Brett Payne-Rhodes wrote:
Good question Scott. I've wondered about this myself, even for .cfm files, and in general I put anything that is not explicitly executable into a non-web-accessible directory and include or use it from there. In the case where I don't have that luxury, e.g. client demands, etc., I put an application.cfm file in the same directory that simply redirects back to the 'proper' home directory. This has the effect that if someone (somehow) enters the explicit URL for a non-executable script like www.spidaweb.com/myApp/packages/module/blah.cfc then they get dropped straight back to www.spidaweb.com/myApp. And if you want to catch browsing to the directory then just add an index.cfm file that doesn't do anything (assuming index.cfm is a default file for your webserver).
Or am I off on another planet somewhere?
And I guess that doesn't actually answer your question... Basically I think the problem is that the code is being run out of context. These things generally expect to be 'called' from somewhere and you either build protection internally in each file to stop them being run that way or you protect the directory in which they reside.
Agreed, the Application.cfm can handle this, but yeah, the only thing I can think of so far is:
1. If the CFAdministrator dir is still installed it gives you access to the cfadmin pwd prompt (i.e. take some cracks at breaking the pwd etc.)
2. Would allow peeps to hijack method calls, i.e. blah.cfc?method=getMyDSN&argumentX=y
3. Lets them know too much about how the API is pulled together (i.e. reverse engineer? That's if directory browsing is on of course... but it shouldn't be... but that depends on our clients...)
Of course in theory, the application.cfm within the /packages/ directory should disallow the above... but I'm not 100% confident that is a plausible solution, as won't the CFCs in the right context inherit the application.cfm redirects (i.e. unless you do some kind of referer interrogation)?
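As an added example (not code from either poster), here is the kind of Application.cfm guard for the /packages/ directory the thread describes; it assumes the application root is /myApp/ and the layout from Brett's example. The inheritance worry does not arise: ColdFusion locates Application.cfm by walking up from the directory of the *requested* template only, so a CFC instantiated with createObject() from /myApp/index.cfm never runs this file, and no referer check is needed.

```cfml
<!--- /myApp/packages/Application.cfm (added example, hypothetical paths) --->
<!--- Only a direct browser/HTTP request for a template under /packages/
      reaches this file. Code under /packages/ that is included or
      instantiated from /myApp/index.cfm is handled by /myApp/Application.cfm,
      because Application.cfm resolution starts at the requested page. --->
<cfset requestedPath = lCase(cgi.script_name)>
<cfset requestedQuery = lCase(cgi.query_string)>

<!--- Direct hit on a component: blah.cfc, blah.cfc?method=..., blah.cfc?wsdl --->
<cfset isDirectCfcRequest = right(requestedPath, 4) eq ".cfc">

<!--- Anything else under /packages/ (helper .cfm fragments meant for cfinclude)
      is not a page either, so treat every direct request the same way. --->
<cfif isDirectCfcRequest or findNoCase("method=", requestedQuery)>
    <!--- Log first so a scan of the packages tree shows up in server logs --->
    <cflog file="packages-direct-access" type="warning"
           text="Blocked direct request to #cgi.script_name#?#cgi.query_string# from #cgi.remote_addr#">
</cfif>

<!--- Unconditional: nothing in /packages/ is a valid entry point, so drop
      the visitor back to the application home. cflocation ends the request. --->
<cflocation url="/myApp/" addtoken="no">
```

Pair this with an empty /myApp/packages/index.cfm so that a request for the bare directory never reaches the web server's directory listing.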
--- You are currently subscribed to cfaussie as: [EMAIL PROTECTED] To unsubscribe send a blank email to [EMAIL PROTECTED] Aussie Macromedia Developers: http://lists.daemon.com.au/
