velocity-user mailing list archives

From "Henning P. Schmiedehausen" <>
Subject Re: user-written templates / reflection safety
Date Sun, 09 Oct 2005 09:17:05 GMT
"Will Glass-Husain" <> writes:

>We host sensitive corporate information, so I'm most concerned about people
>accessing confidential data (or messing with server files).  Preventing
>reflection and changing the behavior of #include / #parse should be
>effective.  Preventing a DOS attack is harder.  I think our volume of users
>is low enough that when our "server-in-trouble" pager goes off I'd just kill
>the offender's account.  But practically speaking I don't expect this ever 
>to happen.

Don't think "malicious". Think "stupid". Every one of us has at some
point programmed endless loops in programs. While it is hard in
Velocity, it is not impossible. :-)

Limiting the runtime of a template is a possible option.

	Best regards

Dipl.-Inf. (Univ.) Henning P. Schmiedehausen          INTERMETA GmbH        +49 9131 50 654 0

RedHat Certified Engineer -- Jakarta Turbine Development  -- hero for hire
   Linux, Java, perl, Solaris -- Consulting, Training, Development

		      4 - 8 - 15 - 16 - 23 - 42
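
One way to limit the runtime of a user-written template, as suggested in the message above. This is an added example, not code from the thread or from the Velocity project; `BoundedRender` and `GuardedWriter` are hypothetical names, and the 500 ms and 1,000,000-character limits are assumed values.

```java
import java.io.FilterWriter;
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.util.concurrent.*;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

public class BoundedRender {
    // Hypothetical helper: aborts a render once a deadline or an output cap is exceeded.
    static final class GuardedWriter extends FilterWriter {
        private final long deadline, maxChars;
        private long written;
        GuardedWriter(Writer out, long timeoutMs, long maxChars) {
            super(out);
            this.deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(timeoutMs);
            this.maxChars = maxChars;
        }
        private void check(int n) throws IOException {
            written += n;
            if (written > maxChars) throw new IOException("template output limit exceeded");
            if (System.nanoTime() - deadline > 0) throw new IOException("template time limit exceeded");
        }
        @Override public void write(int c) throws IOException { check(1); super.write(c); }
        @Override public void write(char[] b, int off, int len) throws IOException { check(len); super.write(b, off, len); }
        @Override public void write(String s, int off, int len) throws IOException { check(len); super.write(s, off, len); }
    }

    // Renders user-supplied template text; the limits are assumed values, tune per deployment.
    static String render(VelocityEngine engine, String template, long timeoutMs) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            Future<String> job = pool.submit(() -> {
                StringWriter out = new StringWriter();
                engine.evaluate(new VelocityContext(), new GuardedWriter(out, timeoutMs, 1_000_000), "user-template", template);
                return out.toString();
            });
            // Backstop for a template that loops without writing anything: the caller is
            // released, but the worker is only interrupted, which a busy loop may ignore.
            return job.get(timeoutMs * 2, TimeUnit.MILLISECONDS);
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        engine.init();
        System.out.println(render(engine, "#foreach($i in [1..3])row $i #end", 500));
    }
}
```

The writer guard stops any loop that emits output, which covers most accidental runaway templates; the `Future` timeout only bounds how long the request waits.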
