Is it safe to give users access to Velocity templates? Let's say that I have an application where I want to allow the users to modify email templates (which are written in Velocity). I am happy for the users to have access to the objects I give them, but is there a way in Velocity to create arbitrary Java objects (e.g., through a class loader reference)?
Do you think it can be made safe, if it is not? Has anyone tried to deploy Velocity in a similar use case, restricting what templates can do using Java's security model (e.g. security manager, permissions, etc.)? Having the restrictions in place is clearly desired, irrespective of whether Velocity is safe to use in this fashion.

-- 
Ivan Ristic
ModSecurity Handbook [http://www.modsecurityhandbook.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
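An added example, not from this thread, showing the configuration-level side of the sandboxing question: Velocity's SecureUberspector (assumed here to be Velocity 1.7 or 2.x) refuses to resolve methods on java.lang.Class, ClassLoader, Runtime, System and similar classes, so a template that tries to walk from a context object to its class loader is left unrendered while ordinary getters keep working. The User bean and the template string are constructed for the demonstration.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public class SecureVelocityDemo {

    // Constructed template: a legitimate property plus an attempt to reach the class loader.
    static final String TEMPLATE = "Hello $user.name! loader=$user.class.classLoader";

    // Plain bean placed in the context; its own getters stay reachable from templates.
    public static class User {
        public String getName() { return "alice"; }
    }

    // Renders TEMPLATE with the default introspector or with the SecureUberspector installed.
    static String render(boolean secure) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        if (secure) {
            // Replaces the default uberspector with the one that enforces
            // introspector.restrict.classes / introspector.restrict.packages.
            engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        }
        engine.init();

        VelocityContext ctx = new VelocityContext();
        ctx.put("user", new User());

        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "secure-demo", TEMPLATE);
        return out.toString();
    }

    // True when the class-loader lookup was refused: Velocity's default (non-strict) mode
    // leaves an unresolvable reference in the output as literal text.
    static boolean classLoaderBlocked(String rendered) {
        return rendered.contains("$user.class.classLoader");
    }

    public static void main(String[] args) throws Exception {
        String open = render(false);
        String locked = render(true);
        System.out.println("default : " + open);    // shows the real ClassLoader
        System.out.println("secure  : " + locked);  // $user.class.classLoader stays unrendered
        System.out.println("blocked : " + classLoaderBlocked(locked));
    }
}
```

The restriction lists only cover JDK classes; every method on the objects you put into the context remains callable, so hand templates a narrow view object rather than the full domain model or service layer.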
