Thread: default include

#1  Contributing User (Edison; joined Jul 2003)

default include


What is the default include page for cfm? I mean, my include code is
Code:
<cfset GetPageContext().include("#URLDecode(URL.file)#.cfm")> 
and the URL is http://www.mysite.com/index.cfm?file=pagename, but when users type http://www.mysite.com/index.cfm I want to put a default page. How do I do that? Because if there isn't a default page, it gives an error.
#2  Moderator (Raleigh, NC; joined Jun 2002)
    Is there a reason why you are using the getPageContext() function? This is typically used for server-side redirects or for including jsp files. What's wrong with this instead:

    <cfparam name="url.file" default="defaultPageName">
    <cfinclude template="#url.file#.cfm">


    Personally, I see this as a massive security hole. I sure know that in my apps I would not want to let someone just call any page they want by adding it to the URL. This is especially true for MVC applications where the Model and View are callable only internally and never by an external user. But if your app is small or you aren't worried about what files they can call, then you might be OK.
#3  Moderator (Raleigh, NC; joined Jun 2002)
Should have mentioned an even bigger problem with this setup: if the user manually edits the filename in the URL it would be possible for them to force an include of ANY file on the system! Consider:

Code:
www.mysite.com/index.cfm?filename=../../../winnt/system.ini 
    Would, depending on the paths you are using, include a critical windows system file. So if you really are going to do this, you'd better rip out any offensive characters like ../ before you perform the include.
#4  Contributing User (Edison; joined Jul 2003)
I REALLY thank you for the script, Kiteless, and I am aware of the ../../../winnt/system.ini, but they can't do it. Why? Let me explain. The code you gave me is this:

    <cfparam name="url.file" default="defaultPageName">
    <cfinclude template="#url.file#.cfm">

    when the users type

    http://www.mysite.com/index.cfm?file...nnt/system.ini

it will go to http://www.mysite.com/index.cfm?file...system.ini.cfm which doesn't exist, because

    in the includes, it will go as

    <cfparam name="url.file" default="defaultPageName">
    <cfinclude template="../../../winnt/system.ini.cfm">

so I doubt that trick would work, but if you were talking about something else, can you please explain, because I don't want people to access files outside the wwwroot.
#5  Moderator (Raleigh, NC; joined Jun 2002)
You are correct about the .cfm being appended to the included file, which would make it harder for a malicious user to get at files out of the web root....but still, to me, this is too close for comfort.

    You could do something like replaceNoCase( url.file, '../', '', 'All' ) to manually replace those characters.

    Still, overall using this technique of specifying the file to include is more trouble than it is worth. There's no modularity. In order to properly separate your data from the presentation you're going to have to do a good bit of manual work.

    Look at Fusebox. In fact, the beta of Fusebox 4 is nearly over, and Fusebox 4 is sweet as hell. Take a look at beta.fusebox.org, and learn about Fusebox at www.fusebox.org and www.techspedition.com.

    regards,

    Brian
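The pattern the moderator warns about in #3 and #5 (a user-supplied value deciding which file gets included) is best closed with an allowlist rather than by stripping "../" out of the value. The following CFML is an added example written for this thread; it is not code from either poster. The page names in `allowedPages`, the default of `home`, and the `include-dispatch` log name are assumptions for illustration; the functions used (`cfparam`, `reFind`, `listFindNoCase`, `listGetAt`, `cflog`, `cfinclude`) are standard ColdFusion.

```cfml
<!--- Added example, not from the thread: dispatch includes only from an explicit allowlist.
      The page names below and the default of "home" are assumptions for illustration. --->
<cfset allowedPages = "home,about,contact,news">

<!--- Default page when no ?file= is given (answers the original question in #1) --->
<cfparam name="url.file" default="home" type="string">

<!--- 1. Structural check: a page name is a plain identifier, never a path.
        One pattern rejects ../, slashes, backslashes, dots and other path syntax,
        instead of trying to strip "../" out of a hostile value after the fact. --->
<cfset isIdentifier = reFind("^[A-Za-z0-9_]{1,32}$", url.file) GT 0>

<!--- 2. Allowlist check: the name must be one the application actually exposes.
        listFindNoCase returns 0 when the value is not in the list. --->
<cfset listPosition = listFindNoCase(allowedPages, url.file)>
<cfset isAllowed = isIdentifier AND listPosition GT 0>

<cfif isAllowed>
    <!--- Take the entry from the list itself, so the included file name always
          matches the case the application defined, not the case the caller typed. --->
    <cfset pageToInclude = listGetAt(allowedPages, listPosition)>
<cfelse>
    <!--- Unknown or malformed request: fall back to the default instead of throwing,
          and log the attempt so traversal probes show up in the application logs
          (written to include-dispatch.log under the ColdFusion logs directory). --->
    <cflog file="include-dispatch" type="warning"
           text="Rejected include request for [#url.file#] from #cgi.remote_addr#">
    <cfset pageToInclude = "home">
</cfif>

<!--- Only a value taken from allowedPages ever reaches cfinclude --->
<cfinclude template="#pageToInclude#.cfm">
```

With this in place, the URL from #3 (`?file=../../../winnt/system.ini`) fails the identifier check and is logged and redirected to the default page, and a bare `index.cfm` with no `file` parameter gets the default from `cfparam`, which was the original question. Because the include name is looked up from the allowlist rather than taken from the request, the appended `.cfm` is no longer the only thing standing between the caller and the filesystem.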
