Hi Tony,

What is the security issue with the #include / #parse directives? If the user submits a page which contains invalid statements, it simply won't display anything, or at worst it would display a stack trace.

If these directives were a problem, couldn't you just filter them out when a user submits a format page?

regards
Malcolm Edgar

-----Original Message-----
From: Tony Morris [mailto:[EMAIL PROTECTED]
Sent: Friday, 22 April 2005 12:21 PM
To: velocity-user@jakarta.apache.org
Subject: Velocity security

I had a bit of a fiddle with Velocity a while back, and I'm considering using it in a J2EE project that is coming up. A requirement that I have is that users should be able to submit their preferred format for rendering of their web page, for which I thought Velocity would be entirely appropriate.

The issue I have is security-related. I had a look through the Velocity user guide and the only real potential hole that I see is the use of the #parse or #include directive. I shouldn't expect users will use this, but I need to protect against it nonetheless (are there any other potential holes that I can't see?). The user document talks about the 'TEMPLATE_ROOT' (what is that exactly?) being the only place from which the referenced files can be included/parsed, but I'm wondering if Velocity provides something to solve what I believe would be a common problem, perhaps by preventing include/parse directives altogether - or perhaps some unforeseen solution that is more well suited.

Thanks for any tips.

Tony Morris
Software Engineer
Gold Coast, Australia

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

NOTICE
This e-mail and any attachments are confidential and may contain copyright material of Macquarie Bank or third parties. If you are not the intended recipient of this email you should not read, print, re-transmit, store or act in reliance on this e-mail or any attachments, and should destroy all copies of them. Macquarie Bank does not guarantee the integrity of any emails or any attached files. The views or opinions expressed are the author's own and may not reflect the views or opinions of Macquarie Bank.
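Added example (not from either message in this thread, and not Velocity project code): the two controls the thread circles around, put together in Java against the Velocity Engine 2.x API. Malcolm's suggestion is the submit-time filter, containsForbiddenDirective(); Tony's TEMPLATE_ROOT worry is addressed by giving the rendering engine only the in-memory string loader, so there is no file loader for #include or #parse to reach the filesystem through; and a render-time IncludeEventHandler refuses every include/parse regardless of what the submitted text looks like. The class names UserTemplateRenderer and DenyAllIncludes and the sample template are this example's own; the Velocity property keys and interfaces are the 2.x ones and are an assumption about the version in use (the 2005 thread predates the include event handler).

```java
import java.io.StringWriter;
import java.util.regex.Pattern;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.IncludeEventHandler;
import org.apache.velocity.context.Context;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.runtime.resource.loader.StringResourceLoader;

/**
 * Renders user-submitted Velocity templates with #include / #parse neutralised.
 * Assumes Velocity Engine 2.x on the classpath. Class and method names here are
 * this example's own, not part of Velocity.
 */
public class UserTemplateRenderer {

    /** Plain (#include) and brace (#{include}) spellings of the two directives. */
    private static final Pattern FORBIDDEN_DIRECTIVE =
        Pattern.compile("#\\{?(include|parse)\\b");

    /**
     * Submit-time lint, as Malcolm suggests: reject the upload if the text
     * mentions either directive. Deliberately conservative (a false reject is
     * cheap). A text filter alone is not the control, though: templates can
     * assemble directive text at run time (e.g. with #evaluate), so the
     * render-time handler below is what actually enforces the rule.
     */
    public static boolean containsForbiddenDirective(String template) {
        return FORBIDDEN_DIRECTIVE.matcher(template).find();
    }

    /** Render-time control: refuse every #include / #parse, whatever it points at. */
    static final class DenyAllIncludes implements IncludeEventHandler {
        @Override
        public String includeEvent(Context context, String includeResourcePath,
                                   String currentResourcePath, String directiveName) {
            // Returning null tells Velocity to skip the directive entirely,
            // so nothing is loaded and nothing is rendered in its place.
            return null;
        }
    }

    private final VelocityEngine engine;

    public UserTemplateRenderer() {
        engine = new VelocityEngine();
        // Only the in-memory string loader is configured. With no file
        // resource loader there is no TEMPLATE_ROOT on disk to escape from:
        // an include can at most name another in-memory string resource.
        engine.setProperty(RuntimeConstants.RESOURCE_LOADERS, "string");
        engine.setProperty("resource.loader.string.class",
                           StringResourceLoader.class.getName());
        engine.init();
    }

    /** Merges a user-submitted template string against the given model. */
    public String render(String userTemplate, Context model) {
        EventCartridge cartridge = new EventCartridge();
        cartridge.addEventHandler(new DenyAllIncludes());
        cartridge.attachToContext(model);

        StringWriter out = new StringWriter();
        engine.evaluate(model, out, "user-template", userTemplate);
        return out.toString();
    }

    public static void main(String[] args) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", "Tony");

        // Constructed sample: a submitted "format" that tries to pull in a file.
        String submitted = "Hello $name! #include(\"/etc/passwd\")";

        // Layer 1: refuse the upload outright.
        System.out.println("reject at upload: " + containsForbiddenDirective(submitted));

        // Layer 2: even if the lint were skipped, the handler blanks the include
        // and the string-only loader could not have read the file anyway.
        System.out.println(new UserTemplateRenderer().render(submitted, ctx));
    }
}
```

Run with velocity-engine-core 2.x on the classpath. The first line prints true; the rendered output is "Hello Tony! " with the #include removed rather than an exception or a file listing. Keep both layers: the lint gives the user an immediate, understandable error, while the handler plus loader configuration is the part that holds when the lint is bypassed.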