So maybe the way around the risk is to simply check to make sure that
every #variable# in HTMLBody agrees with your list of intended
variables, and that HTMLBody doesn't include "<cf". That's pretty
easy, no? Would that cover it, Aaron?
Aaron DC wrote:
I agree, writing code to an include file does present a
security risk. However:
1. the original poster asked how to replace evaluate(de()) - this has
been done, albeit in an insecure fashion
2. no mention was made or sought as to how the original HTMLBody
variable was created. I assumed it was internal (authenticated,
trustworthy) users and there would not be any inherent security risk.
3. agreed, I should have stated the obvious security risk present
within the solution offered.
4. evaluate(de()) can also be dangerous:
e.g. replace the original HTMLBody with the following
<cfset HTMLBody = "
##title##
Current server var list: ##structkeylist(server)## |
O/S: ##server.os.name## |
Boot.ini sections: ##iif(server.os.name contains 'windows',
de(structkeylist(GetProfileSections('c:\boot.ini'))), de('linux'))## |
Set a var: ##setvariable('session.test', 'Hacked')## |
Current session var list: ##structkeylist(session)## |
Current application var list: ##structkeylist(application)## |
Current variables: ##structkeylist(variables)## |
Change a var: ##setvariable('session.test', 'again')##
">
regards
Aaron
Chris Stoner wrote:
While this is a very simple way to implement your solution, it's a
fairly large security risk. Anything inside that mail.inc now becomes
ColdFusion code that a clever user could do all sorts of nasty things
with. By setting up the mail body with any kind of malicious code
(cfexecute, cfregistry, cffile deletes, sql drops, etc.) the user can
then execute it by sending an email.
You are better off just using the {{ variable name }} idea. While it's
more work for the developer and more limiting for the user, it's a much
safer solution.
-- Chris Stoner
On 6/9/06, Aaron DC <[EMAIL PROTECTED]> wrote:
When your HTMLBody variable is created, save its contents to a file
(e.g. mail.inc) with the cfmail tag wrapped around it. I am guessing the
HTMLBody variable is statically dynamic, i.e. it can be changed but
probably isn't changed all that much. You will then end up with the
following:
mailit.cfm:
<cfset var campaign = GetCampaign() />
<cfinclude template="mail.inc">
mail.inc
<cfmail query="recipients"
to="#recipients.email#"
from="#Campaign.GetEmailFrom()# (#Campaign.GetEmailFromAlias()#)"
subject="Campaign ## #campaign.GetCampaignID()#"
failto="#Campaign.GetEmailFailTo()#"
mailerid="Summit Projects, Inc. "
type="HTML">
#Email#
#FirstName# #LastName#
#CompanyName#
#AddressLine1#
etc
</cfmail>
NB: The cfmail (or cfoutput, etc) tags are required to force CF to
process the variables. Just including a file of #<somevar># variables
will not work.
Your question prompted me to abandon my broken CF 6 media and download,
install and configure CF7, so no beers necessary if this solution
helps :-)
HTH
Aaron
Seth MacPherson wrote:
>
> Hello all,
>
> I have some code that sends email to a list of recipients but I'm
> having trouble and I'd love some advice.
>
> <cfset var campaign = GetCampaign() />
>
> <cfmail query="recipients"
>
> to="#recipients.email#"
>
> from="#Campaign.GetEmailFrom()#
(#Campaign.GetEmailFromAlias()#)"
>
> subject="Campaign ## #campaign.GetCampaignID()#"
>
> failto="#Campaign.GetEmailFailTo()#"
>
> mailerid="Summit Projects, Inc. "
>
> type="HTML">
>
> #HTMLBody#
>
> </cfmail>
>
> When I execute the (above) code it works, sort of. It sends email just
> as expected except for one thing, the message looks like this (forgive
> the lame content – it's just test material)
>
> BEGIN CUSTOM FIELDS
> #Email#
>
> #FirstName#
>
> #LastName#
>
> #CompanyName#
>
> #AddressLine1#
>
> #AddressLine2#
>
> #AddressLine3#
>
> #City#
>
> #StateProvince#
>
> #PostalCode#
>
> #Country#
>
> #MailFormat#
>
> #BLAMMO#
>
> #CRAMMO#
>
> #FLAMMO#
>
> #SLAMMO#
>
> #WHAMMO#
>
> As you might have guessed, the fields above are all variables that
> need to be populated from the query but are actually the content of
> the HTMLBody variable. After fooling around with it for a while I
> found that using Evaluate(DE(HTMLBody)) properly replaces the CF
> variables with the appropriate query data. Good grief. I hate using
> Evaluate, let alone Evaluate coupled with DE.
>
> Can I get some advice on how I could avoid using either Evaluate, DE,
> or both altogether?
>
> Thanks in advance.
>
> A shiny bottle of beer at CFUnited to the person who tackles the
> beast.
>
> Seth MacPherson
> Application Developer
> 101.5 OAK STREET
> HOOD RIVER, OR 97031
> 541.387.8883x246 (w)
> 360.241.8329 (c)
> [EMAIL PROTECTED]
>
> ----------------------------------------------------------
> You are subscribed to cfcdev. To unsubscribe, send an email to
> cfcdev@cfczone.org with the words 'unsubscribe cfcdev' as the subject
> of the email.
>
> CFCDev is run by CFCZone (www.cfczone.org) and supported by CFXHosting
> (www.cfxhosting.com).
>
> An archive of the CFCDev list is available at
> www.mail-archive.com/cfcdev@cfczone.org
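An added example, not code from anyone in this thread, of the approach Chris suggests and the check the top of the thread asks about: render the mail body by plain string replacement of known #placeholders#, refusing any "<cf" and any #...# that is not a known field, so the body is never written to an include file or handed to evaluate(). renderMailBody, the sample body strings and the recipient struct are assumptions for illustration; in the original code the values would come from one row of the recipients query.

```cfml
<cfscript>
// Added example (not from the original thread). Substitutes an allowlisted
// set of #placeholders# by plain string replacement so the body is never
// parsed as CFML. renderMailBody and the sample data below are assumptions.
function renderMailBody(required string body, required struct values) {
    var rendered = arguments.body;
    var tokens   = "";
    var token    = "";
    var name     = "";
    var i        = 0;

    // Anything that could become a tag if this text were ever written to a
    // file and cfinclude'd, or passed to evaluate(), is rejected outright.
    if (reFindNoCase("<cf", rendered)) {
        throw(type="MailTemplate.Unsafe", message="CFML tag found in mail body");
    }

    // Every #...# pair must name a known field. Expressions such as
    // #structKeyList(server)# or #setVariable(...)# are not keys in values
    // and are rejected here, so the body cannot smuggle in function calls.
    // ("##" inside a CF string literal is a single "#".)
    tokens = reMatch("##[^##]+##", rendered);
    for (i = 1; i <= arrayLen(tokens); i++) {
        token = tokens[i];
        name  = mid(token, 2, len(token) - 2);
        if (NOT structKeyExists(arguments.values, name)) {
            throw(type="MailTemplate.UnknownField",
                  message="Unknown placeholder " & token);
        }
        // Plain text replacement: the substituted value is never evaluated.
        rendered = replace(rendered, token, arguments.values[name], "all");
    }
    return rendered;
}

// Constructed sample data standing in for one row of the recipients query.
recipient = { FirstName = "Ada", LastName = "Lovelace",
              CompanyName = "Analytical Engines Ltd" };

safeBody    = "Dear ##FirstName## ##LastName##,<br>" &
              "Thanks for your interest, ##CompanyName##.";
hostileBody = "##title## Servers: ##structKeyList(server)## " &
              "##setVariable('session.test', 'Hacked')##";

writeOutput(renderMailBody(safeBody, recipient));
// Dear Ada Lovelace,<br>Thanks for your interest, Analytical Engines Ltd.

try {
    renderMailBody(hostileBody, recipient);
} catch (MailTemplate.UnknownField e) {
    writeOutput("Rejected: " & e.message);   // Rejected: Unknown placeholder #title#
}
</cfscript>
```

The rendered string goes inside <cfmail> as a single #body# reference. ColdFusion outputs a variable's value without re-parsing it, which is exactly why the original #HTMLBody# printed the placeholders literally, and also why this result cannot execute anything. The #[^#]+# pattern pairs hash signs greedily from the left, so a body that needs a lone # in its text (an "Order #12" line, say) needs a different placeholder syntax such as the {{ variable name }} form Chris suggested. The values here are assumed to come from the trusted recipients query; if they could originate from users, HTML-encode them before substituting.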