velocity-user mailing list archives

From Ben <benja...@pcguy.org>
Subject using Velocity in an untrusted environment
Date Tue, 04 Apr 2006 18:49:15 GMT
Hi all,

I am thinking of using the Velocity engine in an e-commerce platform, where the 
users will be able to upload their own templates to customize the layout of 
their store. I've read somewhere that Velocity has a built-in security flaw, 
where people could do things like AnyClass.getClassLoader() and use that to 
load any Java class and basically do anything they want. I've also read 
about a patch being developed to address this issue which is scheduled to be 
integrated into Velocity version 1.6.

I'm wondering, when is that version of Velocity scheduled to come out, and 
are there any other security-related issues I should watch out for in my 
scenario, where basically people who upload templates are untrusted users.

Also, does Velocity have a built-in timeout feature, where for example if 
any template takes more than 5 seconds to render, I'll be able to interrupt 
the rendering process? This feature is also important to me, as I don't want 
any single user to tie up all system resources.

Thanks,
Ben 
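
One way to bound rendering time and output size from the calling side, as an added example that is not part of the original message or of Velocity's own code. `BoundedRender`, `BudgetWriter`, the pool size and the `"tenant"` log tag are hypothetical; it assumes `Velocity.init()` has already been called and relies only on `Velocity.evaluate` and `java.util.concurrent`.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.util.concurrent.*;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;

public class BoundedRender {
    /** Writer that refuses further output once the time or size budget is spent. */
    static final class BudgetWriter extends Writer {
        private final StringWriter out = new StringWriter();
        private final long deadlineNanos;
        private final int maxChars;
        BudgetWriter(long timeoutMillis, int maxChars) {
            this.deadlineNanos = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(timeoutMillis);
            this.maxChars = maxChars;
        }
        @Override public void write(char[] buf, int off, int len) throws IOException {
            // Checked on every write, so a template that keeps emitting text is cut off.
            if (System.nanoTime() - deadlineNanos > 0 || Thread.currentThread().isInterrupted())
                throw new IOException("render budget exceeded: time");
            if (out.getBuffer().length() + len > maxChars)
                throw new IOException("render budget exceeded: size");
            out.write(buf, off, len);
        }
        @Override public void flush() { }
        @Override public void close() { }
        @Override public String toString() { return out.toString(); }
    }

    // Dedicated, fixed-size pool: untrusted templates cannot occupy request threads.
    private static final ExecutorService POOL = Executors.newFixedThreadPool(4);

    /** Renders an untrusted template with an empty context, or throws if a budget is hit. */
    static String render(String template, long timeoutMillis, int maxChars) throws Exception {
        BudgetWriter w = new BudgetWriter(timeoutMillis, maxChars);
        // Empty context: expose no application objects to the uploaded template.
        Callable<Boolean> task = () -> Velocity.evaluate(new VelocityContext(), w, "tenant", template);
        Future<Boolean> f = POOL.submit(task);
        try {
            f.get(timeoutMillis, TimeUnit.MILLISECONDS); // caller stops waiting at the deadline
            return w.toString();
        } catch (TimeoutException e) {
            f.cancel(true); // sets the interrupt flag; the next write() then aborts the render
            throw e;
        }
    }
}
```

The caller is released at the deadline, but a template that loops without producing output keeps its worker thread busy until it next writes, so the pool size caps how many such renders can run at once. This wrapper limits resource use only and does nothing to restrict which classes or methods a template can reach.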


