Restrict access to Velocity's capabilities

[Ben <ne...@gmail.com>]

Hi

I have been using Velocity throughout my site and I am in awe with its
capabilities. However there are situations where I need to restrict
its capabilities to a certain extend.

For example, my site allows users to upload templates and be able to
use a number of predefined variables. What I don't want them to do is
to use Velocity to abuse the system, such as using directives and
writing macros.

Is there a way to create a Velocity instance with directives and other
features disabled? The only thing I need is reference to variables.

Thanks,
Ben

---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-user-help@jakarta.apache.org

Re: Restrict access to Velocity's capabilities

[Will Glass-Husain <wg...@forio.com>]

Hi Ben,

Restricting access is a tricky issue.  We have a publically available system 
in which hundreds of users upload templates.  I've written a few thoughts on 
how to have a secure server environment here:

http://wiki.apache.org/jakarta-velocity/BuildingSecureWebApplications

"Abusing the system" is a matter of definition.  If what you mean is not to 
allow them to mess with other users, you'll want to install a custom 
introspector to prevent calls to system classes and you'll need to modify 
#include and #parse to prevent users from viewing the contents of other 
users templates.  You can write your own classloader now.
There's a patch in the works that will let you make the second of those 
modifications.
http://issues.apache.org/bugzilla/show_bug.cgi?id=28388

Otherwise, macros and directives seem pretty harmless to me.


Best,
WILL


----- Original Message ----- 
From: "Ben" <ne...@gmail.com>
To: "Velocity" <ve...@jakarta.apache.org>
Sent: Sunday, January 23, 2005 10:04 PM
Subject: Restrict access to Velocity's capabilities


> Hi
>
> I have been using Velocity throughout my site and I am in awe with its
> capabilities. However there are situations where I need to restrict
> its capabilities to a certain extend.
>
> For example, my site allows users to upload templates and be able to
> use a number of predefined variables. What I don't want them to do is
> to use Velocity to abuse the system, such as using directives and
> writing macros.
>
> Is there a way to create a Velocity instance with directives and other
> features disabled? The only thing I need is reference to variables.
>
> Thanks,
> Ben
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: velocity-user-help@jakarta.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-user-help@jakarta.apache.org

Re: Restrict access to Velocity's capabilities

[Mike Kienenberger <mk...@alaska.net>]

Ben <ne...@gmail.com> wrote:
> Hi
> 
> I have been using Velocity throughout my site and I am in awe with its
> capabilities. However there are situations where I need to restrict
> its capabilities to a certain extend.
> 
> For example, my site allows users to upload templates and be able to
> use a number of predefined variables. What I don't want them to do is
> to use Velocity to abuse the system, such as using directives and
> writing macros.
> 
> Is there a way to create a Velocity instance with directives and other
> features disabled? The only thing I need is reference to variables.

The best thing to do is simply escape all # symbols when it's uploaded.   
Ie, replace them with $esc.hash or something equivalent.

Personally, I'd go a step further and escape all $ symbols as well, then 
manually unescape any instance of ${esc.dollar}allowed_variable_name back to 
${allowed_variable_name} where allowed variable name is in a preset list.

---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-user-help@jakarta.apache.org