Tuesday, 9 March 2021

PROBLEM:

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

This issue has been assigned CVE-2020-13936.

WORKAROUND:

Applications using Apache Velocity that allow untrusted users to upload templates should upgrade to version 2.3. This version adds additional default restrictions on what methods/properties can be accessed in a template.

ACKNOWLEDGEMENTS: This issue was discovered by Alvaro Munoz pwntester@github.com of Github Security Labs and was originally reported as GHSL-2020-048.

Tuesday, 9 March 2021

PROBLEM:

The default error page for VelocityView reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed.

XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

This issue has been assigned CVE-2020-13959.

WORKAROUND:

Applications based on Apache Velocity Tools should upgrade to version 3.1. This version escapes the reflected text on the default error page, preventing potential javascript execution.

ACKNOWLEDGEMENTS: This issue was reported and a patch was submitted by Jackson Henry, member of Sakura Samurai.

Saturday, 27 February 2021

The Velocity developers are pleased to announce the release of Velocity Tools 3.1.

VelocityTools is a collection of Velocity subprojects with a common goal of providing tools and infrastructure for building both web and standalone applications using the Apache Velocity template engine.

Main changes:

* Added an optional 'factory' attribute to tools with the classname of a factory for creating new tools instances.

* Added a new BreadcrumbTool meant to help displaying UI breadcrumb trails.

* Fix potential XSS vulterability in VelocityViewServlet error handling.

For a full list of changes, consult Velocity Tools 3.1 Changes section and JIRA changelog.

For notes on upgrading from earlier versions, see Velocity Tools 3.1 Upgrading section.

Downloads of Velocity Tools 3.1 are available here.

Saturday, 27 February 2021

The Velocity developers are pleased to announce the release of Velocity Engine 2.3.

Main changes in this release:

+ Fix a minor security issue in user-edited templates applications: let SecureUberspector block methods on ClassLoader and subclasses.

+ New spring-velocity-support module for Velocity Engine integration in Spring Framework.

For a full list of changes, consult Velocity Engine 2.3 Changes section and JIRA changelog.

For notes on upgrading, see Velocity Engine 2.3 Upgrading section.

Downloads of 2.3 are available here.

Sunday, 2 February 2020

The Velocity developers are pleased to announce the release of Velocity Engine 2.2.

Main changes in this release:

+ New runtime.log.track_locations debugging configuration flag which displays the VTL stack trace in the logs in cases of errors, and populates slf4j MDC tags about position in VTL templates.

+ New example of how to build a customized VTL parser where the '#', '$', '*' and '@' characters can be replaced by alternate characters.

+ New backward compatibility flags to mimic 1.7.x event handlers and velicomacros behaviors.

For a full list of changes, consult Velocity Engine 2.2 Changes section and JIRA changelog.

For notes on upgrading, see Velocity Engine 2.2 Upgrading section.

Downloads of 2.2 are available here.

Sunday, 31 March 2019

The Velocity developers are pleased to announce the release of Velocity Engine 2.1.

Main changes in this release:

+ New VTL syntax: alternate reference values: ${foo|'foo'} evaluates to 'foo' whenever boolean evaluation of $foo is false.

+ New VTL syntax: Default block for empty loops: #foreach($i in $collection) ... #else nothing to display #end

+ Two more Engine 1.7 backward compatibility flags, parser.allow_hyphen_in_identifier and velocimacro.arguments.literal

+ Velocity Engine 2.1 now requires Java 1.8+.

For a full list of changes, consult Velocity Engine 2.1 Changes section and JIRA changelog.

For notes on upgrading, see Velocity Engine 2.1 Upgrading section.

Downloads of 2.1 are available here.

Tuesday, 9 October 2018

The Velocity developers are pleased to announce the release of Velocity Tools 3.0.

VelocityTools is a collection of Velocity subprojects with a common goal of providing tools and infrastructure for building both web and standalone applications using the Apache Velocity template engine.

Velocity Tools 3.0 brings a few new context tools (CollectionTool, JsonTool) and bugfixes along with a complete rewrite for some other tools (BrowserTool, ImportTool, XmlTool). It now uses Velocity Engine 2.0 and SLF4J.

