Hi Tony,

> I had a bit of a fiddle with Velocity a while back, and I'm considering
> using it in a J2EE project that is coming up. A requirement that I have is
> that users should be able to submit their preferred format for rendering of
> their web page, for which I thought Velocity would be entirely appropriate.

:)

> The issue I have is security-related. I had a look through the Velocity user
> guide and the only real potential hole that I see is the use of the #parse
> or #include directive. I shouldn't expect users will use this, but I need to
> protect against it nonetheless (are there any other potential holes that I
> can't see?).

I'll let you answer what risks you are considering to Malcolm. ;)

> The user document talks about the 'TEMPLATE_ROOT' (what is that
> exactly?) being the only place from which the referenced files can be
> included/parsed,

The so-called 'TEMPLATE_ROOT' refers to wherever the ResourceLoader looks for templates. It will depend on how you configure Velocity.
http://jakarta.apache.org/velocity/developer-guide.html#FAQ2

e.g., if you use VelocityViewServlet, it will be the root directory of your webapp.
http://jakarta.apache.org/velocity/tools/view/index.html

I guess you could subclass VVS in VelocityTools 1.2-dev and create a one-VelocityEngine-per-user servlet to handle your requests.

> but I'm wondering if Velocity provides something to solve
> what I believe would be a common problem, perhaps by preventing
> include/parse directives altogether - or perhaps some unforeseen solution
> that is more well suited.

I think there was a thread before about disabling directives.

Some more security issues are mentioned here:
http://wiki.apache.org/jakarta-velocity/HackingVelocity

Best regards,
-- Shinobu

--
Shinobu Kawai <[EMAIL PROTECTED]>
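As an added example (not code from this thread or from the Velocity project), here is the one-VelocityEngine-per-user idea in plain Java against the Velocity 1.x API: each user's engine gets its own file.resource.loader.path, so #parse and #include resolve only against that user's directory, and the 1.x file loader refuses paths that climb above its root. The directory layout, the user name and the sample templates are constructed for the demo.

```java
import java.io.File;
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.exception.ResourceNotFoundException;

public class PerUserVelocity {

    /** One engine per user: the file loader's root is that user's own directory. */
    public static VelocityEngine engineFor(File userTemplateDir) throws Exception {
        VelocityEngine ve = new VelocityEngine();
        ve.setProperty("resource.loader", "file");
        ve.setProperty("file.resource.loader.path", userTemplateDir.getAbsolutePath());
        // Bound recursive #parse chains so a user template cannot nest itself forever.
        ve.setProperty("directive.parse.max.depth", "3");
        ve.init();
        return ve;
    }

    /** Render a template string submitted by the user with that user's own engine. */
    public static String render(VelocityEngine ve, String userTemplate, VelocityContext ctx)
            throws Exception {
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "user-template", userTemplate);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed layout: one directory per user under a user-templates root.
        File usersRoot = new File(args.length > 0 ? args[0] : "/tmp/user-templates");
        VelocityEngine ve = engineFor(new File(usersRoot, "user42"));

        // Put only plain values into the context: every object exposed here is an
        // object the user template can call methods on (see the HackingVelocity page).
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", "Malcolm");

        System.out.println(render(ve, "Hello $name, this is your page.", ctx));

        // A #parse that tries to climb out of user42's directory is resolved by this
        // engine's loader only; the file loader rejects the ".." path, so we log it.
        try {
            render(ve, "#parse(\"../user7/private.vm\")", ctx);
            System.out.println("template was found: check the loader path configuration");
        } catch (ResourceNotFoundException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Files that do live under the user's own directory remain reachable via #parse and #include; the per-user engine confines the directives, it does not disable them.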