Posted to dev@velocity.apache.org by "Christopher Schultz (Commented) (JIRA)" <de...@velocity.apache.org> on 2012/01/09 19:50:39 UTC

[jira] [Commented] (VELTOOLS-150) VelocityLayoutServlet allows clients to specify "layout" without performing any security checks.

    [ https://issues.apache.org/jira/browse/VELTOOLS-150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13182702#comment-13182702 ] 

Christopher Schultz commented on VELTOOLS-150:
----------------------------------------------

I see us having several options, here:

1. Disable this feature
2. Make this feature optional and configurable, with the default being /disabled/
3. Lock down the process that allows certain paths to protect the webapp when this feature /is/ used

I think that #2 is a good idea in general: I suspect that most people don't actually use this feature, so disabling it will certainly eliminate this attack vector.

#3 might be touchy, since any file in a webapp - not just in WEB-INF or META-INF - could potentially be sensitive. It's a reasonable assumption that things in WEB-INF and META-INF should be protected by this particular feature, but it might not be straightforward since the "layout" directory is relative to the webapp, and then the layout selected by the request parameter will be relative to that. We may have to normalize the path and then compare it to known "sensitive" path prefixes. I'm not sure how to get the container to normalize a path for us, though. Maybe we just need to look for ".." in the layout name and ignore anything that looks like that. Suggestions are certainly welcome.

Certainly, templates or servlets, etc. themselves need to be exempt from these measures in case programmers want to use templates that are outside the norm: these security rules should probably only be applied when the layout is being selected from the request parameters. Request attributes, for instance, should be considered trusted.
                
> VelocityLayoutServlet allows clients to specify "layout" without performing any security checks.
> ------------------------------------------------------------------------------------------------
>
>                 Key: VELTOOLS-150
>                 URL: https://issues.apache.org/jira/browse/VELTOOLS-150
>             Project: Velocity Tools
>          Issue Type: Bug
>          Components: VelocityView
>    Affects Versions: 1.4, 2.0
>         Environment: Velocity 1.7, Velocity Tools 2.0.
> Confirmed also affects Velocity 1.4, Velocity Tools 1.4.
>            Reporter: Christopher Schultz
>            Priority: Critical
>              Labels: security
>
> For reference:
> http://markmail.org/thread/43cz2dymzmxjjrq5
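The "normalize, then compare against the layout directory and the sensitive prefixes" check sketched in option #3 above, written out as an added example. This is illustrative code and not part of Velocity Tools; it is in Python rather than the project's Java so the logic can be run stand-alone, and the directory name, prefix list and the `trusted` flag are assumptions standing in for the servlet's configuration and for the request-attribute vs. request-parameter distinction.

```python
import posixpath

# Constructed values for this example. The real servlet reads the layout
# directory from its configuration and the layout name from the "layout"
# request parameter; these names are assumptions, not Velocity Tools API.
LAYOUT_DIRECTORY = "layout/"
SENSITIVE_PREFIXES = ("/WEB-INF/", "/META-INF/")


def is_sensitive(path):
    """True if a normalized, webapp-relative path lies under a protected tree."""
    return any(path.upper().startswith(p) for p in SENSITIVE_PREFIXES)


def resolve_layout(name, layout_dir=LAYOUT_DIRECTORY, trusted=False):
    """Return the normalized webapp-relative path of a layout template,
    or None when a client-supplied name must be rejected.

    trusted=True skips the checks: a layout chosen by application code
    (e.g. via a request attribute) is not client-controlled.
    """
    if not name:
        return None
    # Treat backslashes as separators so "..\\WEB-INF" is not mistaken for
    # a plain file name (assumption: some containers accept both on Windows).
    candidate = name.replace("\\", "/")
    # Anchor the configured directory at the webapp root, normalized.
    base = posixpath.normpath("/" + layout_dir.strip("/"))
    prefix = base if base.endswith("/") else base + "/"
    if trusted:
        return posixpath.normpath(posixpath.join(prefix, candidate))
    # A leading slash would let the client leave the layout directory outright.
    if candidate.startswith("/"):
        return None
    # Normalize instead of scanning for "..": "a/../b" and "./b" collapse,
    # while a legitimate name such as "notes..draft.vm" is not rejected.
    resolved = posixpath.normpath(posixpath.join(prefix, candidate))
    # The resolved file must stay inside the layout directory ...
    if not resolved.startswith(prefix):
        return None
    # ... and must not land under WEB-INF or META-INF unless the layout
    # directory itself was deliberately configured there.
    if is_sensitive(resolved) and not is_sensitive(prefix):
        return None
    return resolved
```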