For a complete list of changes, please visit the Velocity Tools 3.0 releases notes.

For notes on upgrading from Velocity Engine 1.x and Velocity Tools 2.0, see Velocity Engine 2.0 Upgrading section and Velocity Tools 3.0 Upgrading section.

Downloads of Velocity Tools 3.0 are available here.

Sunday, 6 August 2017

The Velocity developers are pleased to announce the release of Velocity Engine 2.0.

Among the main new features and enhancements:

+ Logging to the SLF4J logging facade.

+ Configurable whitespace gobbling.

+ Method arguments and array subscripts can now be arithmetic expressions.

+ Configurable method arguments conversion handler with automatic conversions between booleans, numbers, strings and enums.

+ Significant reduction of the memory consumption.

+ JSR-223 Scripting Engine implementation.

For a full list of changes, consult Velocity Engine 2.0 Changes section and JIRA changelog.

For notes on upgrading from Velocity 1.x, see Velocity Engine 2.0 Upgrading section.

Note for Velocity Tools users: Velocity Tools 3.0 shall soon be released. Meanwhile, you are encouraged to use the Velocity Tools 3.x last snapshot (see Velocity Tools 3.x Upgrading notes).

Downloads of 2.0 are available here.

Monday, 29 November 2010

The Velocity developers are pleased to announce the release of Velocity Engine 1.7.

Since 1.6, there has been a lot of work: #@body()content#end, #[[literal content]]#, major namespacing changes, $newListSyntax[$i], and more. Please see the change log for details!

Since 1.7-beta1, we fixed, VELOCITY-785, VELOCITY-766, VELOCITY-760, and VELOCITY-753. We also added access to current template and directive debugging info through $<foo>.info (where <foo> is the namespace you are seeking info about).

For more details on these, again, see the change log.

Downloads of 1.7 are available here. This is a drop-in replacement for Velocity 1.6, however, it also begins the transition to 2.0 features. Users upgrading should expect deprecation warnings in their logs.

Monday, 10 May 2010

The Velocity developers are very pleased to make VelocityTools 2.0 available for download. This should be useable as a drop in replacement for Tools 1.4 or Tools 2.0-beta4, with a few minor exceptions. The 2.x series of VelocityTools requires Velocity 1.6 and JDK 1.5+.

Since the last beta release, there have been a variety of enhancements. Here's the notable ones:

* Added a 'readOnly' config option to allow write operations on ValueParser and ParameterTool when set to false

* Added a beta-quality UiDependencyTool (included in velocity-view, but not in default tools.xml)

* Added an alpha-quality MarkupTool (included in generic tools, but not in default tools.xml)

* Fixed (as much as possible) some significant last-iteration LoopTool problems, and added a getThis() method as a more reliable workaround in nested loops. See VELTOOLS-124.

* VelocityLayoutServlet now checks request attributes for non-default layouts.

* The velocity-view.tld is now valid.

* VelocityView[Servlet] have improved exception and http management (particularly for ResourceNotFoundExceptions).

* Miscellaneous documentation and build.xml improvements The Velocity developers are very interested in all feedback regarding Tools 2.0, especially regarding backwards compatibility with apps designed for Tools 1.4 or earlier. We aim to enable a smooth, incremental transition for developers and their applications.

Downloads of Tools 2.0 are available here.

Monday, 10 May 2010

The Velocity developers would like to announce the release of Velocity Engine 1.6.4.

This release provides two small bugfixes and one critical fix. The critical fix resolves a 100% CPU loop hang under simultaneous HashMap calls in our ClassMap implementation due to a classic bug in Sun's implementation. We now use ConcurrentHashMap when available and Hashtable otherwise. It's also important to note that the auto-init feature is now only supported with Java 1.5+.

For more information, see VELOCITY-717, VELOCITY-750, and VELOCITY-718, .

Downloads of 1.6.4 are available here. This is a drop-in replacement for Velocity 1.6.3.

Friday, 16 April 2010

The Velocity developers would like to announce the release of Velocity Engine 1.7-beta1.

