[ http://issues.apache.org/jira/browse/VELOCITY-144?page=comments#action_12329763 ]

Will Glass-Husain commented on VELOCITY-144:
--------------------------------------------

Geir expressed concern over security issues with this patch. I posted this on
the dev list... no push back from other developers. So I think we should
re-apply this.

<quote>
Here's why I'm not worried:

(1) Outside users do not directly provide a template name. In a typical 
back-end use this is programmed by the developer. In a web use this comes from 
the URL (which can be filtered before sending to Velocity).

(2) If a developer does not want to allow absolute file names, he/she just 
needs to configure a template path. (Note that this patch only applies for 
cases where the template path is not set).

(3) This doesn't affect any existing code, because all existing uses of 
FileResourceLoader set a template path.
</quote>

> Allow absolute filename with FileResourceLoader
> -----------------------------------------------
>
>          Key: VELOCITY-144
>          URL: http://issues.apache.org/jira/browse/VELOCITY-144
>      Project: Velocity
>         Type: Improvement
>   Components: Source
>     Versions: 1.3-rc1
>  Environment: Operating System: All
> Platform: PC
>     Reporter: Dale Peakall
>     Assignee: Velocity-Dev List
>     Priority: Minor
>      Fix For: 1.5
>  Attachments: AbsoluteFileResourceLoaderTest.java, 
> FileResourceLoader.java.patch, absolute.zip
>
> There is no way of providing an absolute path (e.g. c:\temp\wibble.tmp) to
> the FileResourceLoader because it always attempts to use the 2-argument File
> constructor (even if the path component is empty).
> The following fix resolves this problem:
> In FileResourceLoader.findTemplate replace:
>   File file = new File( path, template );
> with
>   File file = null;
>   if("".equals(path))
>     file = new File( template );
>   else
>     file = new File ( path, template );
> Note this does not introduce any security risks as the FileResourceLoader
> must be configured to search the empty ("") path.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
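Point (1) of the comment above relies on callers filtering template names before they reach Velocity. As an added example that is not Velocity code and not part of the issue, the hypothetical class below applies the lookup rule from the patch (empty path means the name is used as given) and then checks, via canonical paths, that the resolved file stays under the configured template root; with no root configured it flags absolute names so the caller can decide what to do with them.

```java
import java.io.File;
import java.io.IOException;

/** Hypothetical helper mirroring the VELOCITY-144 lookup rule; not Velocity code. */
public class TemplatePathCheck {

    /** The rule from the patch: an empty path means "use the template name as given". */
    static File resolve(String path, String template) {
        return "".equals(path) ? new File(template) : new File(path, template);
    }

    /**
     * Returns true only if the template, resolved as the patch does, still lies
     * inside the configured root. With an empty root nothing confines the name
     * (that is exactly what the patch permits), so absolute names are rejected
     * here and relative ones are left to the caller's judgement.
     */
    static boolean staysUnderRoot(String root, String template) throws IOException {
        File candidate = resolve(root, template);
        if ("".equals(root)) {
            return !candidate.isAbsolute();
        }
        // Canonical paths collapse ".." segments and symlinks, so a name that
        // escapes the root is caught regardless of how it was spelled.
        String rootCanon = new File(root).getCanonicalPath();
        String candCanon = candidate.getCanonicalPath();
        return candCanon.equals(rootCanon)
            || candCanon.startsWith(rootCanon + File.separator);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample paths; nothing needs to exist on disk for the check.
        String root = new File("templates").getAbsolutePath();
        String outside = new File("outside").getAbsolutePath() + File.separator + "wibble.vm";

        System.out.println("index.vm under root: " + staysUnderRoot(root, "index.vm"));
        System.out.println("../wibble.vm under root: " + staysUnderRoot(root, "../wibble.vm"));
        System.out.println("relative, no root: " + staysUnderRoot("", "index.vm"));
        System.out.println("absolute, no root: " + staysUnderRoot("", outside));
    }
}
```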

