You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by mg...@apache.org on 2015/06/24 14:58:41 UTC
[35/50] [abbrv] wicket git commit: WICKET-5927 Velocity Remote Code
Exception
WICKET-5927 Velocity Remote Code Exception
Use custom velocity.properties for wicket-examples that is more strict and doesn't allow usage of class loaders
(cherry picked from commit 3e418cd4a22b1af3a854cfb994166b40f53915d3)
Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/c841084b
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/c841084b
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/c841084b
Branch: refs/heads/master
Commit: c841084be8af560f55ad10883964314ea4ff0274
Parents: dea6c08
Author: Martin Tzvetanov Grigorov <mg...@apache.org>
Authored: Fri Jun 19 14:15:20 2015 +0300
Committer: Martin Tzvetanov Grigorov <mg...@apache.org>
Committed: Wed Jun 24 14:56:34 2015 +0300
----------------------------------------------------------------------
.../main/webapp/META-INF/velocity.properties | 167 +++++++++++++++++++
wicket-examples/src/main/webapp/WEB-INF/web.xml | 5 +
2 files changed, 172 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/wicket/blob/c841084b/wicket-examples/src/main/webapp/META-INF/velocity.properties
----------------------------------------------------------------------
diff --git a/wicket-examples/src/main/webapp/META-INF/velocity.properties b/wicket-examples/src/main/webapp/META-INF/velocity.properties
new file mode 100644
index 0000000..acef282
--- /dev/null
+++ b/wicket-examples/src/main/webapp/META-INF/velocity.properties
@@ -0,0 +1,167 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#----------------------------------------------------------------------------
+# These are the default properties for the
+# Velocity Runtime. These values are used when
+# Runtime.init() is called, and when Runtime.init(properties)
+# fails to find the specificed properties file.
+#----------------------------------------------------------------------------
+
+#----------------------------------------------------------------------------
+# R U N T I M E L O G
+#----------------------------------------------------------------------------
+
+#----------------------------------------------------------------------------
+# default LogSystem to use: default: AvalonLogSystem
+#----------------------------------------------------------------------------
+
+#runtime.log.logsystem.class = org.apache.velocity.runtime.log.AvalonLogSystem,org.apache.velocity.runtime.log.SimpleLog4JLogSystem
+runtime.log.logsystem.class = org.apache.velocity.runtime.log.SimpleLog4JLogSystem
+
+#---------------------------------------------------------------------------
+# This is the location of the Velocity Runtime log.
+#----------------------------------------------------------------------------
+
+runtime.log = velocity.log
+
+#----------------------------------------------------------------------------
+# This controls if Runtime.error(), info() and warn() messages include the
+# whole stack trace. The last property controls whether invalid references
+# are logged.
+#----------------------------------------------------------------------------
+
+runtime.log.error.stacktrace = false
+runtime.log.warn.stacktrace = false
+runtime.log.info.stacktrace = false
+runtime.log.invalid.reference = true
+
+#----------------------------------------------------------------------------
+# Configuration for the Log4JLogSystem.
+# You must define the runtime.log.logsystem.class property to be:
+# org.apache.velocity.runtime.log.Log4JLogSystem
+#
+# You must also include Log4J's .jar files into your classpath. They are
+# included with the Velocity distribution in the build/lib directory.
+#
+# There are several different options that you can configure.
+# Uncomment the ones that you want and also define their settings.
+#----------------------------------------------------------------------------
+runtime.log.logsystem.log4j.pattern=%d - %m%n
+runtime.log.logsystem.log4j.file.size=100000
+runtime.log.logsystem.log4j.file.backups=1
+#runtime.log.logsystem.log4j.syslogd.host=my.syslog.server.com
+#runtime.log.logsystem.log4j.syslogd.facility=LOG_DAEMON
+#runtime.log.logsystem.log4j.remote.host=my.remote.server.com
+#runtime.log.logsystem.log4j.remote.port=1099
+#runtime.log.logsystem.log4j.email.server=localhost
+#runtime.log.logsystem.log4j.email.from=root@localhost
+#runtime.log.logsystem.log4j.email.to=root@localhost
+#runtime.log.logsystem.log4j.email.subject=Velocity Error Report
+#runtime.log.logsystem.log4j.email.buffer.size=512
+
+#----------------------------------------------------------------------------
+# T E M P L A T E E N C O D I N G
+#----------------------------------------------------------------------------
+
+input.encoding=ISO-8859-1
+output.encoding=ISO-8859-1
+
+#----------------------------------------------------------------------------
+# F O R E A C H P R O P E R T I E S
+#----------------------------------------------------------------------------
+# These properties control how the counter is accessed in the #foreach
+# directive. By default the reference $velocityCount will be available
+# in the body of the #foreach directive. The default starting value
+# for this reference is 1.
