[
https://issues.apache.org/jira/browse/VELTOOLS-150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13189234#comment-13189234
]
Nathan Bubna commented on VELTOOLS-150:
---------------------------------------
Ok, while this still feels like something that ought to live at the
ResourceLoader level, i accept that adding a little security to the VLS is not
that hard. I think we should check paths for ".." and ignore such requests.
Do you want to do the fix Christopher?
> VelocityLayoutServlet allows clients to specify "layout" without performing
> any security checks.
> ------------------------------------------------------------------------------------------------
>
> Key: VELTOOLS-150
> URL: https://issues.apache.org/jira/browse/VELTOOLS-150
> Project: Velocity Tools
> Issue Type: Bug
> Components: VelocityView
> Affects Versions: 1.4, 2.0
> Environment: Velocity 1.7, Velocity Tools 2.0.
> Confirmed also affects Velocity 1.4, Velocity Tools 1.4.
> Reporter: Christopher Schultz
> Priority: Critical
> Labels: security
>
> For reference:
> http://markmail.org/thread/43cz2dymzmxjjrq5
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org
