Gentlemen, 

Thank you for all your help in resolving this matter.  I plan to do some
tests to determine which of the methods provided is the most efficient.
Currently, my cfmail blasts need to reach audiences upwards of 200,000, and
performance, as well as security, are both real issues.  I do, however, have a
lot of control over what content is being emailed - I don't think I need to
be concerned with embedded ColdFusion markup.

Thanks again - 

- Seth

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Aaron DC
Sent: Saturday, June 10, 2006 1:04 AM
To: CFCDev@cfczone.org
Subject: Re: [CFCDev] Avoiding Evaluate While Using CFMAIL

At a quick glance, I would say yes, your tests look like they would 
cover any intentionally evil behaviour. It may not be straightforward to 
test for this, however.
eg:

<cfquery name="test" datasource="cfbookclub" maxrows="1">
    select * from books
</cfquery>

is a legitimate / legal cfml construct.

The original post has been answered. Before we go any further, I feel 
the original poster should supply us with more information / background 
to the system in question.
I'm very pleased to have CF7 up and running tho. If only I could get a 
SQL Server (MSDE) datasource to register...

Aaron

Nando wrote:
> So maybe the way around the risk is to simply check to make sure that 
> every #variable# in HTMLBody agrees with your list of intended 
> variables, and that HTMLBody doesn't include "<cf". That's pretty 
> easy, no? Would that cover it, Aaron?
>
>
> Aaron DC wrote:
>> I agree, writing code to an include file does present a security 
>> risk. However:
>> 1. the original poster asked how to replace evaluate(de()) - this has 
>> been done, albeit in an unsecure fashion
>> 2. no mention was made or sought as to how the original HTMLBody 
>> variable was created. I assumed it was internal 
>> (authenticated,trustworthy) users and there would not be any inherent 
>> security risk.
>> 3. agreed, I should have stated the obvious security risk present 
>> within the solution offered.
>> 4. evaluate(de()) can also be dangerous:
>> eg: replace the original HTMLBody with the following
>>
>> <cfset HTMLBody = "
>> ##title##
>> Current server var list: ##structkeylist(server)## |
>> O/S: ##server.os.name## |
>> Boot.ini sections: ##iif(server.os.name contains 'windows', 
>> de(structkeylist(GetProfileSections('c:\boot.ini'))), de('linux'))## |
>> Set a var: ##setvariable('session.test', 'Hacked')## |
>> Current session var list: ##structkeylist(session)## |
>> Current application var list: ##structkeylist(application)## |
>> Current variables: ##structkeylist(variables)## |
>> Change a var: ##setvariable('session.test', 'again')##
>> ">
>>
>> regards
>> Aaron
>>
>> Chris Stoner wrote:
>>> While this is a very simple way to implement your solution, it's a 
>>> fairly large security risk.  Anything inside that mail.inc now 
>>> becomes ColdFusion code that a clever user could do all sorts of 
>>> nasty things with. By setting up the mail body with any kind of 
>>> malicious code (cfexecute, cfregistry, cffile deletes, sql drops, 
>>> etc.) the user can then execute it by sending an email.
>>>
>>> You are better off just using the {{ variable name }} idea.  While 
>>> it's more work for the developer and more limiting for the user, it's a 
>>> much safer solution.
>>>
>>> -- Chris Stoner
>>>
>>> On 6/9/06, Aaron DC <[EMAIL PROTECTED]> wrote:
>>>
>>>     When your HTMLBody variable is created, save its contents to a
>>>     file (eg: mail.inc) with the cfmail tag wrapped around it. I am
>>>     guessing the HTMLBody variable is statically dynamic, ie can be
>>>     changed but probably isn't changed all that much. You will then end
