Re: security audit (jakarta.velocity.user, msg #00203)
Actually, calling wait() on an object is more likely to cause IllegalStateException except if the template author somehow manages to first cause the thread to enter the object's monitor (that is, synchronize on it). But if it does, then blocking a thread indefinitely is a very good way to mount a DoS attack - every new request will block another thread, eventually exhausting either a limited thread pool, or ultimately the system resources.

Attila.

----- Original Message -----
From: "Will Glass-Husain" <wglass@xxxxxxxxx>
To: <velocity-user@xxxxxxxxxxxxxxxxxx>
Sent: Friday, May 30, 2003 8:09 PM
Subject: Re: security audit

> Attila,
>
> Thanks for the list of methods, that was very helpful. This is perhaps a
> bit overly technical for the user list, but a quick question nonetheless.
>
> The patch I submitted for Velocity blocks at the class level, not the method
> level. It includes all the methods you listed except for Object.wait and
> Object.notify. My take is that those aren't as much of a risk, as all that
> would happen by calling wait/notify is the current thread (e.g. the web page
> being loaded) would be blocked; no other system functions would be
> affected. Does this seem reasonable from your viewpoint?
>
> WILL
>
>
> Attila:
>
> Actually, I have already gone through the Java API and identified those
> methods that shouldn't be allowed to be called from a template. The list is
> used in FreeMarker to restrict calls to methods at its default security
> level (FreeMarker actually has security levels for accessing methods...)
>
> _______________________________________
> Forio Business Simulations
> Will Glass-Husain
> www.forio.com
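The two behaviours discussed above, as an added illustration written for this page (it is not code from the thread, from Velocity or from FreeMarker): first, that Object.wait() called by a thread that does not own the monitor fails immediately with IllegalMonitorStateException; second, that once the caller does hold the monitor, each "request" that reaches wait() parks one worker thread for good, so a bounded pool fills up and the next request is never served. The TemplateMethodGuard class and its denylist of Object.wait/notify/notifyAll plus a few JDK classes are hypothetical, a sketch of the kind of reflective check a template engine could apply before invoking a method, not the patch Will describes. Requires Java 9 or later for Set.of.

```java
import java.lang.reflect.Method;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class TemplateMethodGuard {

    // Hypothetical denylist: monitor methods every object inherits from
    // Object, plus classes a template has no business touching.
    private static final Set<String> BLOCKED_OBJECT_METHODS =
            Set.of("wait", "notify", "notifyAll");
    private static final Set<Class<?>> BLOCKED_CLASSES =
            Set.of(Thread.class, Runtime.class, System.class, Class.class, ClassLoader.class);

    /** Decide whether a template may invoke m on an instance of target. */
    static boolean isAllowed(Class<?> target, Method m) {
        if (m.getDeclaringClass() == Object.class
                && BLOCKED_OBJECT_METHODS.contains(m.getName())) {
            return false;                      // method-level block
        }
        for (Class<?> c : BLOCKED_CLASSES) {
            if (c.isAssignableFrom(target)) {
                return false;                  // class-level block
            }
        }
        return true;
    }

    /** wait() without owning the monitor: the JVM rejects it at once. */
    static String waitWithoutMonitor(Object o) {
        try {
            o.wait();
            return "returned";
        } catch (IllegalMonitorStateException e) {
            return "IllegalMonitorStateException";
        } catch (InterruptedException e) {
            return "interrupted";
        }
    }

    private static volatile boolean released = false;

    /** wait() while owning the monitor: the calling thread parks until notified. */
    static void waitWithMonitor(Object o) throws InterruptedException {
        synchronized (o) {
            while (!released) {
                o.wait();                      // loop guards against spurious wakeups
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Object lock = new Object();
        System.out.println("wait() outside monitor: " + waitWithoutMonitor(lock));

        // Stand-in for a servlet container's worker pool: four threads.
        ExecutorService pool = Executors.newFixedThreadPool(4);
        for (int i = 0; i < 4; i++) {
            // Each simulated request runs a "template" that reaches wait().
            pool.submit(() -> { waitWithMonitor(lock); return null; });
        }
        // Fifth request: no free worker, so it never starts.
        Future<String> fifth = pool.submit(() -> "served");
        try {
            System.out.println("fifth request: " + fifth.get(500, TimeUnit.MILLISECONDS));
        } catch (TimeoutException e) {
            System.out.println("fifth request never ran: all 4 workers are parked in wait()");
        }

        // Release the parked workers so the demo can exit cleanly.
        released = true;
        synchronized (lock) { lock.notifyAll(); }
        pool.shutdownNow();

        // The guard would have refused the call before any worker was parked.
        System.out.println("wait allowed?     "
                + isAllowed(lock.getClass(), Object.class.getMethod("wait")));
        System.out.println("toString allowed? "
                + isAllowed(lock.getClass(), Object.class.getMethod("toString")));
        System.out.println("Thread.sleep allowed? "
                + isAllowed(Thread.class, Thread.class.getMethod("sleep", long.class)));
    }
}
```

The class-level check alone would not catch wait()/notify(), because they are declared on Object and so are reachable through any object a template can name; that is why the guard also checks the declaring class and method name. Whether a template can ever enter the monitor first (and thus get past the IllegalMonitorStateException) depends on the engine, as Attila notes; the check costs nothing and removes the question.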