Russ,

Thanks for your comment and encouragement.

The scrutiny is certainly valid. I don't think the problem is as serious as it 
first appeared, but it is with regard to all uploaded files handled by the 
framework so it is a pretty significant area of concern and definitely 
something I am glad to have others help me think through.

As to the "need" for another framework, I think I have heard that point raised 
about every ColdFusion framework released since Fusebox came out ("We already 
have Fusebox, why do we need another framework?"). In this case, I think 
Neptune is quite a bit different from what is out there already.

For one thing, all the other major frameworks route all requests through 
index.cfm and Neptune doesn't. Assuming I am not the only one who dislikes this 
paradigm then it is worth offering it for that.

For another, I think (keeping in mind that I am biased) that it is much easier 
than any other framework. Almost every time I read about how to do something in 
another framework I think "It is easier than that for us".

For anyone even a little curious, I would recommend reading the "Getting 
Started" section. It includes links to how to do the same thing in 
ModelGlue:Unity and in CFWheels. You can imagine it in other frameworks as 
well. See for yourself which you think is easier.

http://www.bryantwebconsulting.com/docs/neptune/installation.cfm

I'm not trying to knock other frameworks here ("easier" often depends on the 
problems being solved, for example) - just to point out that I think Neptune 
does have something different to offer than what exists already.

Thanks,

Steve

>Steve,
>
>I'm personally not sure if yet another framework is needed, we have quite a
>few now from simple (cfwheels or FW/1) to all singing all dancing OOP
>behemoths (ColdBox) but kudos for trying and I hope it works out for you.
>While I think all these security concerns are valid, and it would be great if
>your framework handled these automatically, I think perhaps others are being
>a bit harsh and jumping on your back a bit quick. I wonder if the other
>frameworks and popular open source apps have been scrutinised like this and
>cover all these security bases and are this secure, I wouldn't like to bet
>any money on it, and I certainly know that some of the ones I have used
>really do little more than use CFPARAM or CFQUERYPARAM to protect against
>injection, and there is certainly no consideration for the temp file
>execution scenario. I have not read the entire conversation so I do not know
>the context of the file uploads inside webroot, but if this is only for
>installation/setup then I would not consider this a security concern as only
>the admin will be doing this and then presumably this feature will be
>disabled anyway.
>The most popular apps in the world with web based installers do not even
>cater for this scenario, such as WordPress for example, they simply make
>sure that the installer/setup no longer works once you have completed the
>process so that a hacker cannot get in and mess with your site.
>If that is not the context for this issue and it is uploads in general, then
>I guess that is a moot point.
>
>
>--
>Russ Michaels
>www.cfmldeveloper.com - Supporting the CF community since 1999
>FREE ColdFusion/Railo hosting for developers.
>
>blog: www.michaels.me.uk 
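For readers following the upload discussion in both messages above (uploaded files handled by the framework, and the temp-file execution scenario that arises when uploads land inside the webroot), here is the defensive pattern in CFML. It is an added example for this archive, not Neptune's code or anything posted in the thread; the form field name `userfile`, the store directory and the extension allowlist are assumptions.

```cfml
<!--- Added example (not Neptune's code): receive an upload into the server temp
      directory, validate it server-side, then move it to a store that the web
      server never serves. All paths and names below are assumptions. --->
<cfset allowed = "jpg,jpeg,png,gif,pdf">
<cfset storeDir = "/var/appdata/uploads/">  <!--- assumed path, NOT under the webroot --->

<cftry>
    <!--- Never write the raw upload under the webroot, even briefly: a .cfm
          dropped there could be requested and executed before any check runs.
          GetTempDirectory() is the engine's temp area, which is not web-served. --->
    <cffile action="upload"
            filefield="userfile"
            destination="#GetTempDirectory()#"
            nameconflict="makeunique"
            result="up">

    <cfset tmpPath = up.serverDirectory & "/" & up.serverFile>

    <!--- The client-supplied filename and MIME type are untrusted input.
          Decide on the extension as stored on the server and reject anything
          not on the allowlist (an empty extension is rejected too). --->
    <cfif NOT ListFindNoCase(allowed, up.serverFileExt)>
        <cffile action="delete" file="#tmpPath#">
        <cfthrow message="Disallowed file type: #up.clientFile#">
    </cfif>

    <!--- Store under a server-generated name so the uploader cannot choose
          a name such as something.cfm or smuggle in a path segment. --->
    <cfset safeName = CreateUUID() & "." & LCase(up.serverFileExt)>
    <cffile action="move" source="#tmpPath#" destination="#storeDir & safeName#">

    <cfcatch>
        <!--- On any failure, leave nothing behind in the temp directory. --->
        <cfif IsDefined("tmpPath") AND FileExists(tmpPath)>
            <cffile action="delete" file="#tmpPath#">
        </cfif>
        <cfrethrow>
    </cfcatch>
</cftry>
```

Files in the store are then handed back to users only through a script that reads them with cfcontent, so the web server itself never maps a URL onto the uploaded file.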

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340470