> > However, you should only put files in a web-accessible
> > directory if you intend for people to be able to fetch
> > or run them directly within their browser by entering
> > the appropriate URL. If you have files that aren't
> > intended to be used that way, they shouldn't be in a
> > web-accessible directory. If your shared host can't
> > provide the minimal functionality required to segregate
> > web content from non-web content, you should find another
> > shared host.
>
> I simply prefix any file that shouldn't be run directly with
> dsp_ or act_ or similar, and add
>
> <cfif reFind("/..._", cgi.script_name)>
> <cflocation url="">
> </cfif>
>
> to application.cfm. Tell me why that's less secure.
Because you have no guarantee that CF will always be working on your server,
or that no one will discover a new source code browsing vulnerability, or
that no one will accidentally delete your Application.cfm file. I imagine I
could think of more reasons, if I cared to.
It's been my experience that people tend to think of something as being
secure if it works as expected, at the same time that everything else works
as expected. A security-conscious person, however, should expect that
everything else won't always work as expected.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
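To make the trade-off in this thread concrete, here is an added example (not code from either poster) that emulates the `reFind("/..._", cgi.script_name)` test from the quoted Application.cfm and, separately, audits a web-accessible directory for the dsp_/act_ templates that would be served as-is whenever that application-layer check is not in effect (engine not processing the request, Application.cfm missing). The directory layout is constructed for the example.

```python
import os
import re
import tempfile

# Constructed layout mirroring the thread: include-only templates
# (dsp_/act_ prefix) living beside the pages that include them.
SAMPLE_FILES = [
    "index.cfm",
    "dsp_header.cfm",
    "act_login.cfm",
    "reports/act_export.cfm",
    "app_data/index.cfm",   # directory name also matches "/..._"
]

# The test from the thread: a slash followed by exactly three
# characters and an underscore, anywhere in the script name.
APP_LEVEL_PATTERN = re.compile(r"/..._")


def blocked_by_application_cfm(script_name):
    """True when the Application.cfm check would redirect this request.
    Note it keys on the path string only, so a directory such as
    /app_data/ trips it even though index.cfm is a normal page."""
    return APP_LEVEL_PATTERN.search(script_name) is not None


def find_exposed_includes(webroot, prefixes=("dsp_", "act_")):
    """List include-only templates that sit under the web root.
    Every entry is reachable by URL if nothing but Application.cfm
    stands in the way; the fix the thread argues for is to keep
    them outside the web-accessible tree altogether."""
    exposed = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.startswith(prefixes):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                exposed.append("/" + rel.replace(os.sep, "/"))
    return sorted(exposed)


def build_sample_webroot():
    """Create the constructed layout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel in SAMPLE_FILES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<!--- constructed sample template --->\n")
    return root


if __name__ == "__main__":
    for rel in find_exposed_includes(build_sample_webroot()):
        print(rel, "app-layer block:", blocked_by_application_cfm(rel))
```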
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription:
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Get the mailserver that powers this list at http://www.coolfusion.com
Unsubscribe:
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4