Bojan,

Just move the code you wrote into a context object, reference it and
poof! Velocity gets OutOfMemory, too. Bad code is limited to front ends.

Velocity is nice. It is an excellent project, and Geir is possibly the
most responsive and helpful project leader I have ever encountered.

But there IS programming in a Velocity page--it's just in Yet Another
Templating Language, one that both your developers and your web
designers have to learn. That creates opportunities for confusion.
(Especially where velocimacros are involved.) 

> -----Original Message-----
> From: Bojan Smojver [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, September 25, 2002 10:34 PM
> To: Tomcat Developers List
> Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source 
> disclosure vulnerability
> 
> 
> Not if:
> 
> runtime.interpolate.string.literals = false
> 
> Bojan
> 
> Quoting Tim Funk <[EMAIL PROTECTED]>:
> 
> > That's what code reviews are for and in absence of that - firing your
> > developers.
> > 
> > Wouldn't I also get an out of memory with this in Velocity?
> > 
> > #set($oom = "0000000000000000000000000000000000000000000000000000" )
> > #foreach( $i in [-2147483648..2147483648] ) #set($oom = "$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom" ) #end
> > 
> > Bad code can kill ANY system for the determined(disgruntled) 
> > developer.
> > 
> > 
> > Bojan Smojver wrote:
> > > All right then, let's talk about JSP's. If I host my clients' JSP's on my
> > > server and a web designer puts this in (BTW, he wasn't forced, he simply
> > > decided he wanted to do it):
> > > 
> > > -----------------------------------------------
> > >     Hashtable strings = new Hashtable();
> > >     int i=0;
> > >     while (true)
> > >     {
> > >         strings.put ("dead"+i, new StringBuffer(999999));
> > >         i++;
> > >     }
> > > -----------------------------------------------