Since 1.6, there has been a lot of work. Here's an overview:

* Support macro bodies. Just call them like this: #@foo() body content #end

* Can now escape single and double quotes in strings by doubling them

* Added #[[this is included in the output but not parsed]]# syntax to replace #literal

* All #set calls are now global by default; no more implicit local namespaces (not that there were well functioning ones before). To #set a local variable, use the new provided namespaces: $foreach, $macro, $template, $evaluate, $define and $foo (would exist inside the body of #@foo() #end). These must now be used to #set any variable "locally" like this: #set( $macro.mylocal = 'foo' ). When nested, access to parent namespaces is similarly explicit (e.g. $macro.parent). Please see the change log for details.

* Enhanced #break to function anywhere and optionally accept a namespace argument when you want to break beyond the nearest scope. (e.g. #break( $macro ))

* Added bracketed index syntax: $foo[0] or #set( $foo[0] = 1 )

* #stop now ends rendering/execution of a template, not parsing of a template

* OSGI-ready manifests are now provided in the jars

* A variety of small bugfixes, performance boosts and better exceptions/logging.

* Removed very obsolete Veltag and WebMacro conversion code.

For more details on these, see the change log.

Downloads of 1.7-beta1 are available here. This should work as a drop-in replacement for Velocity 1.6.3 in most cases. Users of $velocityCount, $velocityHasNext and #literal should take note of their deprecations. Users of #stop and #break should be aware of significant changes to those features.

Wednesday, 16 December 2009

The Velocity developers would like to announce the release of Velocity Engine 1.6.3.

This release provides users the ability to revert to the previous #if behavior, which did not call toString() in order to check its status. This results in inconsistent reference treatment, but offers much superior performance in cases where toString() is an expensive operation. To enable this reversion, set the "directive.if.tostring.nullcheck" property to false in your velocity.properties. This should restore performance of the #if directive to previous levels.

For more information, see VELOCITY-731.

Downloads of 1.6.3 are available here. This is a drop-in replacement for Velocity 1.6.2.

Thursday, 19 March 2009

The Velocity developers would like to announce the release of Velocity Engine 1.6.2.

This release fixes the behaviour of $velocityHasNext (VELOCITY-651 and VELOCITY-658), resolves some regression bugs (VELOCITY-667, VELOCITY-681, VELOCITY-701), and fixes two problems with resource loaders (VELOCITY-693, VELOCITY-702). It is a drop-in replacement for Velocity 1.6.1.

Downloads of 1.6.2 are available here.

Wednesday, 27 May 2009

The Velocity developers are pleased to make a fourth beta release of VelocityTools 2.0 available for download. This should be useable as a drop in replacement for Tools 1.4 or Tools 2.0-beta3, with a few minor exceptions. The 2.x series of VelocityTools requires Velocity 1.6 and JDK 1.5+.

Since the last beta release, there have been a number of significant fixes and enhancements. Here's the key ones:

* Tools references are no longer read-only by default

* LinkTool double-encoding problem is fixed

* Upgraded to depend on Engine 1.6.2

* Deprecated ListTools due to irrelevance in Engine 1.6.x

* ResourceTool now gives access to bundle keys

* MultiViewsTool was changed into new, better IncludeTool

* Added syntactical sugar to CookieTool

* Multiple new methods contributed for DisplayTool

* Added the WebappUberspector for natural #set of attributes in webapp scopes (e.g. #set( $request.foo = 'bar' ))

* Refactored JeeConfig to be an interface The Velocity developers are very interested in all feedback regarding Tools 2.0, especially regarding backwards compatibility with apps designed for Tools 1.4 or earlier. We aim to enable a smooth, incremental transition for developers and their applications.

Downloads of Tools 2.0-beta4 are available here.

Monday, 15 December 2008

The Velocity developers would like to announce the release of Velocity Engine 1.6.1.

This release fixes the method reflection problems discovered in VELOCITY-651 and an macro argument bug identified in (VELOCITY-615). It is a drop-in replacement for Velocity 1.6.

Downloads of 1.6.1 are available here.

