[ https://issues.apache.org/jira/browse/VELOCITY-849?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Claude Brisson closed VELOCITY-849.
-----------------------------------
       Resolution: Not A Bug
         Assignee: Claude Brisson
    Fix Version/s: 2.x

This kind of issue is handled by the SecureUberspector, which should be used whenever templates themselves become sensitive.

> Vulnerability Note
> ------------------
>
>                 Key: VELOCITY-849
>                 URL: https://issues.apache.org/jira/browse/VELOCITY-849
>             Project: Velocity
>          Issue Type: Bug
>          Components: Engine
>    Affects Versions: 1.7
>         Environment: Tomcat
>            Reporter: Greg Huber
>            Assignee: Claude Brisson
>             Fix For: 2.x
>
>
> Hello,
> I was checking this vulnerability for struts against velocity and it looks
> like it may apply here also.
> http://www.kb.cert.org/vuls/id/719225
> When I use the code on my template:
> $model.class.getClassLoader()
> I get the following:
> WebappClassLoader
>   context: /events
>   delegate: false
>   repositories:
>     /WEB-INF/classes/
> ----------> Parent Classloader:
> org.apache.catalina.loader.StandardClassLoader@47711479
> I am not sure on what type of manipulation was used in the vulnerability, but
> on struts, this type of response has been blocked.
> Cheers Greg