[
https://issues.apache.org/jira/browse/VELTOOLS-150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13189838#comment-13189838
]
Christopher Schultz commented on VELTOOLS-150:
----------------------------------------------
Sure, I can do a simple fix like that.
I think I'd also like to introduce a configuration setting that allows this
feature to be disabled entirely. While I'd prefer to leave it disabled by
default, it might actually break someone's webapp so we should probably wait
for another major release before making that kind of change.
> VelocityLayoutServlet allows clients to specify "layout" without performing
> any security checks.
> ------------------------------------------------------------------------------------------------
>
> Key: VELTOOLS-150
> URL: https://issues.apache.org/jira/browse/VELTOOLS-150
> Project: Velocity Tools
> Issue Type: Bug
> Components: VelocityView
> Affects Versions: 1.4, 2.0
> Environment: Velocity 1.7, Velocity Tools 2.0.
> Confirmed also affects Velocity 1.4, Velocity Tools 1.4.
> Reporter: Christopher Schultz
> Priority: Critical
> Labels: security
>
> For reference:
> http://markmail.org/thread/43cz2dymzmxjjrq5