12 Jun
2008
12 Jun
'08
9:54 a.m.
Hello,
Vincent Massol wrote:
Hi Lilianne,
They are content like any content file you put in your
webapp root.
For example you would put JSP files there. The Velocity template are
Well, yes and no. Users can't access .jsp sources, only what is
generated by them.
On the other hand these files are viewable, users see their code. Run
the hsqldb unzip-and-run version and check
http://localhost:8080/xwiki/templates/macros.vm - everything visible.
Of course there shouldn't be any 'secret' things inside them, like
passwords, but being able to view them might give someone an idea how to
attack the rest of the code. Think about the SQL injections - the more
you know about the code, the easier it is to try an sql injection
attack. If you see the html code the browser normally receives, they're
moderately difficult. If you see the .php source, even if it doesn't
contain any connection-specific data, it makes it much easier.
Of course it doesn't apply to an out-of-the-box XWiki as the source is
available anyway, but it can expose custom modifications.
As for .jsps, actually I do place them in /WEB-INF along with everything
else that doesn't absolutely have to be in / to work (like static
images, javascript, etc) behind a controller (Struts for example). And I
got the impression it's a pretty common practice.
Also, why do you say they are accessible (assuming you
mean writeable)
by everyone? AFAIK they are only accessible to those who have access
As in anyone-can-view-the-code, not as in writeable.
Thanks
-Vincent
Greetings, Lilianne