
Re: security audit: msg#00157

jakarta.velocity.user

Subject: Re: security audit

Nathan,

Thanks for your detailed and helpful set of thoughts. Good point about
wrapping context objects and avoiding the VelocityServlet. (I'm actually using
my own servlet, but have a bit of legacy code copied over from the VS).

If it wasn't clear in my last email, this was a list of security issues I
encountered in *my application*, and the solutions I plan on taking (not a
laundry list of problems with Velocity, which -- with a few reservations -- I
think is a great tool). Obviously, the security and integrity of an
application is wholly the responsibility of the developer and sysadmin.

I post these issues (which may or may not be applicable to others) to ask for
ideas on other risks, and to help people think through risks with their own
Velocity-based web applications. For example, although the Torque issue is not
a "velocity" issue, it definitely was a potential exploit for my app. It was a
bit of a shock to realize that my system allowed any template writer to use a
reference to do arbitrary SQL calls. A caution to other Velocity developers --
be sure that you know what is in your context and that you are comfortable with
all the methods that are exposed.

By the way, the biggest risk-reduction technique would be to only allow a small
trusted set of people to write templates. But in my application, hundreds of
people write templates, so I'm trying to make this a safe environment. If
anyone has other ideas, please let me know.

Cheers,

WILL



_______________________________________
Forio Business Simulations
Will Glass-Husain
www.forio.com
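The "wrap your context objects" advice discussed above, as an added example that is not code from the original post or from the Velocity project: a read-only facade around a hypothetical persistence class `Account` is placed in the context instead of the raw object, so a template can read its data but has no path to a method such as `executeSql` that would run arbitrary SQL. The class and method names are assumptions; only the Velocity API calls are real.

```java
import java.io.StringWriter;
import java.util.Collections;
import java.util.List;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;

// Hypothetical persistence object of the kind a Torque-generated class might be:
// it carries data but also exposes a method that talks to the database directly.
class Account {
    private final String name;
    Account(String name) { this.name = name; }
    public String getName() { return name; }
    // Dangerous if reachable from a template: runs whatever SQL it is handed.
    public List<String> executeSql(String sql) {
        // Stand-in for a real database call in this constructed example.
        return Collections.emptyList();
    }
}

// Read-only facade: the only methods a template author can call are the ones
// declared here. Velocity introspects the runtime class of the object it finds
// in the context, so the wrapped Account's other public methods are not visible.
final class AccountView {
    private final Account delegate;
    AccountView(Account delegate) { this.delegate = delegate; }
    public String getName() { return delegate.getName(); }
}

public class ContextWrappingExample {
    public static void main(String[] args) throws Exception {
        Velocity.init();
        VelocityContext ctx = new VelocityContext();
        // Put the facade into the context, never the raw persistence object.
        ctx.put("account", new AccountView(new Account("alice")));

        // Constructed sample of a template written by an untrusted author.
        String template = "Hello $account.name. $account.executeSql('...')";
        StringWriter out = new StringWriter();
        Velocity.evaluate(ctx, out, "demo", template);

        // executeSql is not a method of AccountView, so Velocity cannot invoke it;
        // the unresolved reference is emitted as literal text and no SQL runs.
        System.out.println(out);
    }
}
```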