Monday, 1 December 2008

The Velocity developers are very pleased to announce the release of Velocity Engine 1.6.

This release contains numerous fixes, features and improvements. Please see the change log for a full listing. This should be a drop-in replacement for Velocity 1.5.

Highlights in this release include:

* Dramatically improved performance

* New core directives: #evaluate, #define, and #break

* Support for vararg method calls

* Long requested ability to #parse( 'mymacros.vm' )

* Ability to call methods like size() and get(int) on arrays

Downloads of Engine 1.6 are available here.

Monday, 1 December 2008

The Velocity developers are pleased to make the third beta release of VelocityTools 2.0 available for download. This should be useable as a drop in replacement for Tools 1.4 or Tools 2.0-beta2, with a few minor exceptions. The 2.x series of VelocityTools also requires both Velocity 1.5+ and JDK 1.5+.

Since the last beta release, there have been a number of small fixes, additional features (like caching for VelocityViewTag), and especially, improvements in the extensibility of VelocityView. The Velocity developers are very interested in all feedback regarding Tools 2.0, especially regarding backwards compatibility with apps designed for Tools 1.4 or earlier. We aim to enable a smooth, incremental transition for developers and their applications.

Downloads of Tools 2.0-beta3 are available here.

Monday, 27 October 2008

The Velocity developers are very pleased to make the seconde beta release of Velocity Engine 1.6 available for download.

This release contains many bugfixes and a new "strict reference mode" feature. Please see the change log for a full listing. This should be a drop-in replacement for Velocity 1.5 or Velocity 1.6-beta1.

Downloads of Tools 1.6-beta2 are available here.

Monday, 22 September 2008

The Velocity developers are very pleased to make the first beta release of Velocity Engine 1.6-beta1 available for download.

This release contains many bugfixes, new features and drastic performance improvements. Please see the change log for a full listing. This should be a drop-in replacement for Velocity 1.5.

Downloads of Tools 1.6-beta1 are available here.

Friday, 11 July 2008

The Velocity developers are pleased to make the second beta release of VelocityTools 2.0 available for download. Major development in VelocityTools 2.0 has completed, and the focus has been on fixing the remaining bugs and providing a clear migration path for users of VelocityTools 1.x. Significant new features in 2.0 include very flexible, composable toolbox configuration (via either java, xml, and/or properties), lazy-loading/initialization of tools, the VelocityViewTag for embedding Velocity within JSP, simplified embedding of VelocityTools in other frameworks, an assortment of new and improved tools, and much more. This should be useable as a drop in replacement for Tools 1.4, with a few minor exceptions where things already deprecated earlier in 1.x have been removed. The 2.x series of VelocityTools also requires both Velocity 1.5+ and JDK 1.5+.

At this point, the new tool management and configuration facilities are extremely stable and useable. Documentation has continued to improve dramatically and is nearing completion. There are no open or known bugs in this release nor significant changes anticipated before 2.0 final is released. We are also more than happy to answer questions on the mailing lists. More information on the changes between Tools 1.x and 2.x may be found here. The Velocity developers are very interested in all feedback regarding Tools 2.0, especially regarding backwards compatibility with apps designed for Tools 1.4 or earlier. We aim to enable a smooth, incremental transition for developers and their applications.

Downloads of Tools 2.0-beta2 are available here.

Wednesday, 26 December 2007

The Velocity developers are pleased to make the first beta release of VelocityTools 2.0 available for download and testing. This release marks the completion of major development in VelocityTools 2.0, which is now the main development trunk. Significant new features in 2.0 include very flexible, composable toolbox configuration (via either java, xml, and/or properties), lazy-loading/initialization of tools, the VelocityViewTag for embedding Velocity within JSP, an assortment of new and improved tools, and much more. This should be useable as a drop in replacement for Tools 1.4, with a few minor exceptions where things already deprecated earlier in 1.x have been removed. This also is the first Tools release to require both Velocity 1.5+ and JDK 1.5+.

