>> Also, why wouldn't you trust the web server from
>> providing the correct file name to the CF server?

> It's not that I don't trust it... it's just that I don't
> trust it. ;^)

> If your security system is based on this information
> then you really want as little dependency as possible.
> Do it all inside CF and you don't have to worry (as
> much) about people spoofing a web server path or
> something to circumvent your code.

I don't think that's actually possible with an http request... and if it were, I don't think it would matter...

Sure, you could say that because CF doesn't rely on the webserver to get its data for getBaseTemplatePath() or getCurrentTemplatePath() that it has fewer vulnerabilities... BUT... the webserver _MUST_ tell the CF server which template it needs to process in the first place. If the webserver doesn't provide the correct template path, CF processes a different template or produces a "file not found" error. If it processes a different template, then the cgi variables will still match the values returned by the CF native functions because, well... the webserver told it to process the other template.

So... I don't think there's any reason to inherently mistrust the cgi variables... although I use getCurrentTemplatePath() in the Application.cfm or Application.cfc to get my application root path. (Although I have specifically seen the cgi.http_domain variable return an empty string erroneously, but I think that was a cf server bug).

s. isaac dealey 954.522.6080
new epoch : isn't it time for a change?

add features without fixtures with
the onTap open source framework

http://www.fusiontap.com
http://coldfusion.sys-con.com/author/4806Dealey.htm

