michael-o commented on pull request #9: URL: https://github.com/apache/velocity-tools/pull/9#issuecomment-716117442
> > > @michael-o As I stated privately, removing the catch clause will not fix the issue -- that's not the catch that's triggered, and it'll break backwards compatibility (expected behavior). Nor will it fix the problem for anyone who may be calling error from a subclass.
> >
> > @JHHAX's simple fix which escapes path is the correct one to use.

I don't share this opinion. With the removal of the code, your potential security issue would be gone. I see no benefit in exposing Velocity internal information to the user besides saying 404 and that the request path is not available. Moreover, HTML is neither a guaranteed nor a stable interface to provide any backward compat.