velocity-user mailing list archives

From "Nathan Bubna" <nbu...@gmail.com>
Subject Re: using Velocity in an untrusted environment
Date Tue, 04 Apr 2006 18:59:42 GMT
http://wiki.apache.org/jakarta-velocity/BuildingSecureWebApplications

On 4/4/06, Ben <benjamin@pcguy.org> wrote:
> Hi all,
>
> I am thinking of using Velocity engine in an e-commerce platform, where the
> users will be able to upload their own templates to customize the layout of
> their store. I've read somewhere that Velocity has a built in security flaw,
> where people could do things like AnyClass.getClassLoader() and use that to
> load any java class and basically do anything they want. I've also read
> about a patch being developed to address this issue which is scheduled to be
> integrated into Velocity version 1.6.
>
> I'm wondering, when is that version of velocity scheduled to come out, and
> are there any other security related issues I should watch out for in my
> scenario, where basically people who upload templates are untrusted users.
>
> Also, does velocity have a built in timeout feature, where for example if
> any template takes more than 5 seconds to render, I'll be able to interrupt
> the rendering process? This feature is also important to me, as I don't want
> any single user to tie up all system resources.
>
> Thanks,
> Ben
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: velocity-user-help@jakarta.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-user-help@jakarta.apache.org
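The classloader escape Ben describes, and the two controls a practitioner would want around it, as an added example that is not part of this thread and not the Velocity project's own code. It assumes the Velocity 1.5+ API (VelocityEngine, the SecureUberspector introspector and the velocity.properties keys runtime.introspector.uberspect, introspector.restrict.packages and directive.foreach.maxloops); the Store bean and both template strings are constructed for the demo, and the exact text Velocity emits for a refused reference is an assumption noted in the comments.

```java
import java.io.StringWriter;
import java.util.Properties;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

/**
 * Added example, not from the thread: renders a merchant-supplied template
 * once with Velocity's default introspector and once with SecureUberspector
 * (Velocity 1.5+), and wraps rendering in a wall-clock budget.
 */
public class UntrustedTemplateDemo {

    /** Hypothetical bean a merchant's template is allowed to read. */
    public static class Store {
        public String getName() { return "Example Store"; }
    }

    /** Constructed attacker template: walks from a harmless bean to its
     *  ClassLoader, the escape route the question above is worried about. */
    static final String ESCAPE_TEMPLATE = "$store.name / $store.class.classLoader";

    /** Constructed CPU-burning template: nested loops over eager ranges. */
    static final String RUNAWAY_TEMPLATE =
        "#set($i = 0)#foreach($a in [1..100000])#foreach($b in [1..100000])"
        + "#set($i = $i + 1)#end#end$i";

    static VelocityEngine engine(boolean secure) throws Exception {
        Properties p = new Properties();
        if (secure) {
            // Refuses method calls on java.lang.Class, ClassLoader, Runtime,
            // System, Thread and friends (the documented default restrict list).
            p.setProperty("runtime.introspector.uberspect",
                "org.apache.velocity.util.introspection.SecureUberspector");
            // Also keep reflection out of reach.
            p.setProperty("introspector.restrict.packages", "java.lang.reflect");
        }
        // Cap every #foreach (default -1 = unlimited); cheap guard against loops.
        p.setProperty("directive.foreach.maxloops", "10000");
        VelocityEngine ve = new VelocityEngine();
        ve.init(p);
        return ve;
    }

    static String render(VelocityEngine ve, String template) throws Exception {
        VelocityContext ctx = new VelocityContext();
        ctx.put("store", new Store());
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "merchant-template", template);
        return out.toString();
    }

    /** Renders under a time budget. Caveat: Velocity does not poll
     *  Thread.interrupt(), so cancel(true) will not stop a render that is
     *  already spinning; the bounded pool plus maxloops is the real limit. */
    static String renderWithTimeout(final VelocityEngine ve, final String template,
                                    long seconds) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Future<String> f = pool.submit(new Callable<String>() {
            public String call() throws Exception { return render(ve, template); }
        });
        try {
            return f.get(seconds, TimeUnit.SECONDS);
        } catch (TimeoutException e) {
            f.cancel(true);
            throw new RuntimeException("template exceeded " + seconds + "s budget");
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        // Default introspector: resolves to a live ClassLoader (e.g. the app classloader).
        System.out.println("default : " + render(engine(false), ESCAPE_TEMPLATE));
        // SecureUberspector: the getClassLoader call is refused and logged; in
        // non-strict mode the reference is expected to render unresolved (assumption).
        System.out.println("secure  : " + render(engine(true), ESCAPE_TEMPLATE));
        // Each loop is cut at 10000 iterations; anything slower than 5s is rejected.
        System.out.println("runaway : " + renderWithTimeout(engine(true), RUNAWAY_TEMPLATE, 5));
    }
}
```

The point of the second and third calls is that the introspector decides what an untrusted template can reach, while the timeout only bounds how long the request waits: since the render thread cannot be killed, run untrusted templates on a dedicated, bounded pool and keep maxloops set so a stuck worker is a capped cost rather than a pinned core.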