velocity-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nathan Bubna" <nbu...@gmail.com>
Subject Re: using Velocity in an untrusted environment
Date Wed, 05 Apr 2006 20:48:03 GMT
Well, this is really more Will's area of expertise.  I have the luxury
of not letting users of my apps define their own templates.  So, i've
not had any need to use a JavaSecurityManager.

The language in the article is a little unclear.  Version 1.6 has not
started development yet.  We are still tweaking 1.5 in our
collectively scarce free time.  It's more that the patch in question
has been put on the roadmap for 1.6.

In the meantime, the info and references in
http://issues.apache.org/jira/browse/VELOCITY-179 should provide a
number of options for restricting classloader use in your user's
templates.

As far as interrupting template processing...  i've been in this
community for about five years and i can't recall anyone else ever
asking for or needing this.  so, no, this is supported nor is it
scheduled to be.    i can't imagine that it would be difficult to
implement using Threads.  if you come up with something useful here,
you might consider sharing it with the community. :)

On 4/5/06, Ben <benjamin@pcguy.org> wrote:
> Thanks, that is the page i read about this problem from before. It has a
> link to http://issues.apache.org/jira/browse/VELOCITY-179 which has the
> classloader patch. It aslo says the proposed patch has been accepted for
> velocity version 1.6, hence my question about the scheduled release date of
> that version.
>
> Also didn't see anywhere in that article about the ability to interrupt the
> rendering process after let's say 5 seconds so that a single user doesn't
> take up all resources on the server. Is that something which velocity
> currently supports/is cheduled to be supported in some future version, or do
> i have to built in that feature in my application, and if yes, can you
> please suggest the best route to do this? Is there an interrupt method in
> velocity which i can call after 5 sec, let's say, which will interrupt the
> rendering process?
>
> Thanks,
> Ben
>
> ----- Original Message -----
> From: "Nathan Bubna" <nbubna@gmail.com>
> To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> Sent: Tuesday, April 04, 2006 2:59 PM
> Subject: Re: using Velocity in an untrusted environment
>
>
> http://wiki.apache.org/jakarta-velocity/BuildingSecureWebApplications
>
> On 4/4/06, Ben <benjamin@pcguy.org> wrote:
> > Hi all,
> >
> > I am thinking of using Velocity engine in an e-commerce platform, where
> > the
> > users will be able to upload their own templates to customize the layout
> > of
> > their store. I've read somewhere that Velocity has a built in security
> > flaw,
> > where peole could do things like AnyClass.getClassLoader() and use that to
> > load any java class and basically do anything they want. I've also read
> > about a patch being developed to address this issue which is scheduled to
> > be
> > integrated into Velocity version 1.6
> >
> > I'm wondering, when is that version of velocity scheduled to come out, and
> > are there any other security related issues i should watch out for in my
> > scenario, where basically people who upload templates are untrusted users.
> >
> > Also, does velocity have a built in timeout feature, where for example if
> > any template takes more than 5 seconds to render, I'll be able to
> > interrupt
> > the rendering process? This feature is also important to me, as I don't
> > want
> > any single user to tie up all system resources.
> >
> > Thanks,
> > Ben
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: velocity-user-help@jakarta.apache.org
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: velocity-user-help@jakarta.apache.org
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: velocity-user-help@jakarta.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-user-help@jakarta.apache.org


Mime
View raw message