[stringtemplate-interest] format="random string" harmful
Emond Papegaaij
e.papegaaij at student.utwente.nl
Mon Oct 2 01:23:49 PDT 2006
On Sunday 01 October 2006 23:57, Terence Parr wrote:
> I just realized that allowing the random format string to dictate
> which function to call on some formatter object is way too big of a
> hole. It is the same thing as Velocity that allows you to pass in a
> model and call random methods on it. Imagine:
>
> $"select * from Users"; format="query"$
>
> weird, but would call renderer.query("select * from Users"). Pass in
> a DB object and we have a problem.
Maybe you can prevent the user from passing in a DB object with the
renderer? For example by passing the renderers in as an un-instantiated
class. You then create the instance using the no-arg constructor. This
makes it possible to pass in anything else than just rendering code. Of
course it is still possible to access other code through static
references, but there's not much that can protect you from that.
Best regards,
Emond
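The dispatch hole Terence describes, beside the fix Emond sketches, as an added illustration that is not code from the original thread or from StringTemplate itself. The `Renderer`, `AttributeRenderer`, `SafeRenderer` and `instantiate` names are assumptions made for this example: the first half looks the format name up as a method via reflection, so a template can reach any public `String`-taking method on whatever object was handed in; the second half pins the renderer to one fixed interface with a closed table of format names, and takes a `Class` rather than an instance so the engine, not the caller, constructs it through the no-arg constructor.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.function.UnaryOperator;

public class FormatDispatchDemo {

    // Hypothetical renderer: one legitimate format plus a method that
    // stands in for a DB call a template must never be able to trigger.
    public static class Renderer {
        public String upper(String s) { return s.toUpperCase(); }
        public String query(String sql) { return "EXECUTED: " + sql; }
    }

    // Vulnerable shape: the format name written in the template picks the
    // method by name, so format="query" calls renderer.query(value).
    public static String renderReflective(Object renderer, String value, String format)
            throws Exception {
        Method m = renderer.getClass().getMethod(format, String.class);
        return (String) m.invoke(renderer, value);
    }

    // Hardened shape: renderers expose exactly one entry point and decide
    // themselves which format names exist. The name is data, not a method.
    public interface AttributeRenderer {
        String toString(Object o, String formatName);
    }

    public static class SafeRenderer implements AttributeRenderer {
        private static final Map<String, UnaryOperator<String>> FORMATS = Map.of(
                "upper", String::toUpperCase,
                "lower", String::toLowerCase);

        @Override
        public String toString(Object o, String formatName) {
            UnaryOperator<String> f = FORMATS.get(formatName);
            if (f == null) {
                throw new IllegalArgumentException("unknown format: " + formatName);
            }
            return f.apply(String.valueOf(o));
        }
    }

    // Emond's suggestion: the engine receives an un-instantiated class and
    // builds the renderer through its no-arg constructor, so a caller cannot
    // hand over a pre-built object that wraps a connection or other state.
    public static AttributeRenderer instantiate(Class<? extends AttributeRenderer> cls)
            throws ReflectiveOperationException {
        return cls.getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        String value = "select * from Users";   // constructed sample attribute

        // Reflective dispatch: the template author reaches query().
        System.out.println(renderReflective(new Renderer(), value, "query"));

        // Fixed interface: known format works, unknown format is rejected.
        AttributeRenderer safe = instantiate(SafeRenderer.class);
        System.out.println(safe.toString(value, "upper"));
        try {
            safe.toString(value, "query");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The closed `FORMATS` table is what actually removes the hole; constructing from a `Class` only keeps callers from smuggling state into the renderer, and, as Emond notes, a renderer class can still reach anything through static references, so the class itself still has to be trusted.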