Repository: wicket Updated Branches: refs/heads/wicket-6.x efa38e797 -> 3e418cd4a
WICKET-5927 Velocity Remote Code Exception Use custom velocity.properties for wicket-examples that is more strict and doesn't allow usage of class loaders Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/3e418cd4 Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/3e418cd4 Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/3e418cd4 Branch: refs/heads/wicket-6.x Commit: 3e418cd4a22b1af3a854cfb994166b40f53915d3 Parents: efa38e7 Author: Martin Tzvetanov Grigorov <[email protected]> Authored: Fri Jun 19 14:15:20 2015 +0300 Committer: Martin Tzvetanov Grigorov <[email protected]> Committed: Fri Jun 19 14:15:20 2015 +0300 ---------------------------------------------------------------------- .../main/webapp/META-INF/velocity.properties | 167 +++++++++++++++++++ wicket-examples/src/main/webapp/WEB-INF/web.xml | 5 + 2 files changed, 172 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/wicket/blob/3e418cd4/wicket-examples/src/main/webapp/META-INF/velocity.properties ----------------------------------------------------------------------
diff --git a/wicket-examples/src/main/webapp/META-INF/velocity.properties b/wicket-examples/src/main/webapp/META-INF/velocity.properties
new file mode 100644
index 0000000..1adfee6
--- /dev/null
+++ b/wicket-examples/src/main/webapp/META-INF/velocity.properties
@@ -0,0 +1,167 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#----------------------------------------------------------------------------
+# These are the default properties for the
+# Velocity Runtime. These values are used when
+# Runtime.init() is called, and when Runtime.init(properties)
+# fails to find the specificed properties file.
+#----------------------------------------------------------------------------
+
+#----------------------------------------------------------------------------
+# R U N T I M E L O G
+#----------------------------------------------------------------------------
+
+#----------------------------------------------------------------------------
+# default LogSystem to use: default: AvalonLogSystem
+#----------------------------------------------------------------------------
+
+#runtime.log.logsystem.class = org.apache.velocity.runtime.log.AvalonLogSystem,org.apache.velocity.runtime.log.SimpleLog4JLogSystem
+runtime.log.logsystem.class = org.apache.velocity.runtime.log.SimpleLog4JLogSystem
+
+#---------------------------------------------------------------------------
+# This is the location of the Velocity Runtime log.
+#----------------------------------------------------------------------------
+
+runtime.log = velocity.log
+
+#----------------------------------------------------------------------------
+# This controls if Runtime.error(), info() and warn() messages include the
+# whole stack trace. The last property controls whether invalid references
+# are logged.
+#----------------------------------------------------------------------------
+
+runtime.log.error.stacktrace = false
+runtime.log.warn.stacktrace = false
+runtime.log.info.stacktrace = false
+runtime.log.invalid.reference = true
+
+#----------------------------------------------------------------------------
+# Configuration for the Log4JLogSystem.
+# You must define the runtime.log.logsystem.class property to be:
+# org.apache.velocity.runtime.log.Log4JLogSystem
+#
+# You must also include Log4J's .jar files into your classpath. They are
+# included with the Velocity distribution in the build/lib directory.
+#
+# There are several different options that you can configure.
+# Uncomment the ones that you want and also define their settings.
+#----------------------------------------------------------------------------
+runtime.log.logsystem.log4j.pattern=%d - %m%n
+runtime.log.logsystem.log4j.file.size=100000
+runtime.log.logsystem.log4j.file.backups=1
+#runtime.log.logsystem.log4j.syslogd.host=my.syslog.server.com
+#runtime.log.logsystem.log4j.syslogd.facility=LOG_DAEMON
+#runtime.log.logsystem.log4j.remote.host=my.remote.server.com
+#runtime.log.logsystem.log4j.remote.port=1099
+#runtime.log.logsystem.log4j.email.server=localhost
+#runtime.log.logsystem.log4j.email.from=root@localhost
+#runtime.log.logsystem.log4j.email.to=root@localhost
+#runtime.log.logsystem.log4j.email.subject=Velocity Error Report
+#runtime.log.logsystem.log4j.email.buffer.size=512
+
+#----------------------------------------------------------------------------
+# T E M P L A T E E N C O D I N G
+#----------------------------------------------------------------------------
+
+input.encoding=ISO-8859-1
+output.encoding=ISO-8859-1
+
+#----------------------------------------------------------------------------
+# F O R E A C H P R O P E R T I E S
+#----------------------------------------------------------------------------
+# These properties control how the counter is accessed in the #foreach
+# directive. By default the reference $velocityCount will be available
+# in the body of the #foreach directive. The default starting value
+# for this reference is 1.
+#----------------------------------------------------------------------------
+
+directive.foreach.counter.name = velocityCount
+directive.foreach.counter.initial.value = 1
+
+#----------------------------------------------------------------------------
+# I N C L U D E P R O P E R T I E S
+#----------------------------------------------------------------------------
+# These are the properties that governed the way #include'd content
+# is governed.
+#----------------------------------------------------------------------------
+
+directive.include.output.errormsg.start = <!-- include error :
+directive.include.output.errormsg.end = see error log -->
+
+#----------------------------------------------------------------------------
+# P A R S E P R O P E R T I E S
+#----------------------------------------------------------------------------
+
+directive.parse.max.depth = 10
+
+#----------------------------------------------------------------------------
+# T E M P L A T E L O A D E R S
+#----------------------------------------------------------------------------
+#
+#
+#----------------------------------------------------------------------------
+
+resource.manager.logwhenfound=true
+resource.loader=file,class
+
+file.resource.loader.description=Velocity File Resource Loader
+file.resource.loader.class=org.apache.velocity.runtime.resource.loader.FileResourceLoader
+file.resource.loader.path=.
+file.resource.loader.cache=false
+file.resource.loader.modificationCheckInterval=1
+
+class.resource.loader.description=Velocity Classpath Resource Loader
+class.resource.loader.class=org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
+class.resource.loader.cache=false
+class.resource.loader.modificationCheckInterval=1
+
+
+#----------------------------------------------------------------------------
+# VELOCIMACRO PROPERTIES
+#----------------------------------------------------------------------------
+# global : name of default global library. It is expected to be in the regular
+# template path. You may remove it (either the file or this property) if
+# you wish with no harm.
+#----------------------------------------------------------------------------
+#velocimacro.library = /WEB-INF/VM_global_library.vm
+
+velocimacro.permissions.allow.inline = true
+velocimacro.permissions.allow.inline.to.replace.global = false
+velocimacro.permissions.allow.inline.local.scope = false
+
+velocimacro.context.localscope = false
+
+#----------------------------------------------------------------------------
+# INTERPOLATION
+#----------------------------------------------------------------------------
+# turn off and on interpolation of references and directives in string
+# literals. ON by default :)
+#----------------------------------------------------------------------------
+runtime.interpolate.string.literals = true
+
+#----------------------------------------------------------------------------
+# RESOURCE MANAGEMENT
+#----------------------------------------------------------------------------
+# Allows alternative ResourceManager and ResourceCache implementations
+# to be plugged in.
+#----------------------------------------------------------------------------
+resource.manager.class = org.apache.velocity.runtime.resource.ResourceManagerImpl
+resource.manager.cache.class = org.apache.velocity.runtime.resource.ResourceCacheImpl
+
+
+# WICKET-5927
+runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector
+runtime.references.strict=true
http://git-wip-us.apache.org/repos/asf/wicket/blob/3e418cd4/wicket-examples/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/wicket-examples/src/main/webapp/WEB-INF/web.xml b/wicket-examples/src/main/webapp/WEB-INF/web.xml
index ed0a221..6d3c1e8 100644
--- a/wicket-examples/src/main/webapp/WEB-INF/web.xml
+++ b/wicket-examples/src/main/webapp/WEB-INF/web.xml
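Review bot: The `# WICKET-5927` comment above the last two properties does not say what they change, so nothing stops a later tidy-up from dropping either line; I would expand it to `# WICKET-5927: SecureUberspector refuses template access to the classes/packages listed in introspector.restrict.classes / introspector.restrict.packages (ClassLoader, reflection); strict references make unresolved references fail instead of rendering as-is`. This file sets neither `introspector.restrict.classes` nor `introspector.restrict.packages`, so what the uberspector actually blocks depends on the defaults shipped with whichever Velocity version is on the classpath — worth stating in that comment, since an upgrade would change the list silently. `runtime.references.strict=true` is also a behavioural change beyond the class-loader fix: example templates that reference an undefined variable or call a method on a null reference will now raise an exception at render time rather than produce output, which presumably needs a pass over the existing example templates. The header comment `These are the default properties for the Velocity Runtime` was copied from the stock Velocity file and no longer describes this one, which is the examples' tightened configuration. `file.resource.loader.path=.` resolves against the JVM's working directory, so the file loader's template root depends on how the container is launched; if the examples only load classpath templates, `resource.loader=class` alone would remove that dependency and one loader from the surface.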
@@ -54,6 +54,11 @@ <param-value>classpath:applicationContext.xml</param-value> </context-param> + <context-param> + <param-name>velocityPropertiesFolder</param-name> + <param-value>/META-INF/</param-value> + </context-param> + <filter> <filter-name>HomePageApplication</filter-name> <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
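Review bot: The new `velocityPropertiesFolder` context-param carries no comment tying it to the hardened configuration it activates, so web.xml gives no hint why `/META-INF/` matters here; I would put `<!-- WICKET-5927: wicket-velocity loads velocity.properties from this folder; the examples' copy enables the SecureUberspector and strict references -->` above the block. The consumer of this parameter name is not visible in the commit — presumably wicket-velocity's initializer — so the lock-down only takes effect if the name and folder match what that code looks up, and a typo or a missing file would most likely fall back to Velocity's stock configuration with no error; a startup log line naming the properties file actually loaded would make such a silent fallback noticeable. Per the servlet specification the webapp's /META-INF/ contents are not served to clients, so the properties file itself is not web-reachable.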
