velocity-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Henning P. Schmiedehausen" <>
Subject Re: user-written templates / reflection safety
Date Sun, 09 Oct 2005 09:15:19 GMT
Jason Pettiss <> writes:

>I agree with you, writing a language to guard against truly malicious 
>behavior only penalizes the rest of us.  But let's say you're a hosting 
>provider and you let people upload the scripts as part of their personal 
>hosting and you provide them all the APIs which you think are 'safe' and 
>will not be time consuming.  Then the question is-- what could you do to 
>keep them from hosing your server?

You would do what everyone that was ever involved with that kind of
shared hosting environment does: Limit the maximum run time of a
script. Like httpd does.

But counting iterations on a loop is IMHO not the right thing to do.

However, if you start optimizing an application to some border cases
(and IMHO having shared environments that allow potential malicious
users to upload templates is not actually a very common use case), you
must make sure that you neither penalize "regular" use cases nor go
overboard in what you restrict the regular use cases.

>From this comes reluctance to implement "feature of the day" that
might have popped up on a list somewhere. I understand that this is
often perceived as "developers not listening to users".

	Best regards

Dipl.-Inf. (Univ.) Henning P. Schmiedehausen          INTERMETA GmbH        +49 9131 50 654 0

RedHat Certified Engineer -- Jakarta Turbine Development  -- hero for hire
   Linux, Java, perl, Solaris -- Consulting, Training, Development

		      4 - 8 - 15 - 16 - 23 - 42

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message