velocity-user mailing list archives

From "Nathan Bubna" <>
Subject Re: using Velocity in an untrusted environment
Date Tue, 04 Apr 2006 18:59:42 GMT

On 4/4/06, Ben <> wrote:
> Hi all,
> I am thinking of using Velocity engine in an e-commerce platform, where the
> users will be able to upload their own templates to customize the layout of
> their store. I've read somewhere that Velocity has a built-in security flaw,
> where people could do things like AnyClass.getClassLoader() and use that to
> load any java class and basically do anything they want. I've also read
> about a patch being developed to address this issue which is scheduled to be
> integrated into Velocity version 1.6
> I'm wondering, when is that version of velocity scheduled to come out, and
> are there any other security related issues I should watch out for in my
> scenario, where basically people who upload templates are untrusted users.
> Also, does velocity have a built-in timeout feature, where for example if
> any template takes more than 5 seconds to render, I'll be able to interrupt
> the rendering process? This feature is also important to me, as I don't want
> any single user to tie up all system resources.
> Thanks,
> Ben