I agree, writing code to an include file does present a security risk.
However:
1. the original poster asked how to replace evaluate(de()) - this has been done, albeit in an insecure fashion
2. no mention was made or sought as to how the original HTMLBody variable was created. I assumed it was internal (authenticated, trustworthy) users and there would not be any inherent security risk.
3. agreed, I should have stated the obvious security risk present within the solution offered.
4. evaluate(de()) can also be dangerous:
e.g.: replace the original HTMLBody with the following
<cfset HTMLBody = "
##title##
Current server var list: ##structkeylist(server)## |
O/S: ##server.os.name## |
Boot.ini sections: ##iif(server.os.name contains 'windows',
de(structkeylist(GetProfileSections('c:\boot.ini'))), de('linux'))## |
Set a var: ##setvariable('session.test', 'Hacked')## |
Current session var list: ##structkeylist(session)## |
Current application var list: ##structkeylist(application)## |
Current variables: ##structkeylist(variables)## |
Change a var: ##setvariable('session.test', 'again')##
">
regards
Aaron
Chris Stoner wrote:
While this is a very simple way to implement your solution, it's a fairly large security risk. Anything inside that mail.inc now becomes ColdFusion code that a clever user could do all sorts of nasty things with. By setting up the mail body with any kind of malicious code (cfexecute, cfregistry, cffile deletes, sql drops, etc.) the user can then execute it by sending an email.
You are better off just using the {{ variable name }} idea. While it's more work for the developer and more limiting for the user, it's a much safer solution.
-- Chris Stoner
On 6/9/06, Aaron DC <[EMAIL PROTECTED]> wrote:
When your HTMLBody variable is created, save its contents to a file (e.g. mail.inc) with the cfmail tag wrapped around it. I am guessing the HTMLBody variable is statically dynamic, i.e. can be changed but probably isn't changed all that much. You will then end up with the following:
mailit.cfm:
<cfset var campaign = GetCampaign() />
<cfinclude template="mail.inc">
mail.inc
<cfmail query="recipients"
to="#recipients.email#"
from="#Campaign.GetEmailFrom()# (#Campaign.GetEmailFromAlias()#)"
subject="Campaign ## #campaign.GetCampaignID()#"
failto="#Campaign.GetEmailFailTo()#"
mailerid="Summit Projects, Inc. "
type="HTML">
#Email#
#FirstName# #LastName#
#CompanyName#
#AddressLine1#
etc
</cfmail>
NB: The cfmail (or cfoutput, etc) tags are required to force CF to process the variables. Just including a file of #<somevar># variables will not work.
Your question prompted me to abandon my broken CF 6 media and download, install and configure CF7, so no beers necessary if this solution helps :-)
HTH
Aaron
Seth MacPherson wrote:
>
> Hello all,
>
> I have some code that sends email to a list of recipients but I'm
> having trouble and I'd love some advice.
>
> <cfset var campaign = GetCampaign() />
>
> <cfmail query="recipients"
>
> to="#recipients.email#"
>
> from="#Campaign.GetEmailFrom()# (#Campaign.GetEmailFromAlias()#)"
>
> subject="Campaign ## #campaign.GetCampaignID()#"
>
> failto="#Campaign.GetEmailFailTo()#"
>
> mailerid="Summit Projects, Inc. "
>
> type="HTML">
>
> #HTMLBody#
>
> </cfmail>
>
> When I execute the (above) code it works, sort of. It sends email just
> as expected except for one thing, the message looks like this (forgive
> the lame content – it's just test material)
>
> BEGIN CUSTOM FIELDS
> #Email#
>
> #FirstName#
>
> #LastName#
>
> #CompanyName#
>
> #AddressLine1#
>
> #AddressLine2#
>
> #AddressLine3#
>
> #City#
>
> #StateProvince#
>
> #PostalCode#
>
> #Country#
>
> #MailFormat#
>
> #BLAMMO#
>
> #CRAMMO#
>
> #FLAMMO#
>
> #SLAMMO#
>
> #WHAMMO#
>
> As you might have guessed, the fields above are all variables that
> need to be populated from the query but are actually the content of
> the HTMLBody variable. After fooling around with it for a while I
> found that using Evaluate(DE(HTMLBody)) properly replaces the CF
> variables with the appropriate query data. Good grief. I hate using
> Evaluate, let alone Evaluate coupled with DE.
>
> Can I get some advice on how I could avoid using either Evaluate, DE,
> or both altogether?
>
> Thanks in advance.
>
> A shiny bottle of beer at CFUnited to the person who tackles the
> beast.
>
> Seth MacPherson
> Application Developer
> 101.5 OAK STREET
> HOOD RIVER, OR 97031
> 541.387.8883x246 (w)
> 360.241.8329 (c)
> [EMAIL PROTECTED]
>
> ----------------------------------------------------------
> You are subscribed to cfcdev. To unsubscribe, send an email to
> cfcdev@cfczone.org <mailto:cfcdev@cfczone.org> with the words
'unsubscribe cfcdev' as the subject
> of the email.
>
> CFCDev is run by CFCZone (www.cfczone.org
<http://www.cfczone.org>) and supported by CFXHosting
> (www.cfxhosting.com <http://www.cfxhosting.com>).
>
> An archive of the CFCDev list is available at
> www.mail-archive.com/cfcdev@cfczone.org
<http://www.mail-archive.com/cfcdev@cfczone.org>
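The {{ variable name }} substitution Chris recommends, written out as an added example (this is not code from the thread or from any of its authors). It assumes a query named recipients whose columns include the names in allowedFields, a string variable HTMLBody holding the template text with placeholders such as {{ FirstName }}, and the Campaign object and GetCampaign() from Seth's original tag; the helper names rowToStruct and renderBody and the allowedFields list are my own. The body is only ever treated as text: nothing in it is passed to Evaluate or written to an include, so #expressions# or unknown {{ ... }} tokens in a user-supplied body come out as literal characters.

```cfml
<!--- Added example: placeholder substitution instead of Evaluate(DE(HTMLBody)). --->

<!--- Copy one row of a query into a struct so it can be passed to renderBody. --->
<cffunction name="rowToStruct" returntype="struct" output="false">
    <cfargument name="qry" type="query" required="true" />
    <cfargument name="rowNumber" type="numeric" required="true" />
    <cfset var row = structNew() />
    <cfset var col = "" />
    <cfloop list="#arguments.qry.columnList#" index="col">
        <cfset row[col] = arguments.qry[col][arguments.rowNumber] />
    </cfloop>
    <cfreturn row />
</cffunction>

<!---
  Replace {{ name }} placeholders with values from a struct.
  Only names listed in allowedFields are substituted; any other {{ ... }}
  token and any #expression# text stays exactly as written, because the
  result is returned as a plain string and is never evaluated as CFML.
--->
<cffunction name="renderBody" returntype="string" output="false">
    <cfargument name="template" type="string" required="true" />
    <cfargument name="data" type="struct" required="true" />
    <cfargument name="allowedFields" type="string" required="true" />
    <cfset var result = arguments.template />
    <cfset var field = "" />
    <cfset var value = "" />

    <!--- Normalise {{  FirstName }} to {{FirstName}} so a literal replace can match it. --->
    <cfset result = reReplace(result, "\{\{\s*([A-Za-z0-9_]+)\s*\}\}", "{{\1}}", "all") />

    <cfloop list="#arguments.allowedFields#" index="field">
        <!--- Placeholder names must be plain identifiers; reject anything else. --->
        <cfif NOT reFind("^[A-Za-z][A-Za-z0-9_]*$", field)>
            <cfthrow message="Invalid placeholder name in allowedFields: #field#" />
        </cfif>
        <cfif structKeyExists(arguments.data, field)>
            <cfset value = arguments.data[field] />
        <cfelse>
            <cfset value = "" />
        </cfif>
        <!---
          replaceNoCase is a literal (non-regex) replacement, so a value
          containing backslashes or braces is inserted verbatim.
        --->
        <cfset result = replaceNoCase(result, "{{" & field & "}}", value, "all") />
    </cfloop>
    <cfreturn result />
</cffunction>

<!--- The only names a body author may reference (assumed list). --->
<cfset allowedFields = "Email,FirstName,LastName,CompanyName,AddressLine1" />
<cfset campaign = GetCampaign() />

<cfmail query="recipients"
    to="#recipients.email#"
    from="#Campaign.GetEmailFrom()# (#Campaign.GetEmailFromAlias()#)"
    subject="Campaign ## #campaign.GetCampaignID()#"
    failto="#Campaign.GetEmailFailTo()#"
    type="HTML">
#renderBody(HTMLBody, rowToStruct(recipients, recipients.currentRow), allowedFields)#
</cfmail>
```

Because the mail is sent as type="HTML", a column value that itself contains markup is rendered as markup; if the recipient data is not fully trusted, wrap the value in htmlEditFormat() before the replace so it is shown as text.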