velocity-user mailing list archives

From "Henning P. Schmiedehausen" <...@intermeta.de>
Subject Restricting method invocation (was: Re: [ANN] Viento - WHY?)
Date Sat, 08 Oct 2005 08:21:15 GMT
Robert Koberg <rob@koberg.com> writes:

[ I process this thread now strictly read-only. If I find something
that is at least remotely Velocity related and want to write something
about it, I will change the subject. So at least some constructive
work might come out of this thread. :-) ]

>One thing that might make me think about switching has to do with 
>security. Can you do something like this is FM:

>#set ($classLoader = $request.getClass().getClassLoader())

AFAIK, some methods are either blocked or you can turn method blocking
on. There is a list of methods in
src/freemarker/ext/beans/unsafeMethods.txt which lists methods that
are considered dangerous. I might argue about some of them, but at
least the various getClassLoader() and Class.forName() are in there.

Adding security is a good idea and Will is talking about implementing
method invocation restrictions. ATM, FreeMarker has here more
functionality than Velocity. 

If we do this, we will try to do it in a way that there is no penalty
for users who do not need it (and be honest: How big is the
percentage of applications that actually allow 3rd party users to
upload templates to a web application? Because that is the problem
domain. If you impose a penalty on method invocation on all
applications that use a templating engine, you will end up with a
slower solution because of the overhead).

Side note: Until Will's talk about Hacking Velocity @ AC'04,
personally I had no idea that this is possible in Velocity. :-) But
then again I never had a case where users were allowed to upload
templates to an application of mine.

	Best regards
		Henning

-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen          INTERMETA GmbH
hps@intermeta.de        +49 9131 50 654 0   http://www.intermeta.de/

RedHat Certified Engineer -- Jakarta Turbine Development  -- hero for hire
   Linux, Java, perl, Solaris -- Consulting, Training, Development

		      4 - 8 - 15 - 16 - 23 - 42

---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-user-help@jakarta.apache.org
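As an added illustration of the method-invocation restriction discussed in this message, the following Java class shows the shape such a gate takes when a template engine resolves `$request.getClass().getClassLoader()` one hop at a time. It is example code written for this archive page, not code from Velocity, FreeMarker, or anyone on the thread; the `FakeRequest` class, the `MethodInvocationGate` name and the deny-list entries are constructed for the example (they mimic the one-signature-per-line idea of FreeMarker's unsafeMethods.txt but are not a copy of it).

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * A method-invocation gate of the kind a template engine's introspector would
 * consult before reflectively calling a method named in a template.
 * Stand-alone example: not Velocity's or FreeMarker's code; the deny-lists are
 * constructed for illustration and are not copied from unsafeMethods.txt.
 */
public final class MethodInvocationGate {

    /** Constructed stand-in for the servlet request a template sees as $request. */
    public static final class FakeRequest {
        public String getParameter(String name) { return "value-of-" + name; }
    }

    // Denied signatures in the form declaringClass.method(paramType,...).
    private static final String[] DENIED_SIGNATURES = {
        "java.lang.Object.getClass()",
        "java.lang.Class.getClassLoader()",
        "java.lang.Class.forName(java.lang.String)",
        "java.lang.Runtime.getRuntime()",
        "java.lang.Runtime.exec(java.lang.String)",
        "java.lang.Thread.getContextClassLoader()",
    };

    // Classes no template may call methods on at all, whatever the method. This
    // closes the chain even if a reference to such an object reaches the template
    // through a path the signature list does not name.
    private static final Set<String> DENIED_CLASSES = new HashSet<>(Arrays.asList(
        "java.lang.Class", "java.lang.ClassLoader", "java.lang.Runtime",
        "java.lang.reflect.Method"));

    private final Set<String> deniedSignatures =
        new HashSet<>(Arrays.asList(DENIED_SIGNATURES));

    /** Canonical signature, e.g. "java.lang.Class.forName(java.lang.String)". */
    static String signature(Method m) {
        StringBuilder sb = new StringBuilder(m.getDeclaringClass().getName())
                .append('.').append(m.getName()).append('(');
        Class<?>[] params = m.getParameterTypes();
        for (int i = 0; i < params.length; i++) {
            if (i > 0) sb.append(',');
            sb.append(params[i].getName());
        }
        return sb.append(')').toString();
    }

    /** True only if receiver class, declaring class and signature are all permitted. */
    public boolean isAllowed(Object target, Method m) {
        if (DENIED_CLASSES.contains(target.getClass().getName())) return false;
        if (DENIED_CLASSES.contains(m.getDeclaringClass().getName())) return false;
        return !deniedSignatures.contains(signature(m));
    }

    /**
     * Resolves a public method by name and argument types, the way an engine
     * would for "$obj.name(args)", and invokes it only if the gate allows it.
     */
    public Object invoke(Object target, String name, Object... args) throws Exception {
        Class<?>[] argTypes = new Class<?>[args.length];
        for (int i = 0; i < args.length; i++) argTypes[i] = args[i].getClass();
        Method m = target.getClass().getMethod(name, argTypes);
        if (!isAllowed(target, m)) {
            // A real engine would also record the template name and line here.
            throw new SecurityException("template blocked from calling "
                    + signature(m) + " on " + target.getClass().getName());
        }
        return m.invoke(target, args);
    }

    public static void main(String[] args) throws Exception {
        MethodInvocationGate gate = new MethodInvocationGate();
        FakeRequest request = new FakeRequest();

        // A call a template legitimately needs: allowed.
        System.out.println(gate.invoke(request, "getParameter", "user"));

        // First hop of $request.getClass().getClassLoader(): refused, so the
        // rest of the chain is never reached.
        try {
            gate.invoke(request, "getClass");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }

        // Even a Class object obtained some other way is refused by the
        // receiver-class rule, not just by the signature list.
        try {
            gate.invoke(String.class, "getClassLoader");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Two points this makes concrete. First, a signature deny-list only helps if every route to the dangerous object is listed, which is why the gate also refuses by receiver class; an allow-list of the classes a template may touch is the stronger posture where the application can afford it. Second, on the cost question raised in the message: the check is two or three hash lookups per call and the result can be cached per `Method`, so an engine that makes the gate a pluggable introspector can leave applications that never accept third-party templates on the unchecked path.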

