This article is a pretty good start for security issues with Velocity. Will your users be uploading their own templates? That's where it starts to get messy. I've a site with 1000's of user accounts each of whom can upload their own templates. It's possible but there are some issues.
http://wiki.apache.org/jakarta-velocity/BuildingSecureWebApplications

---
Will Glass-Husain
415-440-7500x89
[EMAIL PROTECTED]

Quoting Shinobu Kawai <[EMAIL PROTECTED]>:

> Hi Tony,
>
> > I had a bit of a fiddle with Velocity a while back, and I'm considering
> > using it in a J2EE project that is coming up. A requirement that I have is
> > that users should be able to submit their preferred format for rendering of
> > their web page, for which I thought Velocity would be entirely appropriate.
>
> :)
>
> > The issue I have is security-related. I had a look through the Velocity user
> > guide and the only real potential hole that I see is the use of the #parse
> > or #include directive. I shouldn't expect users will use this, but I need to
> > protect against it nonetheless (are there any other potential holes that I
> > can't see?).
>
> I'll let you answer what risks you are considering to Malcolm. ;)
>
> > The user document talks about the 'TEMPLATE_ROOT' (what is that
> > exactly?) being the only place from which the referenced files can be
> > included/parsed,
>
> The so-called 'TEMPLATE_ROOT' refers to wherever the ResourceLoader
> looks for templates. It will depend on how you configure Velocity.
> http://jakarta.apache.org/velocity/developer-guide.html#FAQ2
>
> eg, if you use VelocityViewServlet, it will be the root directory of
> your webapp.
> http://jakarta.apache.org/velocity/tools/view/index.html
>
> I guess you could subclass VVS in VelocityTools 1.2-dev and create a
> one-VelocityEngine-per-user servlet to handle your requests.
>
> > but I'm wondering if Velocity provides something to solve
> > what I believe would be a common problem, perhaps by preventing
> > include/parse directives altogether - or perhaps some unforeseen solution
> > that is more well suited.
>
> I think there was a thread before about disabling directives.
>
> Some more security issues are mentioned here:
> http://wiki.apache.org/jakarta-velocity/HackingVelocity
>
> Best regards,
> -- Shinobu
>
> --
> Shinobu Kawai <[EMAIL PROTECTED]>
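The one-VelocityEngine-per-user idea and the TEMPLATE_ROOT point from the quoted reply, sketched as an added example (not code from anyone in this thread or from the Velocity project): each user gets an engine whose file ResourceLoader is confined to that user's own directory, #parse nesting is capped, reflective access is restricted via Velocity's SecureUberspector (Velocity 1.5+), and uploaded templates are rejected up front if they use #parse or #include. The Velocity 1.x API and property names are real; the /var/templates/<user> layout and the user-id format are constructed assumptions.

```java
import java.io.File;
import java.io.StringWriter;
import java.util.regex.Pattern;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public class PerUserVelocity {
    // Constructed layout: templates for user "alice" live under /var/templates/alice
    private static final File TEMPLATE_BASE = new File("/var/templates");
    // Matches #parse(...), #include(...), and the #{parse}/#{include} forms.
    private static final Pattern FORBIDDEN = Pattern.compile("#\\s*\\{?(parse|include)\\b");

    /** True if an uploaded template uses a directive we do not allow users to use. */
    public static boolean containsForbiddenDirective(String template) {
        return FORBIDDEN.matcher(template).find();
    }

    /** Builds an engine whose TEMPLATE_ROOT is this user's directory only. */
    public static VelocityEngine engineFor(String userId) throws Exception {
        // Constructed rule: user ids are simple tokens, so they cannot carry ".." or "/".
        if (!userId.matches("[A-Za-z0-9_-]{1,32}")) {
            throw new IllegalArgumentException("bad user id");
        }
        File root = new File(TEMPLATE_BASE, userId);
        VelocityEngine ve = new VelocityEngine();
        // File loader rooted at the per-user directory: #parse/#include resolve only there.
        ve.setProperty(RuntimeConstants.RESOURCE_LOADER, "file");
        ve.setProperty(RuntimeConstants.FILE_RESOURCE_LOADER_PATH, root.getCanonicalPath());
        // Cap #parse nesting so a self-including template cannot recurse without bound.
        ve.setProperty(RuntimeConstants.PARSE_DIRECTIVE_MAXDEPTH, "3");
        // SecureUberspector refuses reflective access to ClassLoader, Class, Thread, etc.
        ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        ve.init();
        return ve;
    }

    /** Renders a user-supplied template string with the user's own confined engine. */
    public static String render(String userId, String template, VelocityContext ctx)
            throws Exception {
        if (containsForbiddenDirective(template)) {
            throw new IllegalArgumentException("#parse/#include are not allowed in user templates");
        }
        StringWriter out = new StringWriter();
        engineFor(userId).evaluate(ctx, out, "user:" + userId, template);
        return out.toString();
    }
}
```

Building an engine per request is shown for clarity; in a servlet you would cache one initialised engine per user, since VelocityEngine.init() is comparatively expensive.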