Re: security audit (jakarta.velocity.user, msg #00171)
Well said, Barbara. Yes, the ability to instantiate arbitrary classes and execute arbitrary methods has been a dirty little secret among the more technical Velocity developers. Discussion has come up from time to time on the dev list (which I monitor) and in several other places.

This capability arises from the fact that Velocity lets you call any public method on an object in the context... there's a chain of methods that you can call that will instantiate any class. So far, the Velocity committers seem to have ignored this issue. I've patched my personal copy of Velocity, but I'm guessing most developers aren't even aware of the problem.

WILL

Barbara:
> Gee, I didn't know I could just call any public class I wanted from a
> template. I thought the designer was limited to what was in the context.
> Anyway, I think that's the way it should be.
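The risk WILL describes is that the default introspector resolves any public method on any object a template can reach. A mitigation Velocity itself later shipped (the SecureUberspector, added in Velocity 1.6, well after this thread) is shown below as an added example; this is not WILL's personal patch and not code from anyone in the thread. It assumes the Velocity 1.6/1.7 property names ("runtime.introspector.uberspect", "introspector.restrict.packages", "introspector.restrict.classes"; Velocity 2.x renames the first to "introspector.uberspect.class") and puts the stock configuration beside the hardened one:

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

/**
 * Two engine configurations side by side: the stock one, under which a template
 * may invoke any public method on any object it can get hold of, and a hardened
 * one using Velocity's SecureUberspector (Velocity 1.6 and later). Property keys
 * are the 1.6/1.7 names; Velocity 2.x renames the uberspector key to
 * "introspector.uberspect.class".
 */
public class HardenedVelocity {

    /** Stock configuration: every public method on every context object is callable. */
    public static VelocityEngine permissiveEngine() {
        VelocityEngine ve = new VelocityEngine();
        ve.init();
        return ve;
    }

    /** Hardened configuration: reflective, loader and process classes are off limits. */
    public static VelocityEngine hardenedEngine() {
        VelocityEngine ve = new VelocityEngine();
        // Replace the default introspector with the restricting one.
        ve.setProperty("runtime.introspector.uberspect",
                "org.apache.velocity.util.introspection.SecureUberspector");
        // Packages and classes whose methods templates may never invoke.
        // This list is chosen for the example; Velocity ships its own defaults.
        ve.setProperty("introspector.restrict.packages", "java.lang.reflect");
        ve.setProperty("introspector.restrict.classes",
                "java.lang.Class,java.lang.ClassLoader,java.lang.Runtime,"
              + "java.lang.Process,java.lang.ProcessBuilder,java.lang.System,java.lang.Thread");
        ve.init();
        return ve;
    }

    /** Renders a template string against a context holding only the data the designer needs. */
    public static String render(VelocityEngine ve, String template, String userName)
            throws Exception {
        VelocityContext ctx = new VelocityContext();
        // A plain String goes in, not a service object whose methods have side effects:
        // the context is the template's only entry point into the application.
        ctx.put("user", userName);
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "greeting", template);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // A benign template renders identically under both engines.
        String greeting = "Hello, $user.toUpperCase()!";
        System.out.println(render(permissiveEngine(), greeting, "Barbara"));
        System.out.println(render(hardenedEngine(), greeting, "Barbara"));
        // Under hardenedEngine(), any reference that walks from a context object to a
        // restricted class (java.lang.Class, a ClassLoader, Runtime, ...) is refused by
        // the introspector and logged, instead of being invoked.
    }
}
```

Two points worth keeping separate: the SecureUberspector restricts which classes a template can call into, while the second half of the defence, putting only plain data objects into the context rather than services with powerful public methods, costs nothing and works on any Velocity version, including the ones this thread was written against.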