Quoting Steve Downey <[EMAIL PROTECTED]>:

> Perhaps you would prefer this exploit?
>
> http://localhost:8080/velexample/servlet/org.apache.catalina.servlets.DefaultServlet/sample.vm
>
> Horrors! Velocity is insecure!
>
> The DefaultServlet exploit is a general security problem in Tomcat. JSP may be
> somewhat more vulnerable, due to the (somewhat naive) expectation that the
> source will be confidential, but it's not really JSP per se that is at fault.
Actually, there is a big difference here. You're assuming that Velocity macro
pages are programs (well, classes) like JSPs and therefore probably contain
security sensitive information. Usually what you'll see is something like this:

----------------------------------------
#foreach($role in $roles)
  #if($fields.rolename && $fields.rolename==$role.rolename)
    <option selected="selected">$role.rolename</option>
  #else
    <option>$role.rolename</option>
  #end
#end
----------------------------------------

This is a (very typical) snippet from a VM that does editing of the Tomcat
users/roles database in one of my applications. I don't care if people see that
code at all, because the template doesn't do anything but templating. The beef
is elsewhere (i.e. MVC).

Bojan

PS. Glenn, my apologies, I was just answering a direct question.
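An added example, not part of the thread or of any project's own configuration: a `web.xml` fragment showing the defender-side check for the DefaultServlet issue quoted above. The first mapping is the weak arrangement, where `.vm` files sit in the web root and the container's default servlet hands them out verbatim; the `<security-constraint>` with an empty `<auth-constraint>` (standard Servlet-spec syntax) denies every direct request for `*.vm`, so templates are only ever rendered through the application's own controller. The servlet class, its name and the URL patterns are assumptions for illustration.

```xml
<web-app>

  <!-- Weak arrangement: templates live in the web root (e.g. /sample.vm),
       so any request that reaches the container's default servlet, including
       the /servlet/org.apache.catalina.servlets.DefaultServlet/... form quoted
       in the thread, returns the raw template text. -->

  <!-- Assumed controller: the only component meant to render templates. -->
  <servlet>
    <servlet-name>velocity-controller</servlet-name>
    <servlet-class>example.VelocityControllerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>velocity-controller</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>

  <!-- Mitigation: an empty auth-constraint means "no role may access",
       which makes the container refuse every direct request for a .vm
       resource (403), whatever servlet would otherwise have served it.
       Moving templates under WEB-INF/ achieves the same, since the
       container never serves WEB-INF contents directly. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Velocity template sources</web-resource-name>
      <url-pattern>*.vm</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

</web-app>
```

The quoted URL is also a useful regression check after deployment: a request for any `.vm` path should now return 403, while `/app/...` still renders.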