http://wiki.apache.org/jakarta-velocity/BuildingSecureWebApplications
On 4/4/06, Ben <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I am thinking of using Velocity engine in an e-commerce platform, where the
> users will be able to upload their own templates to customize the layout of
> their store. I've read somewhere that Velocity has a built in security flaw,
> where people could do things like AnyClass.getClassLoader() and use that to
> load any java class and basically do anything they want. I've also read
> about a patch being developed to address this issue which is scheduled to be
> integrated into Velocity version 1.6
>
> I'm wondering, when is that version of velocity scheduled to come out, and
> are there any other security related issues I should watch out for in my
> scenario, where basically people who upload templates are untrusted users.
>
> Also, does velocity have a built in timeout feature, where for example if
> any template takes more than 5 seconds to render, I'll be able to interrupt
> the rendering process? This feature is also important to me, as I don't want
> any single user to tie up all system resources.
>
> Thanks,
> Ben
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
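The two concerns raised in the quoted question (reflection reaching getClassLoader() from a template, and a per-render time budget) can be addressed together in the code that hands untrusted templates to the engine. The following is an added example written for this archive page; it is neither code from the thread nor the Velocity project's own code. It assumes the configuration keys runtime.introspector.uberspect, introspector.restrict.packages, introspector.restrict.classes and directive.foreach.maxloops together with the SecureUberspector class as they exist in Velocity 1.5 and later (not the 1.6 release the question mentions); the deny-lists, the five-second budget, the worker count, the sample context and the sample template are constructed choices for illustration.

```java
import java.io.StringWriter;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

// Renders store templates supplied by untrusted users: reflection is restricted
// through SecureUberspector and every render runs under a wall-clock budget.
public class UntrustedTemplateRenderer {

    // Wall-clock budget per render (the five seconds asked about in the question).
    private static final long RENDER_TIMEOUT_SECONDS = 5;

    private final VelocityEngine engine;
    private final ExecutorService pool;

    public UntrustedTemplateRenderer(int workers) {
        engine = new VelocityEngine();
        // SecureUberspector (Velocity 1.5+) refuses getClassLoader() and calls on
        // restricted classes, so a template cannot pivot from a String to a ClassLoader.
        engine.setProperty("runtime.introspector.uberspect",
                "org.apache.velocity.util.introspection.SecureUberspector");
        // Constructed deny-lists; tailor them to the objects the store context exposes.
        engine.setProperty("introspector.restrict.packages",
                "java.lang.reflect,java.io,java.nio,java.net");
        engine.setProperty("introspector.restrict.classes",
                "java.lang.Class,java.lang.ClassLoader,java.lang.Runtime,"
                + "java.lang.System,java.lang.Thread");
        // Cap #foreach iterations so one loop cannot run unbounded.
        engine.setProperty("directive.foreach.maxloops", "1000");
        engine.init();
        // Bounded pool: a stuck render occupies one worker, not the request thread.
        pool = Executors.newFixedThreadPool(workers);
    }

    // Renders templateText against ctx, failing with TimeoutException if the
    // budget is exceeded. evaluate() merges a template string, not a file.
    public String render(final String templateText, final VelocityContext ctx)
            throws TimeoutException, ExecutionException, InterruptedException {
        Future<String> job = pool.submit(new Callable<String>() {
            public String call() throws Exception {
                StringWriter out = new StringWriter();
                engine.evaluate(ctx, out, "store-template", templateText);
                return out.toString();
            }
        });
        try {
            return job.get(RENDER_TIMEOUT_SECONDS, TimeUnit.SECONDS);
        } catch (TimeoutException te) {
            job.cancel(true); // interrupts the worker; see the note below on its limits
            throw te;
        }
    }

    public void shutdown() {
        pool.shutdownNow();
    }

    public static void main(String[] args) throws Exception {
        UntrustedTemplateRenderer renderer = new UntrustedTemplateRenderer(4);
        VelocityContext ctx = new VelocityContext();
        ctx.put("storeName", "Example Store"); // constructed sample data
        // Constructed template in the style of the question: the getClassLoader()
        // call is refused by SecureUberspector, so the reference stays unresolved
        // and is emitted literally instead of being executed.
        String template = "Welcome to $storeName: $storeName.getClass().getClassLoader()";
        try {
            System.out.println(renderer.render(template, ctx));
        } catch (TimeoutException e) {
            System.out.println("template exceeded " + RENDER_TIMEOUT_SECONDS
                    + "s budget; rejected");
        } finally {
            renderer.shutdown();
        }
    }
}
```

Future.cancel(true) only sets the worker's interrupt flag, and Velocity's render loop does not poll it, so a template that is already spinning may keep its worker busy until the loop cap or the JVM stops it; the bounded pool limits the blast radius to the configured number of workers, and moving rendering into a separate process gives a hard kill if that is not enough. Unresolved references rendering literally is also a useful detection signal: logging them per store owner shows which uploaded templates are probing for restricted methods.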
