The tools.view.servlet.layout.directory property is fairly important here, as it is prefixed to layout paths. I didn't think just slipping .. into the path would get Velocity to load things out of that directory. Seems like this isn't any more risky than allowing third parties to use #parse, #include or anything else that loads/renders templates dynamically.
So, before we jump to calling this an inherent security flaw: what is your layout directory? What is your resource loader configuration? The resource loaders really ought not be able to load any file either, otherwise the VelocityViewServlet itself becomes a risk, right?

On Thu, Jan 5, 2012 at 1:22 PM, Alex Fedotov <a...@kayak.com> wrote:
> I think there is some kind of fall-back sequence coded in one of the
> Velocity context implementations where if a key is not found in the context
> then it is also looked up as a request parameter, session attribute, etc.
> If I remember correctly it is in the ViewToolContext class.
>
> On Thu, Jan 5, 2012 at 4:15 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> All,
>>
>> On 1/5/12 4:05 PM, Christopher Schultz wrote:
>> > I found some errors in my log file about a particular 'layout' not being
>> > found. Coincidentally, I had a request parameter called "layout" with
>> > some data in it and it seemed to be triggering a change to the layout
>> > file that VelocityViewServlet attempts to use.
>>
>> I am using a custom subclass of VelocityViewServlet that changes the
>> error handling and also the Context creation by taking the user's Struts
>> locale and putting it into the Context.
>> Here's the method:
>>
>> protected Context createContext(HttpServletRequest request,
>>                                 HttpServletResponse response)
>> {
>>     Context ctx = super.createContext(request, response);
>>
>>     // Don't clobber an existing key
>>     if(!ctx.containsKey("locale"))
>>     {
>>         Locale locale = null;
>>         HttpSession session = request.getSession(false);
>>         if(null != session)
>>             locale = (Locale)session.getAttribute(Globals.LOCALE_KEY);
>>
>>         if(null == locale)
>>             locale = request.getLocale();
>>
>>         ctx.put("locale", locale);
>>     }
>>
>>     // DEBUG
>>     System.err.println("createContext: 'layout'="
>>                        + ctx.get("layout"));
>>     ctx.put("theContext", ctx);
>>     return ctx;
>> }
>>
>> I added that debugging code at the bottom, and the log confirms that, at
>> this stage, 'layout' is null in the context. I stuck the 'theContext'
>> into itself so I could inspect it from the page, like this:
>>
>> request: $!request.getParameter('layout')
>> context: $!theContext.get('layout')
>> app: $!request.servletContext.getAttribute('layout')
>> bare layout = $!layout
>>
>> The output from this template displays the following:
>>
>> request: Help.vm
>> context: Help.vm
>> app:
>> bare layout: Help.vm
>>
>> So, somehow the request parameter is in fact being copied into the
>> velocity context, where it affects VelocityLayoutServlet's rendering of
>> the page.
>>
>> I'll get a stack trace of where the context key is being set, next.
>>
>> -chris
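The thread shows a "layout" request parameter ending up in the Velocity context and steering which layout VelocityLayoutServlet renders. Whether that is exploitable then depends on the layout directory and on what the resource loaders are allowed to read, as the reply at the top asks. One way an application can stop depending on that question is to pin the context key itself: the added example below is not code from this thread or from the Velocity project; it is a hypothetical VelocityLayoutServlet subclass that checks the "layout" value against a fixed allow-list after the superclass has had its chance to copy the request parameter in, and overwrites the key with a known-good name when the check fails. It assumes the velocity-tools 2.x package name and handleRequest signature (tools 1.x lives under org.apache.velocity.tools.view.servlet and declares throws Exception), that VelocityLayoutServlet exposes a KEY_LAYOUT constant equal to "layout", and the layout file names and fallback name are constructed for the example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.velocity.Template;
import org.apache.velocity.context.Context;
import org.apache.velocity.tools.view.VelocityLayoutServlet; // assumed: velocity-tools 2.x package

/**
 * Hypothetical subclass (not part of Velocity Tools) that refuses to let a
 * request-controlled "layout" value select an arbitrary template. The name
 * is checked against an allow-list, and on failure the context key is
 * overwritten rather than removed, so no later lookup of $layout can fall
 * back to the request parameter through a context fallback chain.
 */
public class SafeLayoutServlet extends VelocityLayoutServlet {

    // Constructed allow-list: the only layout files this application renders.
    static final Set<String> ALLOWED_LAYOUTS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("Default.vm", "Help.vm", "Print.vm")));

    // Constructed name of the layout used whenever the requested one is rejected.
    static final String FALLBACK_LAYOUT = "Default.vm";

    /**
     * True only for a plain file name that is on the allow-list. The
     * separator and ".." checks are defence in depth: an exact allow-list
     * match already excludes them, but they keep the rule explicit if the
     * allow-list is ever loosened to a pattern.
     */
    static boolean isAllowedLayout(Object value) {
        if (!(value instanceof String)) {
            return false;
        }
        String name = (String) value;
        if (name.indexOf('/') >= 0 || name.indexOf('\\') >= 0
                || name.indexOf('\0') >= 0 || name.contains("..")) {
            return false;
        }
        return ALLOWED_LAYOUTS.contains(name);
    }

    @Override
    protected Template handleRequest(HttpServletRequest request,
                                     HttpServletResponse response,
                                     Context ctx) {
        // Once the superclass returns, VelocityLayoutServlet has already had
        // its chance to copy the "layout" request parameter into the context.
        Template screen = super.handleRequest(request, response, ctx);

        Object layout = ctx.get(KEY_LAYOUT); // assumed: KEY_LAYOUT == "layout"
        if (layout != null && !isAllowedLayout(layout)) {
            // Log enough to notice probing, then pin the key to a known-good value.
            getServletContext().log("Rejected layout '" + layout + "' requested from "
                    + request.getRemoteAddr() + "; using " + FALLBACK_LAYOUT);
            ctx.put(KEY_LAYOUT, FALLBACK_LAYOUT);
        }
        return screen;
    }
}
```

Register this class in web.xml in place of VelocityLayoutServlet. It complements, rather than replaces, the two checks the reply above asks for: tools.view.servlet.layout.directory should still point at a dedicated layout directory, and the resource loader configuration should still be unable to read files outside the template tree, because a template's own #set($layout = ...) and any #parse or #include go through the same loaders.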