List:       velocity-dev
Subject:    [VELTOOLS] Patch for ChainedContext
From:       "Nathan Bubna" <nathan () esha ! com>
Date:       2003-01-15 6:42:06

And since i've been digging into the vel-tools code again, i was reminded of
this patch that never got committed.  To refresh:

This patch allows developers to essentially override or block the standard
$request, $response, $session, and $application context keys (or any
sensitive values in those objects' attributes).  This is desirable largely
for security purposes.  Some time back we had somebody on the list asking
how they could prevent so-called "evil template designers" from utilizing
the above objects for their nefarious schemes.

yeah, most people don't care or need this patch, but the request was
reasonable.  so, i created this patch to give the toolbox priority in
ChainedContext's search pattern.  this way, developers can either put a
dummy object to block access (a good one would be:
<data type="boolean"><key>request</key><value>false</value></data>) or they
can create a tool that acts as a wrapper around whatever they're trying to
protect and thus give limited access.

it's a simple patch, but it seemed to be ignored or otherwise forgotten last
time.  so, i'm giving it one more go...

Nathan Bubna
nathan@esha.com

["diff.tmp" (application/octet-stream)]
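
The lookup order described in the message above, as an added example that is not part of the original post or the VelocityTools source. `FakeRequest`, `LimitedRequestTool`, `lookup` and the `dbPassword` attribute are hypothetical names, and the search order is a simplified model built only from the message's description; it shows both options the message mentions, a dummy blocking entry and a wrapper tool.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of a chained context lookup (assumption, not ChainedContext itself).
public class ToolboxFirstDemo {
    // Hypothetical stand-in for the servlet request a template reaches via $request.
    static class FakeRequest {
        final Map<String, Object> attributes = new HashMap<>();
        String getRequestURI() { return "/catalog/index.vm"; } // constructed value
    }

    // Hypothetical wrapper tool: exposes the URI only, never the attribute map.
    static class LimitedRequestTool {
        private final FakeRequest wrapped;
        LimitedRequestTool(FakeRequest wrapped) { this.wrapped = wrapped; }
        public String getRequestURI() { return wrapped.getRequestURI(); }
    }

    // Resolve a template key. With toolboxFirst the toolbox shadows the built-in
    // "request" key and request attributes; without it the toolbox is searched last.
    static Object lookup(String key, Map<String, Object> toolbox,
                         FakeRequest request, boolean toolboxFirst) {
        if (toolboxFirst && toolbox.containsKey(key)) return toolbox.get(key);
        if (key.equals("request")) return request;
        Object attr = request.attributes.get(key);
        if (attr != null) return attr;
        return toolboxFirst ? null : toolbox.get(key);
    }

    public static void main(String[] args) {
        FakeRequest request = new FakeRequest();
        request.attributes.put("dbPassword", "constructed-secret"); // constructed sample

        Map<String, Object> blocking = new HashMap<>();
        blocking.put("request", Boolean.FALSE);    // the dummy entry from the message
        blocking.put("dbPassword", Boolean.FALSE); // hides one sensitive attribute

        Map<String, Object> wrapping = new HashMap<>();
        wrapping.put("request", new LimitedRequestTool(request));

        // Toolbox searched last: the template still receives the raw request object.
        System.out.println(lookup("request", blocking, request, false).getClass().getSimpleName());
        // Toolbox searched first: the dummy values win for both keys.
        System.out.println(lookup("request", blocking, request, true));
        System.out.println(lookup("dbPassword", blocking, request, true));
        // Toolbox searched first with a wrapper: limited access instead of none.
        System.out.println(lookup("request", wrapping, request, true).getClass().getSimpleName());
    }
}
```

Blocking by name only covers the keys that are listed, so every sensitive attribute key has to be shadowed individually, while the wrapper approach limits exposure to the methods the tool chooses to publish.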
