velocity-user mailing list archives

From "Henning P. Schmiedehausen" <...@intermeta.de>
Subject Re: user-written templates / reflection safety
Date Sun, 09 Oct 2005 09:17:05 GMT
"Will Glass-Husain" <wglass@forio.com> writes:

>We host sensitive corporate information, so I'm most concerned about people
>accessing confidential data (or messing with server files).  Preventing
>reflection and changing the behavior of #include / #parse should be
>effective.  Preventing a DOS attack is harder.  I think our volume of users
>is low enough that when our "server-in-trouble" pager goes off I'd just kill
>the offender's account.  But practically speaking I don't expect this ever 
>to happen.

Don't think "malicious". Think "stupid". Every one of us has at some
point programmed endless loops in programs. While it is hard in
Velocity, it is not impossible. :-)

Limiting the runtime of a template is a possible option.

	Best regards
		Henning

-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen          INTERMETA GmbH
hps@intermeta.de        +49 9131 50 654 0   http://www.intermeta.de/

RedHat Certified Engineer -- Jakarta Turbine Development  -- hero for hire
   Linux, Java, perl, Solaris -- Consulting, Training, Development

		      4 - 8 - 15 - 16 - 23 - 42

---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-user-help@jakarta.apache.org

