Will Glass-Husain wrote:
(Slow motion closeup of arm wave and body shake) Noooo!
Well, I guess you could, but it's really poor practice. When we roll
out the security fix for version 1.6 (if I have my way) this will be one
of the few non-backwards compatible changes. (You'll be able to flip a
switch in the config file to remain compatible, but the default will be
off).
Any chance of this getting into the 1.5 release? Is it more of a time
issue or is there a reason to push it out to 1.6?
It is a pain in the butt to lock down a server to account for this issue
(at least for me, someone who does this very rarely).
best,
-Rob
Since this is now in the archive, let me remind readers where they can
get more info on this.
Article with examples
http://wiki.apache.org/jakarta-velocity/HackingVelocity
Prevent execution of methods on Class, ClassLoader and related classes
http://issues.apache.org/jira/browse/VELOCITY-179
WILL