I'm building a system where users can customize their site's look and
feel by uploading templates that will override the built-in templates.
I'm trying to explore the security aspects of this right now. It
seems that the method invocation stuff, property setting, and anything
else that could caus
For starters, you should definitely use this setting:
runtime.introspector.uberspect =
org.apache.velocity.util.introspection.SecureUberspector
This Uberspect implementation blocks the following packages and
classes by default, but you can add more to your velocity.properties
if you wish:
introsp
Thanks for the info. I was planning on using wrapper objects.
The 'users' will be admins of the sites, FYI. So there will be a
certain amount of accountability. I'm more concerned about goof ups.
As for the Uberspector -- is that supposed to be backup against
developer error? I mean, it's at
On Fri, Feb 27, 2009 at 9:35 AM, ChadDavis wrote:
> Thanks for the info. I was planning on using wrapper objects.
>
> The 'users' will be admins of the sites, FYI. So there will be a
> certain amount of accountability. I'm more concerned about goof ups.
wrappers are good for this. then you de
