Quoting Steve Downey <[EMAIL PROTECTED]>:
> Perhaps you would prefer this exploit?
>
>
http://localhost:8080/velexample/servlet/org.apache.catalina.servlets.DefaultServlet/sample.vm
>
> Horrors! Velocity is insecure!
>
> The DefaultServlet exploit is a general security problem in Tomcat. JSP may
> be
> somewhat more vulnerable, due to the (somewhat naieve) expectation that the
> source will be confidential, but it's not really JSP per se that is at
> fault.
Actually, there is a big difference here. You're assuming that Velocity macro
pages are programs (well, classes) like JSP's and therefore probably contain
security sensitive information. Usually what you'll see is something like this:
----------------------------------------
#foreach($role in $roles)
#if($fields.rolename && $fields.rolename==$role.rolename)
<option selected="selected">$role.rolename</option>
#else
<option>$role.rolename</option>
#end
#end
----------------------------------------
This is a (very typical) snippet from a VM that does editing of Tomcat
users/roles database in one of my applications. I don't care if people see that
code at all because the template doesn't do anything but templating. The beef if
elsewhere (i.e. MVC).
Bojan
PS. Glenn, my apologies, I was just answering a direct question.
-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
