I wasn't referring to application-level security, I meant something like
this:
<cfif listLast(cgi.cf_script_name, "/\") NEQ "index.cfm">
<cfthrow type="NoThatFileYouBastardException" />
</cfif>
This won't prevent someone using getPageContext().forward() to call a fuse,
even though that fuse would be inaccessible on a URL because of the code
above.
Cheers,
barneyb
> -----Original Message-----
> From: Cameron Childress [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 17, 2004 12:29 PM
> To: CF-Talk
> Subject: RE: The Dangers of Java
>
> > Yeah, sure would, because it all happens in the
> > J2EE server. It also is probably possible to
> > request .CFM files that are protected against
> > access with code in Application.cfm, since I
> > don't think Application.cfm runs on a .forward().
> > This is a VERY common means of security in Fusebox
> > applications, particularly FB3.
>
> I am pretty sure this is a troll, but just in case it's not...
>
> This is actually a very common security model for ALL CF apps,
> not just FB.
> Also, FB3 actually uses it *less* frequently than most
> because the code
> usually placed in Application.cfm is typically put into
> fbx_settings.cfm
> instead.
>
> I'd say that at any rate, the core problem here is
> application design and
> the trustworthiness of developers (as has been stated in
> other messages),
> NOT any particular design pattern or application framework.
>
> -Cameron
>
> -----------------
> Cameron Childress
> Sumo Consulting Inc
> ---
> land: 858.509.3098
> cell: 678.637.5072
> aim: cameroncf
> email: [EMAIL PROTECTED]
>
>