|
|||||||||
|
|||||||||
| |||||||||
|
|||||||||
|
|||||||||
| |||||||||
|
|
|
| |||||||||
 |
|
|
«
Previous Thread
|
Next Thread
»
|
Thread Tools | Search this Thread | Rate Thread | Display Modes |
Dev Shed Forums Sponsor:
|
|
|
|
#1
July 14th, 2003, 11:45 AM
|
|||
|
|||
default include
what is the default include page for cfm, i mean, my includes code is
PHP Code:
|
|
#2
July 14th, 2003, 01:43 PM
|
|||
|
|||
|
Is there a reason why you are using the getPageContext() function? This is typically used for server-side redirects or for including jsp files. What's wrong with this instead:
<cfparam name="url.file" default="defaultPageName"> <cfinclude template="#url.file#.cfm"> Personally, I see this as a massive security hole. I sure know that in my apps I would not want to let someone just call any page they want by adding it to the URL. This is especially true for MVC applications where the Model and View are callable only internally and never by an external user. But if your app is small or you aren't worried about what files they can call, then you might be OK.
|
|
#3
July 14th, 2003, 01:46 PM
|
|||
|
|||
|
Should have mentioned an even bigger problem with this setup: if the user manually edits the filename in the URL it would be possible for them to force an incude of ANY file on the system! Consider:
PHP Code:
Would, depending on the paths you are using, include a critical windows system file. So if you really are going to do this, you'd better rip out any offensive characters like ../ before you perform the include.
|
|
#4
July 14th, 2003, 04:43 PM
|
|||
|
|||
|
I REALLY thank you for the script kiteless, and i am aware of the ../../../winnet/system.ini but they cant do it, why? let me explain, the code u gave me it this
<cfparam name="url.file" default="defaultPageName"> <cfinclude template="#url.file#.cfm"> when the users type http://www.mysite.com/index.cfm?fil...innt/system.ini it will go to http://www.mysite.com/index.cfm?fil.../system.ini.cfm which doesnt exist, becuase in the includes, it will go as <cfparam name="url.file" default="defaultPageName"> <cfinclude template="../../../winnt/system.ini.cfm"> so i'd doubt that trick word work, but if u were talking about soemthing else, can u please explain, becuase i dont want ppl to access files outside the wwwroot
|
|
#5
July 15th, 2003, 09:26 AM
|
|||
|
|||
|
You are correct about the .cfm being appended to the included file, which would make it harder for a malicious user to get at files out fo the web root....but still, to me, this is too close for comfort.
You could do something like replaceNoCase( url.file, '../', '', 'All' ) to manually replace those characters. Still, overall using this technique of specifying the file to include is more trouble than it is worth. There's no modularity. In order to properly separate your data from the presentation you're going to have to do a good bit of manual work. Look at Fusebox. In fact, the beta of Fusebox 4 is nearly over, and Fusebox 4 is sweet as hell. Take a look at beta.fusebox.org, and learn about Fusebox at www.fusebox.org and www.techspedition.com. regards, Brian
|
|
| Viewing: Dev Shed Forums > Programming Languages - More > ColdFusion Development > default include |
| Thread Tools | Search this Thread |
| Display Modes | Rate This Thread |
|
|
|
 |
|
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
Linear Mode
