velocity-user mailing list archives

From Ben <>
Subject Re: using Velocity in an untrusted environment
Date Wed, 05 Apr 2006 19:35:36 GMT
Thanks, that is the page I read about this problem from before. It has a
link to which has the
classloader patch. It also says the proposed patch has been accepted for
Velocity version 1.6, hence my question about the scheduled release date of
that version.

Also, I didn't see anywhere in that article about the ability to interrupt the
rendering process after, let's say, 5 seconds so that a single user doesn't
take up all resources on the server. Is that something which Velocity
currently supports or is scheduled to be supported in some future version, or do
I have to build that feature into my application, and if yes, can you
please suggest the best route to do this? Is there an interrupt method in
Velocity which I can call after 5 sec, let's say, which will interrupt the
rendering process?


----- Original Message ----- 
From: "Nathan Bubna" <>
To: "Velocity Users List" <>
Sent: Tuesday, April 04, 2006 2:59 PM
Subject: Re: using Velocity in an untrusted environment

On 4/4/06, Ben <> wrote:
> Hi all,
> I am thinking of using the Velocity engine in an e-commerce platform, where
> the users will be able to upload their own templates to customize the layout
> of their store. I've read somewhere that Velocity has a built-in security
> flaw, where people could do things like AnyClass.getClassLoader() and use that
> to load any Java class and basically do anything they want. I've also read
> about a patch being developed to address this issue which is scheduled to
> be integrated into Velocity version 1.6.
> I'm wondering, when is that version of Velocity scheduled to come out, and
> are there any other security related issues I should watch out for in my
> scenario, where basically people who upload templates are untrusted users?
> Also, does Velocity have a built-in timeout feature, where for example if
> any template takes more than 5 seconds to render, I'll be able to interrupt
> the rendering process? This feature is also important to me, as I don't
> want any single user to tie up all system resources.
> Thanks,
> Ben
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:


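The two controls Ben asks about (blocking the getClassLoader() escape and bounding render time per tenant) can be assembled on the application side without waiting for an engine-level interrupt API. The following is an added example written for this thread; it is not code from the Velocity project or from anyone in the discussion. It assumes Velocity 1.6 or later for the two configuration keys it sets (the SecureUberspector introspector and directive.foreach.maxloops); the class name BoundedRenderer, the DeadlineWriter wrapper, and the sample template are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.util.Properties;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

/** Renders untrusted (tenant-supplied) templates under a wall-clock budget. Example code only. */
public class BoundedRenderer {

    /** Writer wrapper: every write checks the deadline and the thread's interrupt flag. */
    static final class DeadlineWriter extends Writer {
        private final Writer out;
        private final long deadlineNanos;

        DeadlineWriter(Writer out, long budgetMillis) {
            this.out = out;
            this.deadlineNanos = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(budgetMillis);
        }

        private void check() throws IOException {
            // Velocity itself does not poll Thread.interrupt(); the template's own output
            // stream is the one point the engine reliably passes through, so we abort here.
            if (System.nanoTime() > deadlineNanos || Thread.currentThread().isInterrupted()) {
                throw new IOException("render budget exceeded");
            }
        }

        @Override public void write(char[] buf, int off, int len) throws IOException {
            check();
            out.write(buf, off, len);
        }
        @Override public void flush() throws IOException { out.flush(); }
        @Override public void close() throws IOException { out.close(); }
    }

    private final VelocityEngine engine;
    private final ExecutorService pool;
    private final long budgetMillis;

    public BoundedRenderer(int maxConcurrentRenders, long budgetMillis) {
        Properties props = new Properties();
        // Velocity 1.6+: introspector that refuses reflective escapes such as $obj.getClassLoader()
        props.setProperty("runtime.introspector.uberspect",
                "org.apache.velocity.util.introspection.SecureUberspector");
        // Velocity 1.6+: cap #foreach iterations so a runaway loop cannot spin indefinitely
        props.setProperty("directive.foreach.maxloops", "1000");
        engine = new VelocityEngine();
        engine.init(props);
        // Bounded pool: one tenant's slow templates cannot consume every server thread
        pool = Executors.newFixedThreadPool(maxConcurrentRenders);
        this.budgetMillis = budgetMillis;
    }

    /** Renders the template string, or throws TimeoutException once the budget is spent. */
    public String render(final String templateSource, final VelocityContext ctx)
            throws TimeoutException {
        final StringWriter buffer = new StringWriter();
        Future<String> job = pool.submit(new Callable<String>() {
            public String call() throws Exception {
                Writer w = new DeadlineWriter(buffer, budgetMillis);
                engine.evaluate(ctx, w, "tenant-template", templateSource);
                return buffer.toString();
            }
        });
        try {
            return job.get(budgetMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            job.cancel(true); // sets the interrupt flag; DeadlineWriter turns it into an abort
            throw e;
        } catch (ExecutionException e) {
            // parse errors, SecureUberspector refusals and DeadlineWriter aborts all land here
            throw new RuntimeException("template failed: " + e.getCause().getMessage(), e.getCause());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new RuntimeException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        BoundedRenderer renderer = new BoundedRenderer(4, 5000); // 5 s budget, 4 renders at once
        VelocityContext ctx = new VelocityContext();
        ctx.put("storeName", "Example Store"); // constructed sample data
        System.out.println(renderer.render("<h1>Welcome to $storeName</h1>", ctx));
    }
}
```

Two caveats worth keeping in mind. First, Future.cancel(true) only raises the interrupt flag; a template that computes without writing anything is not stopped by it, so the fixed-size pool is what actually protects the server in that case, and the caller should treat a timed-out worker as occupied until it finishes. Second, SecureUberspector addresses the reflection path named in the thread, but any object placed into the VelocityContext is still fully reachable, so the context handed to tenant templates should contain only plain data objects with no methods that touch files, the network, or the database.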
