On 03/25/2011 04:17 PM, Caleb James DeLisle wrote:
>
>
> On 03/25/2011 05:01 AM, Marius Dumitru Florea wrote:
>> Hi Caleb,
>>
>> On 03/25/2011 12:23 AM, Caleb James DeLisle wrote:
>>> Sometimes there is a grey area between a security vulnerability and a
>>> really nice feature. I think it is important that everyone understand
>>> what a user should be able to do and what a user should not be able to
>>> do, since "that's not a bug, that's a feature" is cold comfort to a user
>>> who just discovered that his security requirements were not met. Also,
>>> having a standard laid down will allow us to better classify security
>>> issues if they are discovered (I can proudly say that we have improved
>>> here by leaps and bounds). I have a draft document which attempts to
>>> detail that line between bug and feature and I think it is time to move
>>> it into main space.
>>>
>>> http://dev.xwiki.org/xwiki/bin/view/Drafts/Security+Specifications
>>>
>>> WDYT?
>>
>> Indeed, we need such a document. A few remarks:
>>
>> * 2.4 duplicates 2.2
> Thanks, I fixed that.
>
>> * 7.3 is a bit confusing because until that point document title and
>> document content are viewed separately (e.g. 5.2 and 5.3)
> I have tentatively changed that to:
> * 7.3 When viewing a document, the document's title is part of Document
> Content and has the same power. Anywhere else in the wiki, the document
> title must not have any powers which are not available to a
> [[comment>>#comment]].
> WDYT?

+1

>
>> * 8.5 is not quite correct because you can instantiate and load classes
>> from velocity but not directly. You can't use the new operator and you
>> don't have access to the Java reflection API, but by simply writing:
>>
>> #set($list = [1, 2, 3])
>>
>> you are creating a new instance of ArrayList.
>
> I added a * to that line and at the bottom:
> ~* Velocity allows for the instantiation of HashMap, ArrayList, and String
> objects and velocity scripts can call Java APIs which may return newly
> instantiated objects.
>
> Look ok?

Yep.

Thanks,
Marius

>
> Caleb
>
>>
>> Thanks,
>> Marius
>>
>>>
>>> Caleb
>>>
>>> _______________________________________________
>>> devs mailing list
>>> [email protected]
>>> http://lists.xwiki.org/mailman/listinfo/devs

