> I hope nobody takes offense at this question; it is,
> however, a reasonable question from the bigger
> perspective of running a company...
>
> Does anyone at MM ever check the custom tags posted
> to the gallery or at MindTool check the UDFs posted
> to CFLIB for security flaws, hack code, etc?
>
> Again, to everyone on the list in general, I've never
> once had any contact with anyone in the CF community
> where there was a problem of this nature - it's just
> that the potential risks are huge for anyone downloading
> a server level tag to speed up site-deployment. My
> company has made use of several over the years and we
> don't always have the technical ability in-house to
> analyze them before deployment...
While Ray does look over the UDFs that get posted on cflib.org, as he mentioned, in the end, you're responsible for any code that you run on your server. If it's commercial code, the fact that you're paying for it meets your due diligence test and gives you someone else to blame for security problems, but beyond that there are no guarantees, really. Fortunately, it's really impractical to put "hack code" in a CFML custom tag or UDF, since they don't run as separate programs that could be invoked by an outside user, and the code is pretty easy to look over, generally. However, I'd guess that there are all kinds of "security flaws", in the sense that any unvalidated input might cause harm somewhere in your program, and generally, many CF programmers just aren't that particular about input validation.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
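One way a team without in-house CF expertise could triage a downloaded custom tag for the input-validation problem Dave describes, as an added example that is not code from this thread, from cflib.org or from the Developer Exchange: a Python script that flags `<cfquery>` bodies interpolating untrusted-scope variables (`#attributes.x#`, `#form.x#`, ...) anywhere other than inside a `<cfqueryparam>`. The sample tag, its query names and the datasource name are constructed for the example.

```python
import re

# Constructed sample of a CFML custom tag (written for this example, not a
# real cflib.org or Developer Exchange submission). A custom tag receives its
# caller's input through the attributes scope, so that is what to scrutinise.
SAMPLE_TAG = """\
<cfparam name="attributes.sortCol" default="name">
<cfquery name="getUsers" datasource="#attributes.dsn#">
  SELECT id, name FROM users
  WHERE id = <cfqueryparam value="#attributes.userID#" cfsqltype="cf_sql_integer">
  ORDER BY #attributes.sortCol#
</cfquery>
<cfquery name="getNotes" datasource="#attributes.dsn#">
  SELECT body FROM notes WHERE owner = '#attributes.userID#'
</cfquery>
<cfquery name="getCount" datasource="#attributes.dsn#">
  SELECT COUNT(*) AS n FROM users
</cfquery>
"""

# Scopes whose contents originate outside the tag or UDF being reviewed.
UNTRUSTED_SCOPES = ("form", "url", "cookie", "cgi", "attributes", "arguments")

_QUERY_RE = re.compile(r"<cfquery\b([^>]*)>(.*?)</cfquery>",
                       re.IGNORECASE | re.DOTALL)
_PARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE | re.DOTALL)
_NAME_RE = re.compile(r"""\bname\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
_VAR_RE = re.compile(r"#\s*(" + "|".join(UNTRUSTED_SCOPES)
                     + r")\.([A-Za-z_][\w.]*)\s*#", re.IGNORECASE)

def find_unparameterized_queries(cfml):
    """Return (query name, line, [scope.var, ...]) for each <cfquery> whose
    SQL interpolates an untrusted-scope variable outside <cfqueryparam>."""
    findings = []
    for m in _QUERY_RE.finditer(cfml):
        attrs, body = m.group(1), m.group(2)
        name_m = _NAME_RE.search(attrs)
        qname = name_m.group(1) if name_m else "<unnamed>"
        # A value inside <cfqueryparam> is bound, not concatenated: drop it
        # so only text that really lands in the SQL string is inspected.
        raw_sql = _PARAM_RE.sub("", body)
        hits = [f"{s.lower()}.{v}" for s, v in _VAR_RE.findall(raw_sql)]
        if hits:
            findings.append((qname, cfml.count("\n", 0, m.start()) + 1, hits))
    return findings

if __name__ == "__main__":
    for qname, line, hits in find_unparameterized_queries(SAMPLE_TAG):
        print(f"line {line}: query '{qname}' interpolates {', '.join(hits)}")
```

This is a triage aid, not a verdict: a regex cannot follow `cfinclude` or dynamic evaluation, so each hit marks a place to read closely before deployment, and a clean run does not prove the tag validates its input.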

