On Fri, 18 May 2001, Jon Stevens wrote:
> on 5/18/01 1:04 AM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
>
> > I doubt too many installations of Velocity are set up to disallow user
> > code - it's not too much you can do. It'll be secure - probably because
> > nobody will care to use such a thing :-) And if you allow any user code -
> > all the #foreach prevention of DOS goes away.
>
> The key point here is that installations that need the level of security
> will be setup that way without having to completely disable the API.
The key point is that you have to disable any user code in order to have
this to work. Only applications that do not use any user code ( beans,
servlets, utils ) will work.
Same is true for almost any templating system ( including JSP ) - if you
restrict the user ( and refuse to run any "real" code ) - you'll be
protected against DOS.
For JSP, it would mean that users are not allowed to use their own
taglibs, or <% java %> in page, or servlets, or beans - only a
<foreach> tag and few other trusted tags. Same is true for turbine ( with
an different syntax ).
You don't need to do anything in jasper for that - just write a simple
program to scan the webapplication and reject any app that has any java
code or any "unauthorized" tag before running it. And refuse to run any
other application. ( and find people to use your service :-)
You still get to use any JSP tool, the application will be portable to
other JSP containers and implementations.
Costin