At this point, the new tool management and configuration facilities are extremely stable and useable. Documentation has been radically improved since the alpha release, though more work remains there before 2.0 final is released. There are no open or known bugs in this release and encourage further testing (especially of the library's backwards compatibility) as we progress rapidly toward the 2.0 release. We are also more than happy to answer questions on the mailing lists. More information on the changes between Tools 1.x and 2.x may be found here. The Velocity developers are very interested in all feedback regarding Tools 2.0, especially regarding backwards compatibility with apps designed for Tools 1.4 or earlier. We aim to enable a smooth, incremental transition for developers and their applications.

Downloads of Tools 2.0-beta1 are available here.

Monday, 26 November 2007

The VelocityTools developers are pleased to announce the release of VelocityTools 1.4. There have been many important bug fixes since the 1.3 release and a handful of new features. While important, the overall slate of changes is small compared to previous releases due to the rapid progress of the upcoming 2.0 version. This is expected to be the last release of the 1.x series, as 2.0 is both superior and backwards compatible.

New features in VelocityTools 1.4 include more configurability for NumberTool and DateTool, the new ComparisonDateTool, and new abilities for EscapeTool and LinkTool. For a full listing of new features and bug fixes please see the change log.

Downloads are available here.

Monday, 13 August 2007

The Velocity developers are pleased to make the release of DVSL 1.0 available for download and testing. This release fixes an incompatibility between DVSL 0.x and Velocity 1.5 or newser, along with some minor cleanup and refactoring. It is not a drop in replacement of DVSL 0.45 since the main package has changed from org.apache.tools.dvsl to org.apache.dvsl. Files can be downloaded here.

Monday, 2 July 2007

The Velocity developers are pleased to make the first alpha release of VelocityTools 2.0 available for download and testing. This is a milestone release marking the completion of most major development in the Tools 2.x branch. Significant new features include very flexible, composable toolbox configuration (via either java, xml, and/or properties), lazy-loading/initialization of tools, the VelocityViewTag for embedding Velocity within JSP, an assortment of new and improved tools, and more. This should be useable as a drop in replacement for Tools 1.3, with a few exceptions where things already deprecated in 1.x have been removed. This also is the first Tools release to require both Velocity 1.5+ and JDK 1.5+.

Early adopters may consider the new tool management and configuration facilities to be quite stable. At this point, documentation is limited to javadoc and the example apps, which have been updated to demonstrate the new tools, the VelocityViewTag, and configuration. We are also more than happy to answer questions on the mailing lists. More information on the changes between Tools 1.x and 2.x may be found here. The Velocity developers are very interested in all feedback regarding Tools 2.0, especially regarding backwards compatibility with apps designed for Tools 1.3 or earlier. We aim to enable a smooth, incremental transition for developers and their applications.

Downloads of Tools 2.0-alpha1 are available here.

Sunday, 6 May 2007

The Velocity developers are pleased to issue two new releases: Anakia 1.0 and Texen 1.0. Anakia is an XML text transformation tool based on Apache Velocity and Apache Ant. It provides an alternative to using Ant 's <style> task and XSL to process XML files. A common use of Anakia is to process xdoc files and create site/project documentation. More information on Anakia can be found here: {{http://velocity.apache.org/anakia/releases/anakia-1.0/}} Texen is a general-purpose text generation utility, also based on Apache Velocity and Apache Ant. More information is here: {{http://velocity.apache.org/texen/releases/texen-1.0/}} Both Anakia and Texen were previously part of the core Velocity engine distribution but have been split off into their own packages to simplify maintenance and facilitate different release cycles. To avoid namespace conflict, org.apache.velocity.anakia has been moved to org.apache.anakia and org.apache.velocity.texen has been changed to org.apache.texen.

The Velocity developers are pleased to issue two new releases: Anakia 1.0 and Texen 1.0.

Anakia is an XML text transformation tool based on Apache Velocity and Apache Ant. It provides an alternative to using Ant 's <style> task and XSL to process XML files. A common use of Anakia is to process xdoc files and create site/project documentation. More information on Anakia can be found here:

{{http://velocity.apache.org/anakia/releases/anakia-1.0/}}

Texen is a general-purpose text generation utility, also based on Apache Velocity and Apache Ant. More information is here:

{{http://velocity.apache.org/texen/releases/texen-1.0/}}

Both Anakia and Texen were previously part of the core Velocity engine distribution but have been split off into their own packages to simplify maintenance and facilitate different release cycles. To avoid namespace conflict, org.apache.velocity.anakia has been moved to org.apache.anakia and org.apache.velocity.texen has been changed to org.apache.texen.

