
Re: security audit: msg#00194

jakarta.velocity.user

Subject: Re: security audit

Attila,

Thanks for the list of methods, that was very helpful. This is perhaps a
bit overly technical for the user list, but a quick question nonetheless.

The patch I submitted for Velocity blocks at the class level, not the method
level. It includes all the methods you listed except for Object.wait and
Object.notify. My take is that those aren't as much of a risk, as all that
would happen by calling wait/notify is the current thread (e.g. the web page
being loaded) would be blocked-- no other system functions would be
affected. Does this seem reasonable from your viewpoint?

WILL


Attila:

Actually, I have already gone through the Java API and identified those
methods that shouldn't be allowed to be called from a template. The list is
used in FreeMarker to restrict calls to methods at its default security
level (FreeMarker actually has security levels for accessing methods...)

_______________________________________
Forio Business Simulations
Will Glass-Husain
www.forio.com
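Added illustration, not the Velocity patch or FreeMarker's code: a hypothetical class-level restriction in the spirit of the one discussed above, showing why Object.wait passes such a check (it is declared on java.lang.Object, which is not denied) while a method inherited from Object but invoked on a denied receiver such as Thread is still refused. The deny list and the class name ClassLevelRestriction are assumptions.

```java
import java.lang.reflect.Method;
import java.util.*;

// Class-level restriction of methods reachable from a template, as discussed
// above. Hypothetical example, not the Velocity patch itself: a call is refused
// when the method's declaring class, or any class or interface in the
// receiver's hierarchy, is on the deny list.
public class ClassLevelRestriction {

    // Assumed deny list of classes a template has no business touching.
    private static final Set<String> DENIED = Set.of(
        "java.lang.Class", "java.lang.ClassLoader", "java.lang.Runtime",
        "java.lang.System", "java.lang.Thread", "java.lang.ProcessBuilder");

    // Every class and interface in the receiver's hierarchy, receiver included.
    static Set<Class<?>> hierarchy(Class<?> c) {
        Set<Class<?>> seen = new HashSet<>();
        Deque<Class<?>> work = new ArrayDeque<>();
        work.push(c);
        while (!work.isEmpty()) {
            Class<?> cur = work.pop();
            if (!seen.add(cur)) continue;
            if (cur.getSuperclass() != null) work.push(cur.getSuperclass());
            for (Class<?> i : cur.getInterfaces()) work.push(i);
        }
        return seen;
    }

    // True if a template may invoke m on an object whose class is receiver.
    public static boolean isAllowed(Class<?> receiver, Method m) {
        if (DENIED.contains(m.getDeclaringClass().getName())) return false;
        for (Class<?> c : hierarchy(receiver)) {
            if (DENIED.contains(c.getName())) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Object.wait is declared on java.lang.Object, which is not denied:
        // at worst it stalls the thread rendering this page.
        System.out.println("Object.wait: "
            + isAllowed(Object.class, Object.class.getMethod("wait")));
        // getClass is declared on Object too, but the receiver is a Thread, so
        // the hierarchy walk refuses it (a subclass of Thread is refused alike).
        System.out.println("Thread.getClass: "
            + isAllowed(Thread.class, Thread.class.getMethod("getClass")));
    }
}
```

Checking the receiver's whole hierarchy, not only the method's declaring class, is what keeps a class-level deny list from being bypassed by calling an inherited method on a subclass of a denied type.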

