Java Mailing List Archive

Re: [groovy-user] Groovy in the Enterprise

Jochen Theodorou

2008-08-21

Detering Dirk wrote:
>> product... In the same category would then maybe be dynamic
>> code injection, where source code is injected. But that is
>> not a problem special to Groovy or special to dynamic
>> languages, that is a problem that is possible for any
>> language with scripting abilities... But in both cases of
>> injection it is crucial not to have code (being SQL or
>> something else) in http requests and to check all data that
>> is given through the user.
>
>
> Jochen, you are mostly arguing with web based scenarios.
> The injection problem can exist with scripting support in
> enterprise applications too.

Yes, sorry, you are right... how come I thought only of the web
here?

> Consider scriptlets for business rules in an app's DB, or
> configuration scripts or some DSL scripts started
> dynamically from user space.
>
> As the running engine (Groovy) is not restricted in its
> feature set, it can do anything that the running Java
> code can do.
>
> Or am I wrong here?

It is not more or less restricted than Java itself. In both cases you
usually use the security manager to restrict actions. Additionally you
could for example use compiler add-ons to ensure that an endless loop will
not kill the whole system.

bye blackdrag

--
Jochen "blackdrag" Theodorou
The Groovy Project Tech Lead (http://groovy.codehaus.org)
http://blackdragsview.blogspot.com/
http://www.g2one.com/
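
The compiler add-on idea from the reply above, as an added example that is not part of the original message or the Groovy project's code: a compilation customizer applies `@TimedInterrupt` to every user-supplied scriptlet so an endless loop is aborted. The helper names `limitedConfig` and `runRule` and the sample rules are assumptions made for illustration.

```groovy
import groovy.transform.TimedInterrupt
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.customizers.ASTTransformationCustomizer
import java.util.concurrent.TimeoutException

// Every script compiled with this configuration gets @TimedInterrupt applied:
// the transform inserts elapsed-time checks into loops, methods and closures.
CompilerConfiguration limitedConfig(long seconds) {
    def config = new CompilerConfiguration()
    config.addCompilationCustomizers(
        new ASTTransformationCustomizer([value: seconds], TimedInterrupt))
    return config
}

// Hypothetical helper: evaluate one stored rule and report the outcome.
String runRule(String source, Map vars, long seconds = 1L) {
    def shell = new GroovyShell(new Binding(vars), limitedConfig(seconds))
    try {
        return "ok: ${shell.evaluate(source)}"
    } catch (TimeoutException e) {
        // Thrown by the injected check once the time budget is used up.
        return "rejected: exceeded ${seconds}s"
    }
}

// Constructed sample scriptlets, standing in for rules loaded from an app's DB.
def rules = [
    discount: 'amount > 100 ? amount * 0.9 : amount',
    runaway : 'def n = 0; while (true) { n++ }',
]
rules.each { name, src -> println "${name} -> ${runRule(src, [amount: 250])}" }
```

The time limit only interrupts code at the instrumented points inside the script; it does not restrict what the script may access, which remains the job of the security manager mentioned in the reply.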