+#----------------------------------------------------------------------------
+
+directive.foreach.counter.name = velocityCount
+directive.foreach.counter.initial.value = 1
+
+#----------------------------------------------------------------------------
+# I N C L U D E P R O P E R T I E S
+#----------------------------------------------------------------------------
+# These are the properties that governed the way #include'd content
+# is governed.
+#----------------------------------------------------------------------------
+
+directive.include.output.errormsg.start = <!-- include error :
+directive.include.output.errormsg.end = see error log -->
+
+#----------------------------------------------------------------------------
+# P A R S E P R O P E R T I E S
+#----------------------------------------------------------------------------
+
+directive.parse.max.depth = 10
+
+#----------------------------------------------------------------------------
+# T E M P L A T E L O A D E R S
+#----------------------------------------------------------------------------
+#
+#
+#----------------------------------------------------------------------------
+
+resource.manager.logwhenfound=true
+resource.loader=file,class
+
+file.resource.loader.description=Velocity File Resource Loader
+file.resource.loader.class=org.apache.velocity.runtime.resource.loader.FileResourceLoader
+file.resource.loader.path=.
+file.resource.loader.cache=false
+file.resource.loader.modificationCheckInterval=1
+
+class.resource.loader.description=Velocity Classpath Resource Loader
+class.resource.loader.class=org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
+class.resource.loader.cache=false
+class.resource.loader.modificationCheckInterval=1
+
+
+#----------------------------------------------------------------------------
+# VELOCIMACRO PROPERTIES
+#----------------------------------------------------------------------------
+# global : name of default global library. It is expected to be in the regular
+# template path. You may remove it (either the file or this property) if
+# you wish with no harm.
+#----------------------------------------------------------------------------
+#velocimacro.library = /WEB-INF/VM_global_library.vm
+
+velocimacro.permissions.allow.inline = true
+velocimacro.permissions.allow.inline.to.replace.global = false
+velocimacro.permissions.allow.inline.local.scope = false
+
+velocimacro.context.localscope = false
+
+#----------------------------------------------------------------------------
+# INTERPOLATION
+#----------------------------------------------------------------------------
+# turn off and on interpolation of references and directives in string
+# literals. ON by default :)
+#----------------------------------------------------------------------------
+runtime.interpolate.string.literals = true
+
+#----------------------------------------------------------------------------
+# RESOURCE MANAGEMENT
+#----------------------------------------------------------------------------
+# Allows alternative ResourceManager and ResourceCache implementations
+# to be plugged in.
+#----------------------------------------------------------------------------
+resource.manager.class = org.apache.velocity.runtime.resource.ResourceManagerImpl
+resource.manager.cache.class = org.apache.velocity.runtime.resource.ResourceCacheImpl
+
+
+# WICKET-5927
+runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector
+runtime.references.strict=true
http://git-wip-us.apache.org/repos/asf/wicket/blob/c841084b/wicket-examples/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/wicket-examples/src/main/webapp/WEB-INF/web.xml b/wicket-examples/src/main/webapp/WEB-INF/web.xml
index ec23694..fb326f9 100644
--- a/wicket-examples/src/main/webapp/WEB-INF/web.xml
+++ b/wicket-examples/src/main/webapp/WEB-INF/web.xml
@@ -45,6 +45,11 @@
<param-value>deployment</param-value>
</context-param>
+ <context-param>
+ <param-name>velocityPropertiesFolder</param-name>
+ <param-value>/META-INF/</param-value>
+ </context-param>
+
<filter>
<filter-name>HomePageApplication</filter-name>
<filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>