variable can be? You
can't prevent every action by a completely pathological user other than by
not letting them upload arbitrary scripts.

On 10/7/05, Daniel Dekany <ddekany@freemail.hu> wrote:
>
> Friday, October 7, 2005, 8:11:02 PM, Will Glass-Husain wrote:
>
> > Hi,
> >
> > (pls change the subject line when you change topic - thanks!)
> >
> > Just as a quick side note... I have hundreds of users writing their own
> > Velocity templates and uploading them to my system. You need a custom
> > uberspector to prevent evil reflection (this will be standard in v1.6). I
> > am also cautious about what objects and methods are in the context (users do
> > not have control of this). Infinite loops are not possible with the
> > #foreach directive.
>
> When I said "practically infinite loop" then I meant something like:
>
> #foreach( $a in [1..9999999] )
> #foreach( $b in [1..9999999] )
> #foreach( $c in [1..9999999] )
> #foreach( $d in [1..9999999] )
> #foreach( $e in [1..9999999] )
> #foreach( $f in [1..9999999] )
> #foreach( $g in [1..9999999] )
> Mmmmmuhahahaha!
> #end
> #end
> #end
> #end
> #end
> #end
> #end
>
> I would think it's a problem.
>
> > Finally, I use a Java security policy file for extra
> > protection.
> >
> > See this essay for some more thoughts on this matter.
> > http://wiki.apache.org/jakarta-velocity/BuildingSecureWebApplications
> >
> > WILL
>
> --
> Best regards,
> Daniel Dekany
>
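The nested #foreach template Daniel quotes is a resource-exhaustion problem rather than a reflection one, and James's reply is that a limit on how big one loop variable can be does not bound the work, because nested loops multiply. The Python below is an added example for this thread, not Velocity's code and not anything the thread's authors wrote: a toy evaluator for `#foreach( $v in [lo..hi] ) ... #end` nesting that computes the worst-case iteration count under a per-loop cap, and renders under a total iteration budget for the whole render, which is the control a per-loop cap alone lacks. All function names (`render`, `worst_case_iterations`, `nested_range_template`, `is_within_budget`) and the cap and budget values are assumptions of this example.

```python
import re

# Toy model of Velocity-style "#foreach( $v in [lo..hi] ) ... #end" nesting.
# Added example for the thread above, not Velocity's own code; every name
# here is this example's assumption.

LOOP_RE = re.compile(r"#foreach\(\s*\$(\w+)\s+in\s+\[(\d+)\.\.(\d+)\]\s*\)")
TOKEN_RE = re.compile(r"(#foreach\([^)]*\)|#end)")
VAR_RE = re.compile(r"\$(\w+)")


class RenderBudgetExceeded(Exception):
    """Raised when a render performs more loop iterations than the caller allows."""


def parse(template):
    """Parse the template into a tree of ('text', s) and ('loop', var, lo, hi, body) nodes."""
    root = []
    stack = [root]
    for tok in TOKEN_RE.split(template):
        if not tok:
            continue
        m = LOOP_RE.fullmatch(tok)
        if m:
            node = ("loop", m.group(1), int(m.group(2)), int(m.group(3)), [])
            stack[-1].append(node)
            stack.append(node[4])
        elif tok == "#end":
            if len(stack) == 1:
                raise ValueError("#end without matching #foreach")
            stack.pop()
        else:
            stack[-1].append(("text", tok))
    if len(stack) != 1:
        raise ValueError("unclosed #foreach")
    return root


def loop_size(lo, hi, cap=None):
    """Iterations a [lo..hi] range performs, after an optional per-loop cap (truncation)."""
    size = max(0, hi - lo + 1)
    return size if cap is None else min(size, cap)


def worst_case_iterations(template, cap=None):
    """Total loop iterations the template executes, summed over every nesting level.

    A per-loop cap bounds each level, but the levels still multiply, so seven
    nested loops capped at 1000 each still cost about 10**21 iterations."""
    def cost(nodes, multiplier):
        total = 0
        for node in nodes:
            if node[0] == "loop":
                size = loop_size(node[2], node[3], cap)
                total += multiplier * size
                total += cost(node[4], multiplier * size)
        return total
    return cost(parse(template), 1)


def render(template, budget, cap=None):
    """Render under a hard budget on total iterations across all nested loops.

    Returns (output, iterations_used). Raises RenderBudgetExceeded as soon as
    the budget is passed, so a hostile template is stopped early instead of
    occupying the rendering thread."""
    out = []
    used = 0

    def walk(nodes, scope):
        nonlocal used
        for node in nodes:
            if node[0] == "text":
                out.append(VAR_RE.sub(lambda m: str(scope.get(m.group(1), m.group(0))), node[1]))
                continue
            _, var, lo, hi, body = node
            for value in range(lo, lo + loop_size(lo, hi, cap)):
                used += 1
                if used > budget:
                    raise RenderBudgetExceeded(f"render exceeded {budget} loop iterations")
                scope[var] = value
                walk(body, scope)

    walk(parse(template), {})
    return "".join(out), used


def is_within_budget(template, budget, cap=None):
    """True if the template renders completely within the budget, False if it was stopped."""
    try:
        render(template, budget, cap)
        return True
    except RenderBudgetExceeded:
        return False


def nested_range_template(depth, hi, body="Mmmmmuhahahaha!"):
    """Construct the kind of template quoted in the thread: `depth` nested loops over [1..hi]."""
    names = "abcdefghijklmnopqrstuvwxyz"[:depth]
    opening = "".join(f"#foreach( ${v} in [1..{hi}] )\n" for v in names)
    return opening + body + "\n" + "#end\n" * depth


if __name__ == "__main__":
    hostile = nested_range_template(7, 9999999)
    print("iterations with a 1000-per-loop cap:", worst_case_iterations(hostile, cap=1000))
    print("completes within 10000 total iterations:", is_within_budget(hostile, 10_000, cap=1000))
```

The budget counter is charged once per loop iteration at every nesting level, so the hostile template is refused after the first ten thousand iterations of the innermost loop, long before its outer loops advance; a per-loop cap alone would only shrink each factor of a seven-factor product. In a real engine the same accounting would live in the directive that drives the loop, alongside a wall-clock limit on the render.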
