[xwiki-devs] [proposal] Standardize a security specification.

Marius Dumitru Florea mariusdumitru.florea at xwiki.com
Fri Mar 25 09:01:31 UTC 2011

Hi Caleb,

On 03/25/2011 12:23 AM, Caleb James DeLisle wrote:
> Sometimes there is a grey area between a security vulnerability and a really nice feature. I think
> it is important that everyone understand what a user should be able to do and what a user should not
> be able to do since "that's not a bug, that's a feature" is cold comfort to a user who just
> discovered that his security requirements were not met. Also, having a standard laid down will allow
> us to better classify security issues if they are discovered (I can proudly say that we have
> improved here by leaps and bounds). I have a draft document which attempts to detail that line
> between bug and feature and I think it is time to move it into main space.
> http://dev.xwiki.org/xwiki/bin/view/Drafts/Security+Specifications

Indeed, we need such a document. A few remarks:

* 2.4 duplicates 2.2
* 7.3 is a bit confusing because until that point document title and 
document content are viewed separately (e.g. 5.2 and 5.3)
* 8.5 is not quite correct because you can instantiate and load classes 
from Velocity, but not directly. You can't use the new operator and you 
don't have access to the Java reflection API, but by simply writing:

#set($list = [1, 2, 3])

you are creating a new instance of ArrayList.


> Caleb
> _______________________________________________
> devs mailing list
> devs at xwiki.org
> http://lists.xwiki.org/mailman/listinfo/devs
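An added example (not from the list post, and not XWiki's or Velocity's own code) that makes the point above concrete: a template with no `new` and no reflection still obtains Java objects from literals, and the reachable `getClass()` on those objects is the pivot a sandbox must deny. The config lines in the comments name Velocity's `SecureUberspector` and its `introspector.restrict.*` properties as documented for Velocity 1.6/1.7; verify them against the version and uberspector actually deployed (XWiki ships its own), since the property names are assumed here rather than taken from the page.

```velocity
## Added example: literals instantiate classes even without 'new' or reflection.
## Parsing the literal creates a java.util.ArrayList behind the scenes.
#set($list = [1, 2, 3])
## A map literal creates a java.util.LinkedHashMap the same way.
#set($map = {"a": 1, "b": 2})

## Check: if the lines below render class names, getClass() is reachable
## from script and the template engine is NOT restricting introspection.
## A hardened engine renders them as literal text ($list.class.name) instead.
$list.class.name
$map.class.name

## Why this matters: from a java.lang.Class instance, forName() and
## getClassLoader() reach any loadable class, which is exactly what
## "no new operator, no reflection API" was supposed to rule out.
## The object literal is the feature; the Class pivot is the bug.

#*
  Mitigation (assumed config, velocity.properties; names per Velocity 1.6/1.7 docs):

  ## weak: default uberspector allows $obj.class and friends
  runtime.introspector.uberspect = org.apache.velocity.util.introspection.UberspectImpl

  ## corrected: refuse getClass()/getClassLoader() and methods on the
  ## restricted classes and packages listed below
  runtime.introspector.uberspect = org.apache.velocity.util.introspection.SecureUberspector
  introspector.restrict.packages = java.lang.reflect
  introspector.restrict.classes  = java.lang.Class, java.lang.ClassLoader, \
      java.lang.Runtime, java.lang.System, java.lang.Thread, java.lang.ThreadGroup
*#
```

Usage: drop the first block into a page rendered with the script rights under test and compare the output of the two `.class.name` lines against the expected `java.util.ArrayList` / `java.util.LinkedHashMap`; any rendered class name means the spec's "cannot instantiate or load classes" clause is not what the engine enforces, which is the distinction the draft should spell out.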
