Posted to user@velocity.apache.org by Tony Morris <di...@hotmail.com> on 2005/04/22 04:20:36 UTC

Velocity security

I had a bit of a fiddle with Velocity a while back, and I'm considering 
using it in a J2EE project that is coming up. A requirement that I have is 
that users should be able to submit their preferred format for rendering of 
their web page, for which I thought Velocity would be entirely appropriate. 
The issue I have is security-related. I had a look through the Velocity user 
guide and the only real potential hole that I see is the use of the #parse 
or #include directive. I shouldn't expect users will use this, but I need to 
protect against it nonetheless (are there any other potential holes that I 
can't see?). The user document talks about the 'TEMPLATE_ROOT' (what is that 
exactly?) being the only place from which the referenced files can be 
included/parsed, but I'm wondering if Velocity provides something to solve 
what I believe would be a common problem, perhaps by preventing 
include/parse directives altogether - or perhaps some unforeseen solution 
that is more well suited.

Thanks for any tips.

Tony Morris
Software Engineer
Gold Coast, Australia



---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-user-help@jakarta.apache.org


Re: Velocity security

Posted by Barbara Baughman <ba...@utdallas.edu>.
You could set up each user with their own VelocityEngine, and supply a
directory name for the templates that is exclusive to that user.
Then the #parse and #include could only reach files that are exclusive
to that user.  You can optionally include more than one directory for
templates in the VelocityEngine, so you might also have a directory of
files that can be used by all users.

So when someone went to the user's web page, you would look up the
directory for that user, set up the appropriate VelocityEngine, set the
VelocityContext, and do a MergeTemplate.

Barbara Baughman
X2157

On Fri, 22 Apr 2005, Tony Morris wrote:

> I had a bit of a fiddle with Velocity a while back, and I'm considering
> using it in a J2EE project that is coming up. A requirement that I have is
> that users should be able to submit their preferred format for rendering of
> their web page, for which I thought Velocity would be entirely appropriate.
> The issue I have is security-related. I had a look through the Velocity user
> guide and the only real potential hole that I see is the use of the #parse
> or #include directive. I shouldn't expect users will use this, but I need to
> protect against it nonetheless (are there any other potential holes that I
> can't see?). The user document talks about the 'TEMPLATE_ROOT' (what is that
> exactly?) being the only place from which the referenced files can be
> included/parsed, but I'm wondering if Velocity provides something to solve
> what I believe would be a common problem, perhaps by preventing
> include/parse directives altogether - or perhaps some unforeseen solution
> that is more well suited.
>
> Thanks for any tips.
>
> Tony Morris
> Software Engineer
> Gold Coast, Australia
>
>
>

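A sketch of the one-engine-per-user arrangement described in the reply above, added here as an illustration; it is not code from the thread or from the Velocity project. It assumes Velocity 1.5 or later, a hypothetical on-disk layout of /srv/templates/users/<userId> for private templates and /srv/templates/shared for the common ones, and that the user id comes from the application's own session rather than from anything the browser sends as a path.

```java
import java.io.File;
import java.io.StringWriter;
import java.util.Properties;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

/**
 * One VelocityEngine per user, whose file resource loader is rooted at that
 * user's private directory plus a shared read-only directory. A #parse or
 * #include in the user's template can then only name files under those roots.
 * Added example; the directory layout is an assumption, not part of the thread.
 */
public class PerUserVelocity {

    private static final File USER_ROOT = new File("/srv/templates/users");    // assumed layout
    private static final File SHARED_ROOT = new File("/srv/templates/shared"); // assumed layout

    /** Build an engine that can only see this user's directory and the shared one. */
    public static VelocityEngine engineFor(String userId) throws Exception {
        // The user id becomes part of the loader path, so only accept a plain
        // identifier; the allow-list pattern is an assumption for this example.
        if (!userId.matches("[A-Za-z0-9_-]{1,64}")) {
            throw new IllegalArgumentException("bad user id");
        }
        File userDir = new File(USER_ROOT, userId);
        // Defence in depth: the canonical directory must still sit under USER_ROOT.
        String rootPrefix = USER_ROOT.getCanonicalPath() + File.separator;
        if (!userDir.getCanonicalPath().startsWith(rootPrefix)) {
            throw new IllegalArgumentException("user directory escapes template root");
        }

        Properties p = new Properties();
        p.setProperty(RuntimeConstants.RESOURCE_LOADER, "file");
        // Comma-separated search path: the private directory first, then the shared one.
        p.setProperty(RuntimeConstants.FILE_RESOURCE_LOADER_PATH,
                      userDir.getCanonicalPath() + "," + SHARED_ROOT.getCanonicalPath());
        p.setProperty(RuntimeConstants.FILE_RESOURCE_LOADER_CACHE, "true");

        VelocityEngine ve = new VelocityEngine();
        ve.init(p);
        return ve;
    }

    /** Render templateName for userId with that user's own engine. */
    public static String render(String userId, String templateName, VelocityContext ctx)
            throws Exception {
        VelocityEngine ve = engineFor(userId);
        StringWriter out = new StringWriter();
        // templateName is resolved against the loader path above, nothing else.
        ve.mergeTemplate(templateName, "UTF-8", ctx, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", "Tony");
        // Expects /srv/templates/users/tony/page.vm (or shared/page.vm) to exist.
        System.out.println(render("tony", "page.vm", ctx));
    }
}
```

Initialising a VelocityEngine is not cheap, so in practice you would cache one per user rather than build one per request. Note also what this does and does not limit: it confines what the file loader will read for #parse and #include, but a template can still call any public method on the objects you put into the VelocityContext, so keep that context to plain data the user is entitled to see.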


Re: Velocity security

Posted by Will Glass-Husain <wg...@forio.com>.
This article is a pretty good start for security issues with Velocity.  Will
your users be uploading their own templates?  That's where it starts to get
messy.  I've a site with 1000's of user accounts each of whom can upload their
own templates.  It's possible but there are some issues.

http://wiki.apache.org/jakarta-velocity/BuildingSecureWebApplications

---
Will Glass-Husain
415-440-7500x89
wglass@forio.com


Quoting Shinobu Kawai <sh...@gmail.com>:

> Hi Tony,
> 
> > I had a bit of a fiddle with Velocity a while back, and I'm considering
> > using it in a J2EE project that is coming up. A requirement that I have is
> > that users should be able to submit their preferred format for rendering of
> > their web page, for which I thought Velocity would be entirely appropriate.
> 
> :)
> 
> > The issue I have is security-related. I had a look through the Velocity user
> > guide and the only real potential hole that I see is the use of the #parse
> > or #include directive. I shouldn't expect users will use this, but I need to
> > protect against it nonetheless (are there any other potential holes that I
> > can't see?).
> 
> I'll let you answer what risks you are considering to Malcolm.  ;)
> 
> > The user document talks about the 'TEMPLATE_ROOT' (what is that
> > exactly?) being the only place from which the referenced files can be
> > included/parsed,
> 
> The so-called 'TEMPLATE_ROOT' refers to wherever the ResourceLoader
> looks for templates.  It will depend on how you configure Velocity.
>     http://jakarta.apache.org/velocity/developer-guide.html#FAQ2
> 
> eg, if you use VelocityViewServlet, it will be the root directory of
> your webapp.
>     http://jakarta.apache.org/velocity/tools/view/index.html
> 
> I guess you could subclass VVS in VelocityTools 1.2-dev and create a
> one-VelocityEngine-per-user servlet to handle your requests.
> 
> > but I'm wondering if Velocity provides something to solve
> > what I believe would be a common problem, perhaps by preventing
> > include/parse directives altogether - or perhaps some unforeseen solution
> > that is more well suited.
> 
> I think there was a thread before about disabling directives.
> 
> Some more security issues are mentioned here:
>     http://wiki.apache.org/jakarta-velocity/HackingVelocity
> 
> Best regards,
> -- Shinobu
> 
> --
> Shinobu Kawai <sh...@gmail.com>
> 





Re: Velocity security

Posted by Shinobu Kawai <sh...@gmail.com>.
Hi Tony,

> I had a bit of a fiddle with Velocity a while back, and I'm considering
> using it in a J2EE project that is coming up. A requirement that I have is
> that users should be able to submit their preferred format for rendering of
> their web page, for which I thought Velocity would be entirely appropriate.

:)

> The issue I have is security-related. I had a look through the Velocity user
> guide and the only real potential hole that I see is the use of the #parse
> or #include directive. I shouldn't expect users will use this, but I need to
> protect against it nonetheless (are there any other potential holes that I
> can't see?).

I'll let you answer what risks you are considering to Malcolm.  ;)

> The user document talks about the 'TEMPLATE_ROOT' (what is that
> exactly?) being the only place from which the referenced files can be
> included/parsed,

The so-called 'TEMPLATE_ROOT' refers to wherever the ResourceLoader
looks for templates.  It will depend on how you configure Velocity.
    http://jakarta.apache.org/velocity/developer-guide.html#FAQ2

eg, if you use VelocityViewServlet, it will be the root directory of
your webapp.
    http://jakarta.apache.org/velocity/tools/view/index.html

I guess you could subclass VVS in VelocityTools 1.2-dev and create a
one-VelocityEngine-per-user servlet to handle your requests.

> but I'm wondering if Velocity provides something to solve
> what I believe would be a common problem, perhaps by preventing
> include/parse directives altogether - or perhaps some unforeseen solution
> that is more well suited.

I think there was a thread before about disabling directives.

Some more security issues are mentioned here:
    http://wiki.apache.org/jakarta-velocity/HackingVelocity

Best regards,
-- Shinobu

--
Shinobu Kawai <sh...@gmail.com>

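The "disabling directives" option Shinobu mentions, shown as an added example rather than code from the thread or from Velocity itself. It assumes Velocity 1.5 through 1.7, whose IncludeEventHandler interface has the three-argument includeEvent signature used here (the interface post-dates this 2005 discussion, and Velocity 2.x changed its signature). Returning null from the handler tells the #include and #parse directives to block the include, so a user-uploaded template cannot pull in any other file, whatever the loader path is.

```java
import java.io.StringWriter;
import java.util.Properties;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.app.event.IncludeEventHandler;
import org.apache.velocity.runtime.RuntimeConstants;

/**
 * Vetoes every #include and #parse in user-supplied templates by registering
 * an IncludeEventHandler engine-wide. Added example; assumes Velocity 1.5-1.7.
 */
public class NoIncludeVelocity implements IncludeEventHandler {

    /**
     * Called by the #include / #parse directives before a resource is loaded.
     * Returning null blocks the include; Velocity logs a warning and renders on.
     */
    public String includeEvent(String includeResourcePath,
                               String currentResourcePath,
                               String directiveName) {
        System.err.println("blocked #" + directiveName + " of '" + includeResourcePath
                           + "' from '" + currentResourcePath + "'");
        return null;
    }

    /** Evaluate a template string supplied by a user, with includes disabled. */
    public static String renderUntrusted(String userTemplate, VelocityContext ctx)
            throws Exception {
        Properties p = new Properties();
        // Engine-wide registration: applies to every merge/evaluate on this engine,
        // not only to contexts that carry an EventCartridge.
        p.setProperty(RuntimeConstants.EVENTHANDLER_INCLUDE,
                      NoIncludeVelocity.class.getName());
        VelocityEngine ve = new VelocityEngine();
        ve.init(p);

        StringWriter out = new StringWriter();
        // Third argument is only a log tag for error messages.
        ve.evaluate(ctx, out, "user-template", userTemplate);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", "Tony");
        // Constructed sample input: both directives are vetoed, the rest renders.
        String tpl = "Hello $name\n"
                   + "#include(\"web.xml\")\n"
                   + "#parse(\"other.vm\")\n"
                   + "Done\n";
        System.out.println(renderUntrusted(tpl, ctx));
    }
}
```

The handler can be made selective instead of absolute: return the path unchanged for names you want to allow (for example those ending in a particular suffix inside the user's own directory) and null for everything else. Either way it only governs #include and #parse; method calls on context objects are a separate concern and are what the HackingVelocity page linked above is about.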