[ https://issues.apache.org/jira/browse/VELTOOLS-150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13189234#comment-13189234 ]
Nathan Bubna commented on VELTOOLS-150:
---------------------------------------

Ok, while this still feels like something that ought to live at the ResourceLoader level, I accept that adding a little security to the VLS is not that hard. I think we should check paths for ".." and ignore such requests. Do you want to do the fix Christopher?

> VelocityLayoutServlet allows clients to specify "layout" without performing
> any security checks.
> ------------------------------------------------------------------------------------------------
>
> Key: VELTOOLS-150
> URL: https://issues.apache.org/jira/browse/VELTOOLS-150
> Project: Velocity Tools
> Issue Type: Bug
> Components: VelocityView
> Affects Versions: 1.4, 2.0
> Environment: Velocity 1.7, Velocity Tools 2.0.
> Confirmed also affects Velocity 1.4, Velocity Tools 1.4.
> Reporter: Christopher Schultz
> Priority: Critical
> Labels: security
>
> For reference:
> http://markmail.org/thread/43cz2dymzmxjjrq5
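The ".." check proposed in the comment above, as an added example that is not Velocity Tools code and not something either participant posted. It shows the bare substring test the comment suggests next to a stricter variant that normalizes the client-supplied name and requires it to resolve beneath the layout directory, so absolute names and backslash separators are refused as well. The class name, the methods, and the `layout` directory are hypothetical; the real VLS configuration and the way it reads the "layout" parameter are not shown on this page.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not Velocity Tools code. Assumes layouts live under one
// configured directory (hypothetical "layout", relative to the webapp root)
// and that the client-supplied name arrives already URL-decoded, as servlet
// request parameters do.
public class LayoutPathCheck {

    // Hypothetical configured layout directory; the real VLS setting is not shown on this page.
    static final Path LAYOUT_DIR = Paths.get("layout");

    // The bare check proposed in the comment: refuse any name containing "..".
    static boolean naiveCheck(String layout) {
        return layout != null && !layout.contains("..");
    }

    // Stricter variant: normalize the name and require that the resolved
    // path still lies beneath LAYOUT_DIR. This also rejects absolute names
    // and backslash separators, which a plain ".." substring test ignores.
    static boolean isSafeLayout(String layout) {
        if (layout == null || layout.isEmpty()) {
            return false;
        }
        // Treat backslashes as separators so "..\" cannot slip past on Windows.
        String name = layout.replace('\\', '/');
        if (name.startsWith("/") || name.indexOf('\0') >= 0) {
            return false; // absolute path or embedded NUL
        }
        Path resolved;
        try {
            resolved = LAYOUT_DIR.resolve(Paths.get(name)).normalize();
        } catch (InvalidPathException e) {
            return false; // characters the platform will not accept in a path
        }
        // "layout/../x" normalizes to "x", which no longer starts with "layout";
        // "layout/.." normalizes to "", which also fails. Equality with the
        // root itself is refused because a layout must be a file inside it.
        return resolved.startsWith(LAYOUT_DIR) && !resolved.equals(LAYOUT_DIR);
    }

    public static void main(String[] args) {
        // Constructed sample inputs of the kind a client could send in the layout parameter.
        String[] samples = {
            "Default.vm",               // ordinary layout name: both checks accept
            "../WEB-INF/web.xml",       // classic traversal: both checks reject
            "..\\..\\WEB-INF\\web.xml", // backslash traversal: naive check still catches ".."
            "/etc/passwd",              // absolute path: only the strict check rejects
            "sub/../Default.vm",        // harmless "..": naive rejects, strict accepts
            "",                         // empty name: strict check rejects
        };
        for (String s : samples) {
            System.out.printf("%-28s naive=%-5b strict=%b%n", s, naiveCheck(s), isSafeLayout(s));
        }
    }
}
```

Servlet containers URL-decode request parameters before `getParameter` returns them, so an encoded `%2e%2e` reaches either check as a literal `..`. The strict variant goes beyond what the comment proposes: rejecting absolute paths and the layout root itself is an addition here, not part of the fix discussed in the issue.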