[https://issues.apache.org/jira/browse/VELTOOLS-150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13182702#comment-13182702]
Christopher Schultz commented on VELTOOLS-150:
----------------------------------------------
I see us having several options here:

1. Disable this feature
2. Make this feature optional and configurable, with the default being /disabled/
3. Lock down the process that allows certain paths to protect the webapp when this feature /is/ used

I think that #2 is a good idea in general: I suspect that most people don't actually use this feature, so disabling it will certainly eliminate this attack vector.

#3 might be touchy, since any file in a webapp - not just in WEB-INF or META-INF - could potentially be sensitive. It's a reasonable assumption that things in WEB-INF and META-INF should be protected by this particular feature, but it might not be straightforward since the "layout" directory is relative to the webapp, and then the layout selected by the request parameter will be relative to that. We may have to normalize the path and then compare it to known "sensitive" path prefixes. I'm not sure how to get the container to normalize a path for us, though. Maybe we just need to look for ".." in the layout name and ignore anything that looks like that. Suggestions are certainly welcome.

Certainly, templates or servlets, etc. themselves need to be exempt from these measures in case programmers want to use templates that are outside the norm: these security rules should probably only be applied when the layout is being selected from the request parameters. Request attributes, for instance, should be considered trusted.
> VelocityLayoutServlet allows clients to specify "layout" without performing
> any security checks.
> ------------------------------------------------------------------------------------------------
>
> Key: VELTOOLS-150
> URL: https://issues.apache.org/jira/browse/VELTOOLS-150
> Project: Velocity Tools
> Issue Type: Bug
> Components: VelocityView
> Affects Versions: 1.4, 2.0
> Environment: Velocity 1.7, Velocity Tools 2.0.
> Confirmed also affects Velocity 1.4, Velocity Tools 1.4.
> Reporter: Christopher Schultz
> Priority: Critical
> Labels: security
>
> For reference:
> http://markmail.org/thread/43cz2dymzmxjjrq5
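The check the comment sketches (normalize the request-supplied layout name, then compare it to the layout directory and to the WEB-INF/META-INF prefixes) as an added example; this is not VelocityLayoutServlet's or Velocity Tools' code, and the `LAYOUT_DIR` value and the `LayoutNameCheck` class name are assumptions for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

/** Added example (not Velocity Tools code): validate a layout name taken from a request parameter. */
public final class LayoutNameCheck {
    // Assumed layout directory, relative to the webapp root (the comment calls it "layout").
    private static final String LAYOUT_DIR = "layout";

    /**
     * Returns the normalized webapp-relative template path, or null if the name must be
     * rejected. Normalization works on path segments, so ".." is actually resolved before
     * the prefix comparisons rather than merely searched for as a substring.
     */
    public static String resolveLayout(String requested) {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) return null;
        // Treat backslashes as separators as well, since some containers do.
        String[] parts = (LAYOUT_DIR + "/" + requested).replace('\\', '/').split("/");
        Deque<String> stack = new ArrayDeque<>();
        for (String p : parts) {
            if (p.isEmpty() || p.equals(".")) continue;
            if (p.equals("..")) {
                if (stack.isEmpty()) return null; // would climb above the webapp root
                stack.removeLast();
                continue;
            }
            stack.addLast(p);
        }
        String normalized = String.join("/", stack);
        // The resolved path must still lie inside the layout directory (trailing slash
        // prevents "layoutx/..." from passing as a prefix match).
        String prefix = LAYOUT_DIR.isEmpty() ? "" : LAYOUT_DIR + "/";
        if (!normalized.startsWith(prefix)) return null;
        // Defence in depth for a layout directory configured at the webapp root:
        // never let the container-protected directories be reached.
        String upper = normalized.toUpperCase(Locale.ROOT);
        if (upper.startsWith("WEB-INF/") || upper.startsWith("META-INF/")) return null;
        return normalized;
    }

    public static void main(String[] args) {
        // Constructed sample values, as they might arrive in a "layout" request parameter.
        String[] samples = { "default.vm", "sub/alt.vm", "./default.vm",
            "../WEB-INF/web.xml", "..\\..\\META-INF/MANIFEST.MF", "a/../../WEB-INF/velocity.properties" };
        for (String s : samples) {
            System.out.println(s + " -> " + resolveLayout(s));
        }
    }
}
```

Only the first three samples resolve to a path under `layout/`; the traversal attempts return null and the servlet would fall back to its default layout. Names that arrive through request attributes would bypass this check, matching the comment's trust distinction.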