[ https://issues.apache.org/jira/browse/VELTOOLS-150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16522904#comment-16522904 ]
Claude Brisson commented on VELTOOLS-150:
-----------------------------------------

I totally agree. At first I committed something very close to what your patch would have been. Keeping the feature is mainly for the showcase example to work, and I'm rather convinced no one ever used it elsewhere. Then I realized that the showcase webapp should handle it via subclassing the VelocityLayoutServlet, and that we could get rid of this dangerous feature. So I changed my mind and got rid of it.

> VelocityLayoutServlet allows clients to specify "layout" without performing any security checks.
> ------------------------------------------------------------------------------------------------
>
> Key: VELTOOLS-150
> URL: https://issues.apache.org/jira/browse/VELTOOLS-150
> Project: Velocity Tools
> Issue Type: Bug
> Components: VelocityView
> Affects Versions: 1.4, 2.0
> Environment: Velocity 1.7, Velocity Tools 2.0.
> Confirmed also affects Velocity 1.4, Velocity Tools 1.4.
> Reporter: Christopher Schultz
> Priority: Critical
> Labels: security
>
> For reference:
> http://markmail.org/thread/43cz2dymzmxjjrq5