Posted to commits@wicket.apache.org by "sergej m (JIRA)" <ji...@apache.org> on 2015/06/19 11:32:00 UTC

[jira] [Updated] (WICKET-5927) Velocity Remote Code Exception

     [ https://issues.apache.org/jira/browse/WICKET-5927?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

sergej m updated WICKET-5927:
-----------------------------
    Description: 
Hello,

Code can possibly be executed, using e.g. java.lang.Runtime.exec(String command), on the Wicket site.

http://www.wicket-library.com/wicket-examples/velocity/wicket/bookmarkable/org.apache.wicket.examples.velocity.TemplatePage?3

The server should use a secure config in org/apache/velocity/runtime/defaults/velocity.properties:

runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector

regards

Sergej Michel


  was:
Hello,

Code can possibly be executed, using e.g. java.lang.Runtime.exec(String command), on the Wicket site.

http://www.wicket-library.com/wicket-examples/velocity/wicket/bookmarkable/org.apache.wicket.examples.velocity.TemplatePage?3

regards

Sergej Michel



> Velocity Remote Code Exception
> ------------------------------
>
>                 Key: WICKET-5927
>                 URL: https://issues.apache.org/jira/browse/WICKET-5927
>             Project: Wicket
>          Issue Type: Bug
>          Components: site
>            Reporter: sergej m
>
> Hello,
> Code can possibly be executed, using e.g. java.lang.Runtime.exec(String command), on the Wicket site.
> http://www.wicket-library.com/wicket-examples/velocity/wicket/bookmarkable/org.apache.wicket.examples.velocity.TemplatePage?3
> The server should use a secure config in org/apache/velocity/runtime/defaults/velocity.properties:
> runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector
> regards
> Sergej Michel



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
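
One way to confirm that the setting named in the report takes effect, as an added example that is not part of the original message or of the Wicket project's code. It assumes the Velocity 1.x engine API on the classpath; the class name `UberspectCheck` and the probe template are constructed for illustration.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

public class UberspectCheck {
    // Property key and class name exactly as given in the report.
    static final String KEY = "runtime.introspector.uberspect";
    static final String SECURE =
            "org.apache.velocity.util.introspection.SecureUberspector";

    // Constructed, harmless probe: it reaches java.lang.Class through a
    // context object and calls a read-only method on it.
    static final String PROBE = "$s.getClass().getSimpleName()";

    // Renders the probe with either the default or the secure introspector.
    static String render(boolean secure) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        if (secure) {
            engine.setProperty(KEY, SECURE);
        }
        engine.init();

        VelocityContext ctx = new VelocityContext();
        ctx.put("s", "sample"); // constructed sample value
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "uberspect-check", PROBE);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String weak = render(false);
        String hardened = render(true);
        System.out.println("default introspector: " + weak);
        System.out.println("SecureUberspector   : " + hardened);

        // With the secure introspector the method call on java.lang.Class is
        // refused, so the reference stays unresolved and the template text
        // comes back unchanged. Anything else means the setting is not active.
        if (!PROBE.equals(hardened)) {
            throw new IllegalStateException(
                    "SecureUberspector not in effect: probe was resolved");
        }
    }
}
```

The same check can run as a startup or unit test in any application that evaluates templates it does not fully control.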