Monday, 9 April 2007

The Velocity developers are very pleased to announce the first release of the Velocity Docbook framework. It is intended to help creating high-quality documentation in the DocBook format which can be used online or as PDF for print out.

The downloads and documentation are available from {{http://velocity.apache.org/docbook/}}.

Tuesday, 6 March 2007

The Velocity developers are very pleased to announce the final release of Velocity 1.5. Downloads are available here. After a little more tweaking on Beta 2, the 1.5 final release is finally here! Since Beta 2 we have fixed a major problem with the new SecureUberspector as well as several bugs and broken links in our documentation. Some of the other new features since Velocity 1.4 include: * floating point number arithmetic * new event handlers for altering #include/#parse behavior * literal map syntax A complete list of changes is available at our issue tracker. You should also check out the release notes on the Wiki. Please report any additional bugs in the issue tracker and we will try to address them before the next release.

Thursday, 8 February 2007

The VelocityTools developers are pleased to announce the release of VelocityTools 1.3. There have been many improvements made since the 1.2 release. A key focus in this version has been ease of use. We've simplifyied developing your own tools by eliminating the ViewTool and Configurable interfaces, and we've simplifyied the syntax for using many of our existing tools within Velocity templates to both save keystrokes and reduce visual clutter.

The distribution also comes with a new "showcase" example webapp that demonstrates many of the uses of the various tools as well as allowing you to interactively play with them. Just download the binary distribution, and deploy the "showcase.war" example to your servlet container to try it out.

Also included are the usual slate of bug fixes, dependency upgrades, entirely new tools, and new functions for existing tools. For a full listing of changes, see the change log.

Downloads are available here.

Thursday, 25 January 2007

The VelocityTools developers are pleased to announce the first release candidate for VelocityTools 1.3. Downloads are available here.

Saturday, 13 January 2007

The Velocity Tools developers are pleased to announce the first beta release of Velocity Tools 1.3. Downloads are available here.

Sunday, 7 January 2007

The new Apache Velocity Web Site is online. Subscribe to the RSS feed to keep up to date.

Thursday, 26 October 2006

The Board of the Apache Software Foundation has passed a resolution to upgrade Jakarta Velocity into an Apache Top Level Project (TLP), to be renamed Apache Velocity. We are excited of the new prominence of the Velocity project. Please stay tuned for our new website at {{http://velocity.apache.org/}}. In the meantime, note that our new mailing lists are <user@velocity.apache.org> (subscribe at <user-subscribe@velocity.apache.org>) for general questions, and <dev@velocity.apache.org> (subscribe at <dev-subscribe@velocity.apache.org>) for development-related activity.

Friday, 24 November 2006

The Velocity developers are pleased to announce the second beta release of Velocity 1.5. Downloads are available here. This beta version is one of the final steps before the long-awaited version 1.5. Since Beta 1 we have added a new InvalidReferenceEventHandler (to catch invalid references), the SecureUberspector (to prevent introspection on "dangerous objects"), and a StringResourceLoader. We've also fixed some critical bugs, including a subtle synchronization problem causing page generation to fail under heavy loads. Some of the other new features since Velocity 1.4 include: * floating point number arithmetic * new event handlers for altering #include/#parse behavior * literal map syntax A complete list of changes is available at our issue tracker. You may also want to check out the draft release notes on the Wiki. Please report any additional bugs in the issue tracker, especially those that need to be fixed before our final release. (use 1.5 beta 2 as the version).

Friday, 1 December 2006

As part of our move to top-level status, we moved the Subversion repository. It is now available from {{http://svn.apache.org/repos/asf/velocity}}. Please update your references. If you have already checked out the source code, you can use the <<<svn switch>>> command to update your local copy.