Russ, Thanks for your comment and encouragement.
The scrutiny is certainly valid. I don't think the problem is as serious as it first appeared, but it is with regard to all uploaded files handled by the framework, so it is a pretty significant area of concern and definitely something I am glad to have others help me think through.

As to the "need" for another framework, I think I have heard that point raised about every ColdFusion framework released since Fusebox came out ("We already have Fusebox, why do we need another framework?"). In this case, I think Neptune is quite a bit different from what is out there already. For one thing, all the other major frameworks route all requests through index.cfm and Neptune doesn't. Assuming I am not the only one who dislikes this paradigm, then it is worth offering it for that. For another, I think (keeping in mind that I am biased) that it is much easier than any other framework. Almost every time I read about how to do something in another framework I think "It is easier than that for us".

For anyone even a little curious, I would recommend reading the "Getting Started" section. It includes links to how to do the same thing in ModelGlue:Unity and in CFWheels. You can imagine it in other frameworks as well. See for yourself which you think is easier.
http://www.bryantwebconsulting.com/docs/neptune/installation.cfm

I'm not trying to knock other frameworks here ("easier" often depends on the problems being solved, for example) - just to point out that I think Neptune does have something different to offer than what exists already.

Thanks,
Steve

> Steve,
>
> I'm personally not sure if yet another framework is needed, we have quite a
> few now from simple (cfwheels or FW/1) to all singing all dancing OOP
> behemoths (ColdBox), but kudos for trying and I hope it works out for you.
> While I think all these security concerns are valid, and it would be great if
> your framework handled these automatically, I think perhaps others are being
> a bit harsh and jumping on your back a bit quick.
> I wonder if the other frameworks and popular open source apps have been
> scrutinised like this and cover all these security bases and are this secure.
> I wouldn't like to bet any money on it, and I certainly know that some of the
> ones I have used really do little more than use CFPARAM or CFQUERYPARAM to
> protect against injection, and there is certainly no consideration for the
> temp file execution scenario. I have not read the entire conversation so I do
> not know the context of the file uploads inside webroot, but if this is only
> for installation/setup then I would not consider this a security concern as
> only the admin will be doing this and then presumably this feature will be
> disabled anyway.
>
> The most popular apps in the world with web based installers do not even
> cater for this scenario, such as wordpress for example; they simply make sure
> that the installer/setup no longer works once you have completed the process
> so that a hacker cannot get in and mess with your site.
>
> If that is not the context for this issue and it is uploads in general, then
> I guess that is a moot point.
>
> --
> Russ Michaels
> www.cfmldeveloper.com - Supporting the CF community since 1999
> FREE ColdFusion/Railo hosting for developers.
>
> blog: www.michaels.me.uk

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340470
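The two defensive measures Russ's quoted message refers to (keeping uploaded files where the web server cannot serve or execute them, and making a web-based installer stop working once setup is complete), written out as an added CFML example. This is not Neptune's code and not anything posted in the thread; the private upload directory, the "attachment" form field name, the extension allowlist and the lock-file path are all assumptions made for the example.

```cfml
<!---
  Added example (not Neptune's code, not from the thread).
  Assumptions: the ColdFusion process can write to a directory one level
  above the webroot, the upload form field is named "attachment", and the
  second section lives in the one-time setup page.
--->

<!--- Section 1 (upload handler): save uploads OUTSIDE the webroot, so an
      uploaded .cfm/.jsp can never be requested by URL and executed. --->
<cfset uploadDir = expandPath("/../uploads_private/")>   <!--- assumption: sibling of the webroot --->
<cfset allowedExt = "jpg,jpeg,png,gif,pdf">               <!--- constructed allowlist; no script extensions --->

<cfif NOT directoryExists(uploadDir)>
    <cfdirectory action="create" directory="#uploadDir#">
</cfif>

<cffile action="upload"
        fileField="attachment"
        destination="#uploadDir#"
        nameConflict="makeunique"
        accept="image/jpeg,image/png,image/gif,application/pdf"
        result="up">

<!--- accept= compares the MIME type the browser sent, which the client
      controls, so also check the extension of the file actually written. --->
<cfif NOT listFindNoCase(allowedExt, up.serverFileExt)>
    <cffile action="delete" file="#uploadDir##up.serverFile#">
    <cfthrow type="UploadRejected"
             message="File type .#up.serverFileExt# is not allowed.">
</cfif>

<!--- Section 2 (setup page): refuse to run once a lock file exists, and
      write the lock file when setup has finished. --->
<cfset lockFile = expandPath("/../install.lock")>         <!--- assumption: outside the webroot --->

<cfif fileExists(lockFile)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>Setup has already been completed.</cfoutput>
    <cfabort>
</cfif>

<!--- ... the setup steps themselves would run here ... --->

<!--- Record completion so every later request to this page is refused above. --->
<cffile action="write"
        file="#lockFile#"
        output="installed #dateFormat(now(), 'yyyy-mm-dd')#">
```

The extension check after the upload is the important part of section 1: on the ColdFusion and Railo versions of that era, `accept=` only matches the Content-Type header the browser supplied, so it is not a substitute for inspecting the saved file. Serving a stored file back to users is then done by a .cfm page that reads it from the private directory and streams it with `cfcontent`, never by exposing the directory itself.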