[jira] [Resolved] (VELTOOLS-150) VelocityLayoutServlet allows clients to specify "layout" without performing any security checks.

Claude Brisson (JIRA) Mon, 25 Jun 2018 15:49:10 -0700


     [ 
https://issues.apache.org/jira/browse/VELTOOLS-150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Claude Brisson resolved VELTOOLS-150.
-------------------------------------
       Resolution: Fixed
         Assignee: Claude Brisson
    Fix Version/s: 3.0

The VelocityLayoutServlet now ignores the 'layout' query parameter. Dynamic 
layout change is still functional in the showcase webapp, by means of a 
ShowcaseLayoutServlet.

> VelocityLayoutServlet allows clients to specify "layout" without performing 
> any security checks.
> ------------------------------------------------------------------------------------------------
>
>                 Key: VELTOOLS-150
>                 URL: https://issues.apache.org/jira/browse/VELTOOLS-150
>             Project: Velocity Tools
>          Issue Type: Bug
>          Components: VelocityView
>    Affects Versions: 1.4, 2.0
>         Environment: Velocity 1.7, Velocity Tools 2.0.
> Confirmed also affects Velocity 1.4, Velocity Tools 1.4.
>            Reporter: Christopher Schultz
>            Assignee: Claude Brisson
>            Priority: Critical
>              Labels: security
>             Fix For: 3.0
>
>
> For reference:
> http://markmail.org/thread/43cz2dymzmxjjrq5



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org

[jira] [Resolved] (VELTOOLS-150) VelocityLayoutServlet allows clients to specify "layout" without performing any security checks.

Reply via email to