Great question from Claude. Yes, I think this is an untrusted 3rd party template issue. (or perhaps just a defense against sloppy template design).
Looking at the original issue (VELOCITY-297), the stated intent is to avoid StackOverflowExceptions. I see twin objectives here of providing a more meaningful exception and to ensure that recursive macro calls have consistent behavior regardless of JVM settings and internal method structure. In other words, I prefer to see a Velocity related exception after 20 macro calls, rather than a stack overflow exception after umpteen method calls.

As a corollary to this issue, maybe the exception message can contain a list of macro calls? Something like:

org.apache.velocity.exception MacroOverflowException:
message: "Exceed maximum 20 macro calls. Call stack: macro1 -> macro2 -> macro3 -> macro1 -> macro1 -> macro1"

(obviously, with 20 calls in the list above)

To implement this, you'd have to track the stack of macro calls during page rendering.

WILL

On 6/1/07, Christopher Schultz <[EMAIL PROTECTED]> wrote:
Nathan,

Nathan Bubna wrote:
>> 2. Throw another exception (MacroDepthExceededException?)
>>
>> The way I see it, neither of these options is any better than simply
>> allowing the stack overflow to occur.
>
> Stack overflows can be caused by many things. Throwing a
> MacroDepthException is much more informative, and in the case of 3rd
> party templates being introduced to a running system, can prevent DOS
> type stuff.

Yeah... as I was typing that question, I was thinking "well, stack overflow could mean many things", although I immediately assume that my template has infinite recursion in these cases ;)

I hadn't really thought about 3rd-party templates. Does anyone have any data on the impact of a stack overflow on a running app server?

I would imagine that a better way to perform a DOS would be to concatenate strings forever in an endless loop. There's really no checking that can be done against that.

Okay. Enough nay-saying from me ;)

-chris
--
Forio Business Simulations
Will Glass-Husain
[EMAIL PROTECTED]
www.forio.com
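
Added example, not part of the original thread and not Velocity's own code: one way to track the macro call stack during rendering and fail with the call chain in the message once the limit of 20 is reached. `MacroCallTracker`, `MacroOverflowException` and `renderMacro` are hypothetical names, and `renderMacro` is only a stand-in for a self-recursive macro.

```java
import java.util.ArrayDeque;
import java.util.Deque;
// Added example with hypothetical names; this is not Velocity's API.
public class MacroDepthDemo {
    static class MacroOverflowException extends RuntimeException {
        MacroOverflowException(String message) { super(message); }
    }

    /** One tracker per page render, so the limit does not depend on JVM stack size. */
    static class MacroCallTracker {
        private final int maxDepth;
        private final Deque<String> calls = new ArrayDeque<>();
        MacroCallTracker(int maxDepth) { this.maxDepth = maxDepth; }

        void enter(String macroName) {
            if (calls.size() >= maxDepth) {
                StringBuilder chain = new StringBuilder();
                // push() adds at the head, so walk tail-to-head for oldest call first
                calls.descendingIterator()
                     .forEachRemaining(n -> chain.append(n).append(" -> "));
                chain.append(macroName);
                throw new MacroOverflowException("Exceeded maximum " + maxDepth
                        + " macro calls. Call stack: " + chain);
            }
            calls.push(macroName);
        }

        void exit() { calls.pop(); }
    }

    // Stand-in for rendering a macro whose body calls itself with no base case.
    static void renderMacro(MacroCallTracker tracker, String name) {
        tracker.enter(name);
        try {
            renderMacro(tracker, name);
        } finally {
            tracker.exit(); // unwind even on failure so the tracker stays consistent
        }
    }

    public static void main(String[] args) {
        MacroCallTracker tracker = new MacroCallTracker(20); // limit from the thread
        try {
            renderMacro(tracker, "macro1");
        } catch (MacroOverflowException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The tracker is meant to live for a single render, so one template hitting the limit leaves other requests unaffected.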