Re: Dereferencing a Reference

2006-06-08 Thread Nathan Bubna

#set( $systemClass = $secureHashMap.class.forName("java.lang.System") )
#set( $exitMethod = $systemClass.getMethod("exit", $null) )
$exitMethod.invoke($null, $null)

In other words, if you allow untrusted parties to create and run
templates on your system, you need to read
http://wiki.apache.org/jakarta-velocity/BuildingSecureWebApplications
and configure a Java Security Manager to restrict access to such
things.

A quick look through the public methods in the public java.lang.Object
and java.lang.Class classes shows all sorts of mischief an untrusted
template creator could cause.

On 6/8/06, Barbara Baughman [EMAIL PROTECTED] wrote:

I thought the discussion was about not allowing template designers to
arbitrarily create objects (aside from the on-the-fly lists, Integers,
and Strings).  That IS a security problem.  However, I think the
programmer should keep control of the methods by not passing classes
in the context with dangerous methods.  My policy with Velocity is
to only pass immutable classes to the context.

BTW, I never pass a HashMap to the context.  I have created a class
called SecureHashMap that looks exactly like HashMap but overrides all
methods that would change the content so they do nothing.  So in
actual practice, my last line would read:
ctx.put("map", new SecureHashMap<String, String>(hm));

Barbara Baughman
X2157


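Added example (mine, not from the thread and not Velocity project code): the reflection chain Nathan sketches above, run once against a plain VelocityEngine and once with the SecureUberspector that Velocity 1.5 and later ship (selected through the runtime.introspector.uberspect property; that release postdates this thread, so this is an assumption about a later Velocity, not something the thread describes). The class name HardenedVelocity, the map contents and the template text are constructed for the example, and the hostile template deliberately stops at the Class lookup instead of calling exit.

```java
import java.io.StringWriter;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

public class HardenedVelocity {

    // Template text as an untrusted author might write it (constructed for this
    // example). It climbs from an ordinary context object to java.lang.Class and
    // then to java.lang.System, which is exactly the first step of the chain above.
    static final String HOSTILE =
          "#set( $systemClass = $map.class.forName(\"java.lang.System\") )\n"
        + "class=[$!systemClass] map.a=$map.get(\"a\")\n";

    static VelocityEngine newEngine(boolean hardened) throws Exception {
        VelocityEngine ve = new VelocityEngine();
        if (hardened) {
            // Assumption: Velocity 1.5+. SecureUberspector refuses method lookups on
            // java.lang.Class, ClassLoader, Thread, System and a few others; the list
            // is configurable via introspector.restrict.classes / .packages.
            ve.setProperty("runtime.introspector.uberspect",
                "org.apache.velocity.util.introspection.SecureUberspector");
        }
        ve.init();
        return ve;
    }

    static String render(VelocityEngine ve, String template) throws Exception {
        Map<String, String> data = new HashMap<String, String>();
        data.put("a", "apple");
        VelocityContext ctx = new VelocityContext();
        // A read-only view stops Map.put() from a template, but on its own it does
        // nothing about reflection: getClass() is still a public method on it.
        ctx.put("map", Collections.unmodifiableMap(data));
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "untrusted-template", template);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.print("unhardened: " + render(newEngine(false), HOSTILE));
        System.out.print("hardened:   " + render(newEngine(true), HOSTILE));
    }
}
```

With the plain engine the first line renders class=[class java.lang.System], i.e. the template reached java.lang.System through the map's getClass(); with SecureUberspector the forName lookup is refused (Velocity logs a warning that the method cannot be retrieved due to security restrictions), the #set leaves $systemClass unset and the line renders class=[], while $map.get("a") keeps working. SecureUberspector is a denylist on introspection, not a sandbox: any object you put in the context, including tool objects, is still fully reachable through its own public methods, so keep the context to immutable value objects as Barbara suggests. The Java Security Manager that the wiki page above recommends as the outer layer is deprecated for removal since JDK 17 (JEP 411), so on current JVMs the introspection restrictions and a small context are the controls you actually have.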
Re: Dereferencing a Reference

2006-06-08 Thread Keith R. Bennett

Barbara -

Jakarta Commons Collections has all kinds of neat classes and utilities 
for this kind of thing.  While unfortunately they don't support 
generics, larvalabs has a product that does.  The URL 
http://collections.sourceforge.net redirects to 
http://larvalabs.com/collections/.  The download page is at 
http://sourceforge.net/project/showfiles.php?group_id=139125.  However, 
the most recent version is 4.0 Beta 3 dated July 7, 2005.


The link to their javadoc is 
http://mail-archives.apache.org/mod_mbox/jakarta-velocity-user/, and you 
can find the class UnmodifiableMap.


Regards,
Keith

Barbara Baughman wrote:


BTW, I never pass a HashMap to the context.  I have created a class
called SecureHashMap that looks exactly like HashMap but overrides all
methods that would change the content so they do nothing.  So in
actual practice, my last line would read:
ctx.put("map", new SecureHashMap<String, String>(hm));

Barbara Baughman
 




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Dereferencing a Reference

2006-06-08 Thread Barbara Baughman
Cool.  Thanks.

Barbara Baughman
X2157

On Thu, 8 Jun 2006, Keith R. Bennett wrote:

 Barbara -

 Jakarta Commons Collections has all kinds of neat classes and utilities
 for this kind of thing.  While unfortunately they don't support
 generics, larvalabs has a product that does.  The URL
 http://collections.sourceforge.net redirects to
 http://larvalabs.com/collections/.  The download page is at
 http://sourceforge.net/project/showfiles.php?group_id=139125.  However,
 the most recent version is 4.0 Beta 3 dated July 7, 2005.

 The link to their javadoc is
 http://mail-archives.apache.org/mod_mbox/jakarta-velocity-user/, and you
 can find the class UnmodifiableMap.

 Regards,
 Keith



Re: Dereferencing a Reference

2006-06-07 Thread Barbara Baughman
Try using a Map interface object like HashMap or TreeMap.

HashMap<String, String> hm = new HashMap<String, String>();
hm.put("a", "apple");
hm.put("b", "blueberry");
ctx.put("map", hm);

Then in Velocity:

#foreach ($key in $map.keySet())
  $key  $map.get($key)
#end

Barbara Baughman
X2157

On Wed, 7 Jun 2006, Keith R. Bennett wrote:

 What Velocity template code can I use to get a list of keys and iterate
 over that list, getting the value corresponding to each key?  Here is
 what I've tried so far:

 Before calling Velocity, I place the list of keys plus each key/value
 pair in the context.  For example:

 --
 String[] letters = { "a", "b" };
 context.put("letters", letters);
 context.put("a", "apple");
 context.put("b", "blueberry");
 --

 In the template I have:

 --
 $a
 $b

 #foreach ( $letter in $letters )
 $letter
 ${${letter}}## <-- This is the line in question
 #end
 --

 However, the output is:

 --
 apple
 blueberry

 a
 ${a}
 b
 ${b}
 --

 The ${a} and ${b} above should be apple and blueberry instead.

 What can I use in the line in question to dereference the reference?

 Also, is there a better way of accomplishing my goal, which is this?:

 I have an app that will have database records of arbitrary type.  The
 record metadata allows me to get the field names with which to populate
 the Velocity context.  The record itself has, of course, the data.  I
 want the Velocity template designer to be able to loop through the
 fields in the database record without knowing its format at design time,
 as in:

 #foreach ($fieldName in $field_names)
   <$fieldName>
 ...  ## put the field's value here, as in my vain attempt above
  ## with ${${fieldName}}
   </$fieldName>
 #end

 The data record is not a Java object with named field member variables,
 so I can't use the Java Bean approach.  Perhaps I could create a class
 dynamically at runtime, but I expect this would be overkill.

 Thanks for any help you can offer.

 - Keith





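Added example (mine, not from the thread and not Velocity or Commons Collections code): Barbara's record-as-Map approach carried through for Keith's case, where the field names are only known from the record metadata. It uses a LinkedHashMap so the template sees the fields in column order, and java.util.Collections.unmodifiableMap from the JDK in place of Commons Collections' UnmodifiableMap or a hand-written SecureHashMap; unlike a map whose mutators silently do nothing, this one makes a write from a template fail loudly, which the second template shows. The class name RecordTemplate, the field names and the values are constructed; a real application would take them from its metadata and record. Velocity 1.x API assumed.

```java
import java.io.StringWriter;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.exception.MethodInvocationException;

public class RecordTemplate {

    // Field names as the record metadata would report them (constructed).
    static final String[] FIELD_NAMES = { "id", "name", "email" };
    // One record's values in the same order; null stands in for a NULL column.
    static final Object[] VALUES = { Integer.valueOf(42), "Keith", null };

    // Build an insertion-ordered, read-only map: the template iterates the
    // fields in column order and cannot change them. Collections.unmodifiableMap
    // throws UnsupportedOperationException on write rather than ignoring it.
    static Map<String, Object> toRecord(String[] names, Object[] values) {
        if (names.length != values.length) {
            throw new IllegalArgumentException("metadata/value count mismatch");
        }
        Map<String, Object> record = new LinkedHashMap<String, Object>();
        for (int i = 0; i < names.length; i++) {
            record.put(names[i], values[i]);
        }
        return Collections.unmodifiableMap(record);
    }

    // The loop Keith asked for: one <field>value</field> line per field, with no
    // field names baked into the template. $! renders a null value as empty text.
    static final String TEMPLATE =
          "#foreach( $field in $record.keySet() )\n"
        + "<$field>$!record.get($field)</$field>\n"
        + "#end\n";

    // Same context, but this template tries to modify the record.
    static final String TAMPERING =
          "#set( $ignored = $record.put(\"name\", \"Mallory\") )\n"
        + "$record.get(\"name\")\n";

    static String render(String template, Map<String, Object> record) throws Exception {
        VelocityEngine ve = new VelocityEngine();
        ve.init();
        VelocityContext ctx = new VelocityContext();
        ctx.put("record", record);
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "record-template", template);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> record = toRecord(FIELD_NAMES, VALUES);
        System.out.print(render(TEMPLATE, record));
        try {
            render(TAMPERING, record);
        } catch (MethodInvocationException e) {
            // Velocity wraps the map's UnsupportedOperationException; the template
            // that tried to write is named in the exception rather than ignored.
            System.out.println("template write rejected: " + e.getWrappedThrowable());
        }
    }
}
```

The first render prints <id>42</id>, <name>Keith</name> and <email></email> on separate lines; the second never reaches $record.get("name") because the put() call throws and Velocity surfaces it as a MethodInvocationException. Two caveats: the values are written verbatim, so if the output is consumed as XML or HTML they need escaping before or during rendering; and, as the message at the top of this page shows, a read-only map is still an ordinary object to the introspector, so it does not by itself stop a template author from reaching getClass().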
Re: Dereferencing a Reference

2006-06-07 Thread Keith R. Bennett

Barbara -

Thank you, that worked beautifully.

I remember reading somewhere, though, that allowing a template to call 
arbitrary methods (that is, methods other than bean-like getters) on 
classes was dangerous, and that support for it might be eliminated in a 
future version.  Is this true, and if so, would it affect Map.get()?


- Keith


Barbara Baughman wrote:


Try using a Map interface object like HashMap or TreeMap.

HashMap<String, String> hm = new HashMap<String, String>();
hm.put("a", "apple");
hm.put("b", "blueberry");
ctx.put("map", hm);

Then in Velocity:

#foreach ($key in $map.keySet())
 $key  $map.get($key)
#end

Barbara Baughman
X2157




Re: Dereferencing a Reference

2006-06-07 Thread Nathan Bubna

Allowing a template to call arbitrary methods is only dangerous if you
are allowing 3rd-parties to create templates and do not have your java
security policies properly configured for that.

Calling arbitrary methods does also allow for bad design if you allow
methods which change model state to be called.

I would say it is likely that we will someday block dangerous
methods by default (or with a simple switch).  However, it is
extremely unlikely that we would go so far as to block method calls
that would lead to bad design, and we will definitely never block
Map.get(). :)

On 6/7/06, Keith R. Bennett [EMAIL PROTECTED] wrote:

Barbara -

Thank you, that worked beautifully.

I remember reading somewhere, though, that allowing a template to call
arbitrary methods (that is, methods other than bean-like getters) on
classes was dangerous, and that support for it might be eliminated in a
future version.  Is this true, and if so, would it affect Map.get()?

- Keith