Hi all,

I am thinking of using the Velocity engine in an e-commerce platform, where the users will be able to upload their own templates to customize the layout of their store. I've read somewhere that Velocity has a built-in security flaw, where people could do things like AnyClass.getClassLoader() and use that to load any Java class and basically do anything they want. I've also read about a patch being developed to address this issue which is scheduled to be integrated into Velocity version 1.6.

I'm wondering, when is that version of Velocity scheduled to come out, and are there any other security-related issues I should watch out for in my scenario, where basically people who upload templates are untrusted users.

Also, does Velocity have a built-in timeout feature, where for example if any template takes more than 5 seconds to render, I'll be able to interrupt the rendering process? This feature is also important to me, as I don't want any single user to tie up all system resources.

Thanks,
Ben
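
Added example, not part of the original post and not Velocity project code: one way to cover both concerns raised above, the reflective classloader access and the 5-second render limit. It assumes Velocity 1.6 or later, where the SecureUberspector class and the 1.x property keys `runtime.introspector.uberspect` and `directive.foreach.maxloops` are available; the class name UntrustedTemplateRenderer and the sample template are constructed for illustration.

```java
import java.io.StringWriter;
import java.util.concurrent.*;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

// Hypothetical wrapper for rendering templates supplied by untrusted users.
public class UntrustedTemplateRenderer {
    private final VelocityEngine engine = new VelocityEngine();
    private final ExecutorService pool = Executors.newCachedThreadPool();

    public UntrustedTemplateRenderer() throws Exception {
        // Refuse reflective calls (java.lang.Class, ClassLoader, Thread, ...) from templates.
        engine.setProperty("runtime.introspector.uberspect",
                "org.apache.velocity.util.introspection.SecureUberspector");
        // Bound #foreach so a single template cannot iterate without limit.
        engine.setProperty("directive.foreach.maxloops", "1000");
        engine.init();
    }

    // Renders on a worker thread and gives up after timeoutMs milliseconds.
    public String render(final String template, final VelocityContext ctx, long timeoutMs)
            throws Exception {
        Future<String> job = pool.submit(new Callable<String>() {
            public String call() throws Exception {
                StringWriter out = new StringWriter();
                engine.evaluate(ctx, out, "user-template", template);
                return out.toString();
            }
        });
        try {
            return job.get(timeoutMs, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // cancel(true) only interrupts; it cannot forcibly stop a busy thread,
            // which is why the loop cap above is set as well.
            job.cancel(true);
            throw e;
        }
    }

    public void shutdown() { pool.shutdownNow(); }

    public static void main(String[] args) throws Exception {
        UntrustedTemplateRenderer r = new UntrustedTemplateRenderer();
        VelocityContext ctx = new VelocityContext();
        ctx.put("store", new Object());   // constructed sample value
        // Constructed template: tries the classloader access described in the post.
        String tpl = "loader: $store.getClass().getClassLoader()";
        System.out.println(r.render(tpl, ctx, 5000));
        r.shutdown();
    }
}
```

Only objects placed in the context are reachable from a template, so keeping that set small and free of service or request objects limits what an uploaded template can touch regardless of the introspector in use.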

