velocity-user mailing list archives

From Daniel Dekany <ddek...@freemail.hu>
Subject Re: user-written templates / reflection safety
Date Sat, 08 Oct 2005 23:24:10 GMT
Saturday, October 8, 2005, 8:31:19 PM, James Kebinger wrote:

> So what do you want?

Nothing... I have just said that your site still will not be safe after
you have prevented the calling of arbitrary Java API methods from the
templates. There are other ways of attack.

> A limit on how big one's loop variable can be? You can't prevent every
> action by a completely pathological user other than by not letting
> them upload arbitrary scripts.

And that's what I said.

-- 
Best regards,
 Daniel Dekany

> On 10/7/05, Daniel Dekany <ddekany@freemail.hu> wrote:
>>
>> Friday, October 7, 2005, 8:11:02 PM, Will Glass-Husain wrote:
>>
>> > Hi,
>> >
>> > (pls change the subject line when you change topic - thanks!)
>> >
>> > Just as a quick side note... I have hundreds of users writing their
>> > own Velocity templates and uploading them to my system. You need a custom
>> > uberspector to prevent evil reflection (this will be standard in v1.6).
>> > I am also cautious about what objects and methods are in the context
>> > (users do not have control of this). Infinite loops are not possible with
>> > the #foreach directive.
>>
>> When I said "practically infinite loop" then I meant something like:
>>
>> #foreach( $a in [1..9999999] )
>> #foreach( $b in [1..9999999] )
>> #foreach( $c in [1..9999999] )
>> #foreach( $d in [1..9999999] )
>> #foreach( $e in [1..9999999] )
>> #foreach( $f in [1..9999999] )
>> #foreach( $g in [1..9999999] )
>> Mmmmmuhahahaha!
>> #end
>> #end
>> #end
>> #end
>> #end
>> #end
>> #end
>>
>> I would think it's a problem.
>>
>> > Finally, I use a Java security policy file for extra
>> > protection.
>> >
>> > See this essay for some more thoughts on this matter.
>> >
>> > http://wiki.apache.org/jakarta-velocity/BuildingSecureWebApplications
>> >
>> > WILL
>>
>> --
>> Best regards,
>> Daniel Dekany
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
>> For additional commands, e-mail:
>> velocity-user-help@jakarta.apache.org
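The thread names two controls: a custom uberspector that refuses "evil reflection", and something that bounds the work a nested #foreach can do. The class below is an added illustration of both, written for the Velocity 1.x Uberspect API; it is not code from this thread, not the SecureUberspector that later shipped with Velocity, and the package name, the denied-method list, the iteration budget of 100000 and the use of java.util.logging are all assumptions. It is wired in through the existing `runtime.introspector.uberspect` property.

```java
package example; // hypothetical package, chosen for this illustration

import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.logging.Logger;

import org.apache.velocity.util.introspection.Info;
import org.apache.velocity.util.introspection.UberspectImpl;
import org.apache.velocity.util.introspection.VelMethod;

/**
 * Restrictive uberspector (illustration, not Velocity project code).
 *   1. getMethod(): refuse methods that let a template climb back into the
 *      JVM (getClass, forName, ...) and refuse any call on Class/ClassLoader.
 *   2. getIterator(): count every #foreach step on the rendering thread and
 *      abort once a per-render budget is spent, so seven nested loops over
 *      [1..9999999] cannot multiply into unbounded CPU time.
 * Enable with:  runtime.introspector.uberspect = example.RestrictedUberspect
 */
public class RestrictedUberspect extends UberspectImpl {

    private static final Logger LOG = Logger.getLogger(RestrictedUberspect.class.getName());

    /** Assumed deny-list; extend it for the objects you actually put in the context. */
    private static final Set<String> DENIED_METHODS = new HashSet<String>(Arrays.asList(
            "getClass", "getClassLoader", "forName", "newInstance", "invoke",
            "wait", "notify", "notifyAll", "exit", "exec"));

    /** Assumed budget of total #foreach iterations for one render. */
    static final long MAX_ITERATIONS_PER_RENDER = 100000L;

    /** One counter per thread: a merge() normally runs on a single thread. */
    private static final ThreadLocal<long[]> ITERATIONS = new ThreadLocal<long[]>() {
        @Override protected long[] initialValue() { return new long[] { 0L }; }
    };

    /** Call before each merge() so one template's spend does not carry over. */
    public static void resetBudget() { ITERATIONS.get()[0] = 0L; }

    @Override
    public VelMethod getMethod(Object obj, String methodName, Object[] args, Info i)
            throws Exception {
        if (obj == null) {
            return null;
        }
        if (DENIED_METHODS.contains(methodName)
                || obj instanceof Class || obj instanceof ClassLoader) {
            // Returning null makes Velocity treat the reference as unresolved
            // instead of invoking it; the warning gives operators a detection signal.
            LOG.warning("template " + i.getTemplateName() + " line " + i.getLine()
                    + " attempted " + obj.getClass().getName() + "." + methodName);
            return null;
        }
        return super.getMethod(obj, methodName, args, i);
    }

    @Override
    public Iterator getIterator(Object obj, Info info) throws Exception {
        final Iterator inner = super.getIterator(obj, info);
        if (inner == null) {
            return null;
        }
        // Wrap the real iterator so every #foreach step, at any nesting depth,
        // charges the same per-thread budget.
        return new Iterator() {
            public boolean hasNext() { return inner.hasNext(); }
            public Object next() {
                long[] count = ITERATIONS.get();
                if (++count[0] > MAX_ITERATIONS_PER_RENDER) {
                    throw new IllegalStateException("#foreach budget of "
                            + MAX_ITERATIONS_PER_RENDER + " iterations exceeded; render aborted");
                }
                return inner.next();
            }
            public void remove() { inner.remove(); }
        };
    }
}
```

The caller should invoke `RestrictedUberspect.resetBudget()` immediately before each `Template.merge()` and catch the `IllegalStateException` (Velocity wraps it in a `MethodInvocationException`-style failure) to return an error page rather than a partial render. Two caveats: a shared budget across nested loops is what matters, because a per-loop cap alone still lets nesting multiply the work; and a range literal such as `[1..9999999]` is materialised as a list before the iterator is even requested, so memory pressure from huge ranges has to be handled separately, for example by the JVM heap limit and the Java security policy the thread mentions.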


