Re: security audit (msg#00173, jakarta.velocity.user)
Will said:
...
> So far, the Velocity committers seem to have ignored this issue. I've
> patched my personal copy of Velocity, but I'm guessing most developers
> aren't even aware of the problem.

hey now, let's be fair. i've been watching the dev-list for several years myself. this issue has come up only once or twice that i can remember. each time, we are reminded that there *is* at least one legitimate--though admittedly difficult--solution already (java's SecurityManager). now we may not all agree that that is sufficient (personally, i'm inclined to agree that a template language should be shipped secure), but to get from there to accusing the developers of apathy and/or ignorance is not entirely fair.

please remember that this is volunteer driven open source. this means that it is "itch-driven." in other words, the developers scratch their itches first, and then, *if they want,* they scratch other people's itches. and, as one might expect, if you have an itch you want scratched, you are a lot more likely to get someone to do it if you have already told them where it is (bug post) and how to scratch it (patch). if they still don't or won't scratch it for you, you are always free to scratch them yourself. (and maybe help scratch other itches until they make you one of them)

so, as i have said several times now, i don't think most people have to worry about this issue. it has always been my perception that the significant majority of velocity users are developing applications where either they are the template designers or they can fully trust the designers. certainly this seems to be the case with Velocity's committers. so far, people have talked about this security "itch" only sporadically, and the developers clearly aren't suffering from it. no one has ever even posted notice of it in Bugzilla! you, Will, are the first to even mention having a patch AFAIK.

before you go ragging on the developers i suggest you post a bug, attach your patch, and nicely remind the dev-list about it from time to time until the matter is resolved. yes, i know the dev-list has been very quiet (apart from velocity-tools stuff, of course), but there is little else to be done at this point.

again, there are solutions already, even if not all will work for you:

1. don't accept untrusted templates. (for those taking user-uploaded templates, perhaps you could scan them for getClass(), getClassLoader() etc. using regexp or the TemplateTool in velocity's contrib area)
2. use java's SecurityManager to set up your restrictions
3. modify the source yourself

Nathan Bubna
nathan@xxxxxxxx
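
The regexp scan suggested in option 1, as an added Java example that is not part of the message above or of Velocity's own code: it flags template lines that reach `getClass()` or `getClassLoader()` either by method call or through Velocity's property shorthand (`$x.class`, `$x.classLoader`). The class name, the pattern and the sample template are assumptions constructed for illustration, and a pattern match is a heuristic filter for uploaded templates, not a sandbox.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TemplateReflectionScan {
    // Method-call form (.getClass(), .getClassLoader()) and Velocity's property
    // shorthand (.class, .Class, .classLoader), which resolves to the same getters.
    // The trailing \b keeps ordinary properties such as $item.classification clean.
    private static final Pattern REFLECTION = Pattern.compile(
        "\\.(getClass(?:Loader)?\\s*\\(|[cC]lass(?:Loader)?\\b)");

    /** Returns one "line N: text" finding per template line that matches. */
    static List<String> scan(String template) {
        List<String> findings = new ArrayList<>();
        String[] lines = template.split("\\r?\\n", -1);
        for (int i = 0; i < lines.length; i++) {
            Matcher m = REFLECTION.matcher(lines[i]);
            if (m.find()) {
                findings.add("line " + (i + 1) + ": " + lines[i].trim());
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample template, not taken from the thread.
        String template = String.join("\n",
            "Hello $user.name",
            "#set($c = $user.getClass())",
            "$user.class.classLoader",
            "Your class schedule: $schedule.summary",
            "$item.classification",
            "$user.Class.getClassLoader()");
        List<String> findings = scan(template);
        findings.forEach(System.out::println);
        // Reject the upload (or route it to manual review) on any finding.
        System.out.println(findings.isEmpty() ? "ACCEPT" : "REJECT");
    }
}
```

On the sample input, lines 2, 3 and 6 are reported and the template is rejected; the plain-text word "class" on line 4 and the `classification` property on line 5 are not flagged.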