Very good stuff but I do still have some questions. The wiki page mentions my 
exact scenario in the "Working with Untrusted HTML Template Designers" section. 

It refers to a patch to be able to restrict included templates using the 
#include and #parse which was to be released in version 1.5, and a patch to 
restrict the ability to call getClassLoader which was to be released in version 
1.6. Did these make it into velocity? (wiki should probably be updated)

I also saw that Alexander said "Yes. User could execute arbitrary java methods 
from a template." 


It sounds like if I create a simple bean, give only that to the velocity 
context, disable the "getClassLoader" method, and listen to include & parse 
events to restrict included templates, then I should be pretty secure to handle 
templates from external users. Is that correct?

Thank you all for the useful information.

-----Original Message-----
From: Nathan Bubna [mailto:nbu...@gmail.com] 
Sent: Tuesday, March 30, 2010 4:29 PM
To: Velocity Users List
Subject: Re: Should I use velocity?

http://wiki.apache.org/velocity/BuildingSecureWebApplications

On Tue, Mar 30, 2010 at 1:59 PM, Treague, Keith
<keith.trea...@merrillcorp.com> wrote:
> I'm looking for a templating engine that can take a set of data I give it, 
> put it into an html template, and then I'll either return that to a web 
> browser or send that out as an e-mail. The catch is I want my users to be 
> able to edit the template itself.
>
> My concern is if they are editing the template, is there any way they can 
> create a malicious template that will execute malicious code on the server 
> such as calling various services on the server to get unauthorized info or 
> grant themselves additional access? If you can execute arbitrary java methods 
> from a template I can't use it. Any input I'd appreciate!
>
> (sorry if you get this twice, the first time I sent it I wasn't subscribed 
> yet)
>
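The setup described in the reply above (a single bean in the context, getClassLoader blocked, and an include/parse event listener that refuses templates outside an allowed area), written out as an added example that is not part of this thread or of the Velocity project's own code. It assumes Velocity 1.6 or 1.7, where `SecureUberspector` and the 1.x three-argument `IncludeEventHandler` signature are available; the `Customer` bean, the `ALLOWED_PREFIX` value and the sample template strings are constructed for illustration.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.IncludeEventHandler;
import org.apache.velocity.runtime.RuntimeConstants;

public class RestrictedTemplateDemo {

    // Constructed data bean: plain getters only, no references to services,
    // files, or anything that could lead back to the class loader.
    public static class Customer {
        private final String name;
        public Customer(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Assumed policy: only templates under this prefix may be pulled in
    // with #include or #parse.
    static final String ALLOWED_PREFIX = "shared/";

    public static String render(String templateSource, Customer customer)
            throws java.io.IOException {
        VelocityEngine ve = new VelocityEngine();
        // SecureUberspector (Velocity 1.6+) refuses reflective calls to
        // getClassLoader() and to the classes/packages in the default
        // introspector.restrict.* lists (java.lang.Class, Runtime, Thread, ...).
        ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        ve.init();

        // The bean is the only object the template can reach.
        VelocityContext ctx = new VelocityContext();
        ctx.put("customer", customer);

        // Include/parse listener: returning null suppresses the include.
        EventCartridge cartridge = new EventCartridge();
        cartridge.addEventHandler(new IncludeEventHandler() {
            public String includeEvent(String includeResourcePath,
                                       String currentResourcePath,
                                       String directiveName) {
                if (includeResourcePath == null
                        || includeResourcePath.contains("..")
                        || !includeResourcePath.startsWith(ALLOWED_PREFIX)) {
                    // Log the refusal so attempts are visible in monitoring.
                    System.err.println("blocked " + directiveName + " of '"
                            + includeResourcePath + "' from " + currentResourcePath);
                    return null;
                }
                return includeResourcePath;
            }
        });
        cartridge.attachToContext(ctx);

        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "user-template", templateSource);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Customer c = new Customer("Ada");
        // Constructed sample templates.
        // 1. Normal use of the bean.
        System.out.println(render("Hello $customer.name!", c));
        // 2. Attempt to walk from the bean to the class loader: the
        //    SecureUberspector resolves nothing, so the reference is
        //    echoed back as literal text rather than evaluated.
        System.out.println(render("$customer.class.classLoader", c));
        // 3. Attempt to parse a template outside the allowed prefix:
        //    the handler returns null and the directive produces no output.
        System.out.println(render("#parse('../other-tenant/page.vm')", c));
    }
}
```

Two caveats worth keeping in mind with this layout: the bean must not expose getters that return richer objects (a `Collection`, a service, a `File`), because anything reachable through a chain of getters is callable from the template; and the include listener only governs `#include`/`#parse`, so the resource loader's own root path should still be confined to the template directory for untrusted users.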

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@velocity.apache.org
For additional commands, e-mail: user-h...@velocity.apache.org

