Well, this is really more Will's area of expertise. I have the luxury of not letting users of my apps define their own templates. So, i've not had any need to use a JavaSecurityManager.
The language in the article is a little unclear. Version 1.6 has not started development yet. We are still tweaking 1.5 in our collectively scarce free time. It's more that the patch in question has been put on the roadmap for 1.6. In the meantime, the info and references in http://issues.apache.org/jira/browse/VELOCITY-179 should provide a number of options for restricting classloader use in your user's templates. As far as interrupting template processing... i've been in this community for about five years and i can't recall anyone else ever asking for or needing this. so, no, this is supported nor is it scheduled to be. i can't imagine that it would be difficult to implement using Threads. if you come up with something useful here, you might consider sharing it with the community. :) On 4/5/06, Ben <[EMAIL PROTECTED]> wrote: > Thanks, that is the page i read about this problem from before. It has a > link to http://issues.apache.org/jira/browse/VELOCITY-179 which has the > classloader patch. It aslo says the proposed patch has been accepted for > velocity version 1.6, hence my question about the scheduled release date of > that version. > > Also didn't see anywhere in that article about the ability to interrupt the > rendering process after let's say 5 seconds so that a single user doesn't > take up all resources on the server. Is that something which velocity > currently supports/is cheduled to be supported in some future version, or do > i have to built in that feature in my application, and if yes, can you > please suggest the best route to do this? Is there an interrupt method in > velocity which i can call after 5 sec, let's say, which will interrupt the > rendering process? > > Thanks, > Ben > > ----- Original Message ----- > From: "Nathan Bubna" <[EMAIL PROTECTED]> > To: "Velocity Users List" <[email protected]> > Sent: Tuesday, April 04, 2006 2:59 PM > Subject: Re: using Velocity in an untrusted environment > > > http://wiki.apache.org/jakarta-velocity/BuildingSecureWebApplications > > On 4/4/06, Ben <[EMAIL PROTECTED]> wrote: > > Hi all, > > > > I am thinking of using Velocity engine in an e-commerce platform, where > > the > > users will be able to upload their own templates to customize the layout > > of > > their store. I've read somewhere that Velocity has a built in security > > flaw, > > where peole could do things like AnyClass.getClassLoader() and use that to > > load any java class and basically do anything they want. I've also read > > about a patch being developed to address this issue which is scheduled to > > be > > integrated into Velocity version 1.6 > > > > I'm wondering, when is that version of velocity scheduled to come out, and > > are there any other security related issues i should watch out for in my > > scenario, where basically people who upload templates are untrusted users. > > > > Also, does velocity have a built in timeout feature, where for example if > > any template takes more than 5 seconds to render, I'll be able to > > interrupt > > the rendering process? This feature is also important to me, as I don't > > want > > any single user to tie up all system resources. > > > > Thanks, > > Ben > > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
