Andrew,

You just hit me with a "You should know that" and a "Steve needs to 
understand...". I get that you have a headache, but I am not trying to fight 
you on this. I am really just trying to get a feel for the threat-level so I 
can decide on the appropriate action(s) to take.

It sounds like (and correct me if I am wrong here) a warning is not currently 
needed to recommend storing files outside of the web root but some note 
advising about the implications could be helpful.

I should probably have a page on the topic that covers security implications of 
changes of the kind discussed here as well as some comments in Application.cfm 
to the effect of "Hey! Don't delete me unless you want to take some heavy 
risks!".


David,

I didn't take it as you knocking me. I thought it was a good point and yet 
another reason that I need to verify that you can configure to use a .cfm file 
as part of the URL path for uploaded files.


Thanks,

Steve

>Yeah I think I got myself confused there, have a blinding headache and
>wasn't thinking on that one.
>
>The point Steve needs to understand is that this is changeable, and that
>means that someone can easily come along and change the framework. That
>means there should be a warning of some degree that by making these changes
>they could be potentially putting a security risk into the framework.
>
>Whether he does that or not is up to him, but I think that a warning should
>be applied to this because it is accessible from the URL. I think that he
>has done enough to secure it at the base level, but remember someone who
>doesn't understand can come along and remove the application.cfm and not
>think twice about the security put in place.
>
>Does that make my position a little clearer?
>
>Regards,
>Andrew Scott
>http://www.andyscott.id.au/ 
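As an added illustration of the contrast Andrew describes (example code, not from this thread or from Steve's framework): a per-directory Application.cfm guard that only protects the upload folder while that file is present, next to a download handler that serves files stored outside the web root, where deleting any Application.cfm cannot expose them. The directory names, the `session.userId` flag and the handler name are assumptions.

```cfml
<!--- /uploads/Application.cfm (assumed location): ColdFusion runs this before
      every request under /uploads/, so it can gate direct hits on uploaded files.
      If someone deletes this file, the check below simply stops existing and the
      web server hands out the files directly. --->
<cfapplication name="uploadsGuard" sessionmanagement="yes">
<cfif NOT structKeyExists(session, "userId")>  <!--- assumed login flag --->
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- /download.cfm (assumed name): the same check, but the files live in a
      directory that is not under the web root, so the only way to reach them is
      through this handler. Removing an Application.cfm no longer matters. --->
<cfif NOT structKeyExists(session, "userId")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Keep only the file name part of the request and reject traversal,
      so url.file cannot point outside the storage directory. --->
<cfset safeName = getFileFromPath(url.file)>
<cfif len(safeName) EQ 0 OR find("..", safeName)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<cfset storageDir = "/var/app/uploads/">  <!--- assumed path, outside the web root --->
<cfset fullPath = storageDir & safeName>
<cfif NOT fileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Stream the file as a download instead of letting the web server serve it. --->
<cfheader name="Content-Disposition" value="attachment; filename=""#safeName#""">
<cfcontent type="application/octet-stream" file="#fullPath#" deletefile="false">
```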

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340437