25 Mar
2011
25 Mar
'11
4:53 p.m.
On 03/25/2011 04:17 PM, Caleb James DeLisle wrote:
On 03/25/2011 05:01 AM, Marius Dumitru Florea wrote:
+1
Hi Caleb,
On 03/25/2011 12:23 AM, Caleb James DeLisle wrote:
Thanks, I fixed that.
Sometimes there is a grey area between a security
vulnerability and a really nice feature. I think
it is important that everyone understand what a user should be able to do and what a user
should not
be able to do since "that's not a bug, that's a feature" is cold
comfort to a user who just
discovered that his security requirements were not met. Also, having a standard laid down
will allow
us to better classify security issues if they are discovered (I can proudly say that we
have
improved here by leaps and bounds) I have a draft document which attempts to detail that
line
between bug and feature and I think it is time to move it into main space.
http://dev.xwiki.org/xwiki/bin/view/Drafts/Security+Specifications
WDYT?
Indeed, we need such a document. A few remarks:
* 2.4 duplicates 2.2 * 7.3 is a bit confusing because until that point
document title and
document content are viewed separately (e.g. 5.2 and 5.3)
I have tentatively
changed that to:
* 7.3 When viewing a document, the document's title is part of Document Content and
has the same
power. Anywhere else in the wiki, the document title must not have any powers which are
not
available to a [[comment>>#comment]].
WDYT? * 8.5 is not quite correct because you can
instantiate and load classes
from velocity but not directly. You can't use the new operator and you
don't have access to the Java reflection API but by simply writing:
#set($list = [1, 2, 3])
you are creating a new instance of ArrayList.
I added a * to that line and at the bottom:
~* Velocity allows for the instantiation of HashMap, ArrayList, and String objects and
velocity
scripts can call Java APIs which may return newly instantiated objects.
Look ok?
Yep.
Thanks,
Marius
Caleb
Thanks,
Marius
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
Caleb
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs