Dear Wiki user, You have subscribed to a wiki page or wiki category on "Jakarta-velocity Wiki" for change notification.
The following page has been changed by WillGlassHusain: http://wiki.apache.org/jakarta-velocity/BuildingSecureWebApplications The comment on the change is: fix out of date references to code ------------------------------------------------------------------------------ == Working with Untrusted HTML Template Designers == + (note: some specific code references below are out of date. see list of enhancements for version 1.5 WGH - 10/7/2005). In many Velocity applications, a small group of people (or a single person) work together on developing a web application. In such a case the focus of the developer is primarily on creating a user-friendly and secure application for the end-user. The developer provides the template designers with a set of simple technical guidelines for page design, most notably a list of available VTL references tools, and sets up CVS or FTP access to the web tree. In this common scenario, both the developers and the template writers have responsibility for ensuring the application works smoothly and securely. @@ -160, +161 @@ Some notes on developing a web-application with "untrusted" template designers: * As discussed above, only provide safe references in the context. Methods should not be able to change the app state, execute SQL queries or access the File system. - * Review the potential use of #include and #parse. In the author's application, templates and private user data for all accounts were originally stored in parallel directories in a web tree all in the same resource path. This meant that any template user could use #include to display template or data from another user. [http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED]&msgNo=10462 Serge Knystautas has suggested one possible solution] to this dilemma which is to create a custom resource loader that loads templates based on the current user. 
Another solution is to use [http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20342 a patch to Velocity developed by the author] which allows the developer to control the actual template returned by #include and #parse by using an event handler. (Typically, this would involve restricting each account to only include pages in that account). + * Review the potential use of #include and #parse. In the author's application, templates and private user data for all accounts were originally stored in parallel directories in a web tree all in the same resource path. This meant that any template user could use #include to display template or data from another user. [http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED]&msgNo=10462 Serge Knystautas has suggested one possible solution] to this dilemma which is to create a custom resource loader that loads templates based on the current user. Another solution is to use [http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20342 a patch to Velocity developed by the author] which allows the developer to control the actual template returned by #include and #parse by using an event handler. (Typically, this would involve restricting each account to only include pages in that account). (update: new event handler included in source code tree, to be released in version 1.5 - WGH) - In addition, the comments above about configuring a security manager become critical in this type of application. Developers should be aware that template designers have the ability to call getClassLoader() returning a !ClassLoader which could be used to [http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED]&msgNo=5980 instantiate any class and call any method] in the default configuration. [http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20341 The author has proposed a patch to Velocity] that would restrict this dangerous capability. + In addition, the comments above about configuring a security manager become critical in this type of application. 
Developers should be aware that template designers have the ability to call getClassLoader() returning a !ClassLoader which could be used to [http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED]&msgNo=5980 instantiate any class and call any method] in the default configuration. [http://issues.apache.org/jira/browse/VELOCITY-179 The author has proposed a patch to Velocity] that would restrict this dangerous capability. (update: patch accepted and scheduled for version 1.6 - WGH) Clearly the safest path is to restrict template design to a small group of trusted template writers. However, Velocity remains a useful tool in the case where a larger pool of users can upload templates. In such a case you must be even more careful to consider issues around system integrity and security. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
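Review bot: the line added under the "Working with Untrusted HTML Template Designers" heading, "(note: some specific code references below are out of date. see list of enhancements for version 1.5 WGH - 10/7/2005)", sends the reader to a list of enhancements without linking it, and the numeric date is ambiguous; link the 1.5 enhancements page (or release notes) and spell out the month. Since the per-item "(update: ... - WGH)" parentheticals further down already say which items landed in 1.5 and which are scheduled for 1.6, this blanket note would be more useful if it said which references are still stale rather than "some".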
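Review bot: in the @@ -160, +161 @@ hunk the rewritten #include/#parse bullet still links the old nagoya bugzilla entry (show_bug.cgi?id=20342) while the getClassLoader paragraph in the same hunk was migrated to JIRA (VELOCITY-179); migrate the 20342 reference too, and since the update says the event handler is "included in source code tree", name the handler interface and the configuration property the developer sets, so a reader on 1.5 finds the shipped mechanism instead of a superseded patch. The getClassLoader paragraph keeps the sentence that templates can "instantiate any class and call any method in the default configuration" but the new update says the fix is "scheduled for version 1.6"; state plainly that 1.5 and earlier remain exposed and that the security-manager setup referred to as "the comments above" is the only mitigation until then (a link to that section would help). Finally, the eyebrowse URLs in both paragraphs carry "[EMAIL PROTECTED]" where the list address belongs and will not resolve as written; repair or replace them with archive links.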
