mkienenb commented on pull request #9: URL: https://github.com/apache/velocity-tools/pull/9#issuecomment-716565224
@michael-o If you want to redesign how VelocityViewServlet handles errors in a separate release and PR, that'd be fine. For a security fix and release, we should be making the change that fixes the problem as widely as possible (every path to the potential XSS) and makes as small a change as possible so people can read the change, see that it will not impact anything they have done, and drop in the fix without having to make any other changes. Escaping the path is the best fit for those criteria.

Right now, callers of error() expect to see the internal details of what went wrong. You may not agree that is a good idea, but that's the expected behavior. Changing that is not a minor change in how their application will behave, especially as we have no idea who is calling error() or for what reasons. As you say, they may be doing something insane and parsing the HTML. A security fix is not the place to be making behavior changes if they can be avoided.

@michael-o Note that I have no vested interest in the current behavior of error() -- I don't use VelocityViewServlet.error() -- and that I am only looking out for the interests of other Velocity end-developers who do use it.

It is difficult for me to understand why we are not going with the simple, trivially verifiable fix for this with known minimal impact and making a security release rather than discussing how we should redesign error handling. Don't force users to pick up behavior changes for a security fix.
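The following is an added illustration of the point being argued above, not code from the pull request or from velocity-tools. It assumes a hypothetical error page that reflects the request path and the exception text (the class, method names and page layout are all invented for the demo); the real VelocityViewServlet.error() may differ. It shows the "before" that concatenates the path straight into HTML, the "after" that keeps the same layout and the same internal details but escapes every untrusted value at the output point, and why escaping only the heading would leave a second path to the XSS open when the exception message also carries the path.

```java
// Added example, not velocity-tools code. Demonstrates escaping a reflected
// path at every output point in a hypothetical servlet error page.
public class ErrorPageEscapeDemo {

    /** Minimal HTML escaper for text and attribute contexts: &, <, >, ", '. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** "Before": the path and the exception are concatenated into HTML as-is (reflected XSS). */
    static String errorPageUnescaped(String path, Throwable cause) {
        return "<html><body><h2>Error processing a template for path '" + path + "'</h2>"
             + "<pre>" + cause + "</pre></body></html>";
    }

    /** Incomplete fix: only the heading is escaped; the exception text still reflects the path. */
    static String errorPageHeadingOnly(String path, Throwable cause) {
        return "<html><body><h2>Error processing a template for path '" + escapeHtml(path) + "'</h2>"
             + "<pre>" + cause + "</pre></body></html>";
    }

    /** "After": same layout and same internal details, every untrusted value escaped at output. */
    static String errorPageEscaped(String path, Throwable cause) {
        return "<html><body><h2>Error processing a template for path '" + escapeHtml(path) + "'</h2>"
             + "<pre>" + escapeHtml(String.valueOf(cause)) + "</pre></body></html>";
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled path; in a servlet it would come from the request URI.
        String path = "/app/'><script>alert(document.cookie)</script>";
        // Hypothetical resource-loading failure whose message repeats the path.
        Throwable cause = new RuntimeException("Template not found: " + path);

        String before = errorPageUnescaped(path, cause);
        String partial = errorPageHeadingOnly(path, cause);
        String after = errorPageEscaped(path, cause);

        System.out.println("unescaped contains <script>:    " + before.contains("<script>"));   // true
        System.out.println("heading-only contains <script>: " + partial.contains("<script>"));  // true
        System.out.println("escaped contains <script>:      " + after.contains("<script>"));    // false
        System.out.println(after);
    }
}
```

The heading-only variant is the case the comment warns about: a fix that escapes the path in one place but not at "every path to the potential XSS" still ships the payload through the exception text. The fully escaped page keeps exactly the information existing callers of error() expect to see, which is what makes it a drop-in change rather than a behavior change.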