[
https://issues.apache.org/jira/browse/JSPWIKI-628?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Jaquith closed JSPWIKI-628.
----------------------------------
Resolution: Won't Fix
As described, this enhancement request represents a significant security risk.
Allowing a plugin to load (and possibly execute) arbitrary Java classes would
be very unwise. This risk would be compounded by the fact that few servers run
JSPWiki with a security manager, meaning that a malicious party might have the
run of the entire server.
That said, if a website operator wishes to change the JSPs to allow particular
applets to load, that would be fine. They can do that today. But having a
general purpose classloading capability, able to be invoked by anyone, is a
recipe for trouble.
But perhaps I misunderstood your request? If I misunderstood, please re-open
and re-state... and make sure you document any security considerations that
would be part of this enhancement.
> Load Plugin resources from classpath
> ------------------------------------
>
> Key: JSPWIKI-628
> URL: https://issues.apache.org/jira/browse/JSPWIKI-628
> Project: JSPWiki
> Issue Type: Improvement
> Affects Versions: 2.8.3
> Reporter: Jürgen Weber
>
> Some plugins require the browser to load files. E.g. the FreeMindPlugin needs
> the browser to load the applet's classes, or another plugin might need some
> flash code.
> Currently the solution is to attach these files to a page which has the sole
> purpose of having the attachment. This is kind of awkward.
> JSPWiki should have a mechanism (in JSPFilter?) which would load the file
> from the classpath. So for FreeMind the FreeMindPlugin.jar would additionally
> contain freemindbrowser.jar. The plugin would generate some markup that would
> make the Filter recognize that the parameter is to be loaded from classpath,
> e.g. <wiki:IncludeResource freemindbrowser.jar>
> I guess this could be done with a PageFilter, too, but the idea is to make
> installing plugins easier and having to add a filters.xml would be
> counterproductive, so the mechanism should go into core.
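The distinction drawn in the closing comment, between an operator permitting particular files and a lookup anyone can invoke, can be illustrated with an exact-match allowlist. This is an added example, not JSPWiki code and not part of the original message; the class name `AllowlistedResources`, the `/plugin-resources/` location and the allowlist entry are hypothetical.

```java
import java.io.InputStream;
import java.util.Map;
import java.util.Optional;

/** Hypothetical helper, not part of JSPWiki: serves only operator-listed classpath files. */
public final class AllowlistedResources {

    // Constructed sample allowlist: public name -> {fixed classpath location, MIME type}.
    // The operator sets this at deploy time; nothing in wiki markup can extend it.
    private static final Map<String, String[]> ALLOWED = Map.of(
        "freemindbrowser.jar",
        new String[] {"/plugin-resources/freemindbrowser.jar", "application/java-archive"});

    private AllowlistedResources() { }

    /** Returns the content type for a requested name, or empty if it is not allowlisted. */
    public static Optional<String> contentType(String requested) {
        return lookup(requested).map(entry -> entry[1]);
    }

    /**
     * Opens the file as a byte stream for download by the browser. The bytes are
     * never defined or loaded as a class on the server. Empty if the name is not
     * allowlisted or the file is missing from the classpath.
     */
    public static Optional<InputStream> open(String requested) {
        return lookup(requested)
            .map(entry -> AllowlistedResources.class.getResourceAsStream(entry[0]));
    }

    private static Optional<String[]> lookup(String requested) {
        // The requested string is used only as a map key, never as a path component,
        // so traversal sequences, absolute paths and class names resolve to nothing.
        if (requested == null) {
            return Optional.empty();
        }
        return Optional.ofNullable(ALLOWED.get(requested));
    }

    public static void main(String[] args) {
        // Constructed sample requests: one allowlisted name and two that must be refused.
        for (String name : new String[] {
                "freemindbrowser.jar", "../WEB-INF/web.xml", "com/example/Other.class"}) {
            System.out.println(name + " -> " + contentType(name).orElse("refused"));
        }
    }
}
```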