So, this is the responsibility of the programmer to control the access to
his code... This is quite free but requires a good knowledge about what you
do...
(I wonder whether providing the {{include}} macros would bring much more
dangerous issues in this case apart from the memory issue you evoked)
Does parseGroovy take care about not duplicating script parsing to prevent
the groovy parser from plundering memory?
I need to think about all of this because Groovy integrated in xwiki with
velocity also is so powerful to my mind that it might be worth digging
into it...
Pascal
On Tue, Aug 5, 2008 at 10:21 AM, Ludovic Dubost <ludovic(a)xwiki.org> wrote:
Pascal Voitot wrote:
I agree with you, this is not simple in this context.
Anyway, I have a question:
Groovy is programmed by a programmer with special rights but it can be
executed by anyone. Am I right? (apparently this is the default behaviour I
can see)
What prevents anyone with edit rights from adding $xwiki.parseGroovy in his
velocity script (do you need programming rights for this)?
The groovy script needs to be owned by a programmer. This is the
responsibility of the programmer to do a groovy script that is secure or
to do checkProgrammingRights himself in his code. If he does then the
page doing parseGroovyFromPage needs programming rights.
parseGroovyFromString always needs programming rights.
Moreover if you put in a document something like this:
{pre}
<%
I do some groovy things
%>
{/pre}
then in another one you put
# some velocity things
$xwiki.getDocument("GroovyDoc").getContent()
# some other things
Is the groovy simply injected here and executed when someone with default
rights accesses the last doc? (Apparently with default rights, that's what
happened... I may have missed something)
The page needs to be owned by a privileged user for the groovy to be
parsed. Mixing velocity with groovy is dangerous, because you could beat
the groovy cache if the script passed to groovy is different on every
evaluation. This can lead to high memory usage.
Ludovic
--
Ludovic Dubost
Blog:
http://blog.ludovic.org/
XWiki:
http://www.xwiki.com
Skype: ldubost GTalk: ldubost
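A toy model of the two points Ludovic makes (the script page must be owned by a programmer, and Velocity rewriting the script text on every render defeats a cache keyed on that text). This is an added illustration, not XWiki code; the class and method names, the LRU bound and the sample script strings are all assumptions made for the model.

```python
# Toy model (not XWiki code): a Groovy page is only parsed when its owner holds
# programming rights, and a cache keyed on script text grows without bound when
# Velocity interpolates a different value into the source on every evaluation.
from collections import OrderedDict

class User:
    def __init__(self, name, programming_rights=False):
        self.name, self.programming_rights = name, programming_rights

class Page:
    # 'owner' stands for the user who last saved the page; the script runs
    # with the owner's rights, not the reader's (assumption of this model).
    def __init__(self, name, content, owner):
        self.name, self.content, self.owner = name, content, owner

class GroovyEngine:
    def __init__(self, max_cached=None):
        self.cache = OrderedDict()    # script text -> "compiled" object
        self.parses = 0               # how many times the parser really ran
        self.max_cached = max_cached  # None reproduces an unbounded cache

    def parse(self, source):
        if source in self.cache:          # identical text: served from cache
            self.cache.move_to_end(source)
            return self.cache[source]
        self.parses += 1
        self.cache[source] = f"compiled[{len(source)} chars]"
        if self.max_cached is not None and len(self.cache) > self.max_cached:
            self.cache.popitem(last=False)  # evict least recently used entry
        return self.cache[source]

    def parse_groovy_from_page(self, page):
        # The reader's rights are irrelevant; the page owner must be a programmer.
        if not page.owner.programming_rights:
            raise PermissionError(f"{page.name} is not owned by a programmer")
        return self.parse(page.content)

    def parse_groovy_from_string(self, source, caller):
        # Arbitrary strings always require programming rights from the caller.
        if not caller.programming_rights:
            raise PermissionError(f"{caller.name} lacks programming rights")
        return self.parse(source)

def velocity_mixing(engine, evaluations):
    """Each Velocity render puts a changing value into the Groovy source, so no
    two evaluations share a cache key. Returns (cache size, parser runs)."""
    for i in range(evaluations):
        engine.parse(f"println 'request {i}'")  # constructed per-render script
    return len(engine.cache), engine.parses
```

With `max_cached=None` the cache holds one entry per request, which is the memory growth the reply warns about; a bounded cache caps the size but still re-parses every time.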