>>>     up with the following:
>>>
>>>     mailit.cfm:
>>>     <cfset var campaign = GetCampaign() />
>>>     <cfinclude template="mail.inc">
>>>
>>>     mail.inc
>>>
>>>     <cfmail query="recipients"
>>>             to="#recipients.email#"
>>>             from="#Campaign.GetEmailFrom()# (#Campaign.GetEmailFromAlias()#)"
>>>             subject="Campaign ## #campaign.GetCampaignID()#"
>>>             failto="#Campaign.GetEmailFailTo()#"
>>>             mailerid="Summit Projects, Inc. "
>>>             type="HTML">
>>>     #Email#
>>>     #FirstName# #LastName#
>>>     #CompanyName#
>>>     #AddressLine1#
>>>     etc
>>>     </cfmail>
>>>
>>>     NB: The cfmail (or cfoutput, etc) tags are required to force CF to
>>>     process the variables. Just including a file of #<somevar>#
>>>     variables will not work.
>>>     Your question prompted me to abandon my broken CF 6 media and
>>>     download,
>>>     install and configure CF7, so no beers necessary if this solution
>>>     helps :-)
>>>
>>>     HTH
>>>     Aaron
>>>
>>>
>>>
>>>     Seth MacPherson wrote:
>>>     >
>>>     > Hello all,
>>>     >
>>>     > I have some code that sends email to a list of recipients but I'm
>>>     > having trouble and I'd love some advice.
>>>     >
>>>     > <cfset var campaign = GetCampaign() />
>>>     >
>>>     > <cfmail query="recipients"
>>>     >         to="#recipients.email#"
>>>     >         from="#Campaign.GetEmailFrom()# (#Campaign.GetEmailFromAlias()#)"
>>>     >         subject="Campaign ## #campaign.GetCampaignID()#"
>>>     >         failto="#Campaign.GetEmailFailTo()#"
>>>     >         mailerid="Summit Projects, Inc. "
>>>     >         type="HTML">
>>>     > #HTMLBody#
>>>     > </cfmail>
>>>     >
>>>     > When I execute the (above) code it works, sort of. It sends email just
>>>     > as expected except for one thing, the message looks like this (forgive
>>>     > the lame content - it's just test material)
>>>     >
>>>     > BEGIN CUSTOM FIELDS
>>>     > #Email#
>>>     >
>>>     > #FirstName#
>>>     >
>>>     > #LastName#
>>>     >
>>>     > #CompanyName#
>>>     >
>>>     > #AddressLine1#
>>>     >
>>>     > #AddressLine2#
>>>     >
>>>     > #AddressLine3#
>>>     >
>>>     > #City#
>>>     >
>>>     > #StateProvince#
>>>     >
>>>     > #PostalCode#
>>>     >
>>>     > #Country#
>>>     >
>>>     > #MailFormat#
>>>     >
>>>     > #BLAMMO#
>>>     >
>>>     > #CRAMMO#
>>>     >
>>>     > #FLAMMO#
>>>     >
>>>     > #SLAMMO#
>>>     >
>>>     > #WHAMMO#
>>>     >
>>>     > As you might have guessed, the fields above are all variables that
>>>     > need to be populated from the query but are actually the content of
>>>     > the HTMLBody variable. After fooling around with it for a while I
>>>     > found that using Evaluate(DE(HTMLBody)) properly replaces the CF
>>>     > variables with the appropriate query data. Good grief. I hate using
>>>     > Evaluate, let alone Evaluate coupled with DE.
>>>     >
>>>     > Can I get some advice on how I could avoid using either Evaluate,
>>>     > DE, or both altogether?
>>>     >
>>>     > Thanks in advance.
>>>     >
>>>     > A shiny bottle of beer at CFUnited to the person who tackles the
>>>     > beast.
>>>     >
>>>     > Seth MacPherson
>>>     > Application Developer
>>>     > 101.5 OAK STREET
>>>     > HOOD RIVER, OR 97031
>>>     > 541.387.8883x246 (w)
>>>     > 360.241.8329 (c)
>>>     > [EMAIL PROTECTED]
>>>     >
>>>     > ----------------------------------------------------------
>>>     > You are subscribed to cfcdev. To unsubscribe, send an email to
>>>     > cfcdev@cfczone.org <mailto:cfcdev@cfczone.org> with the words
>>>     'unsubscribe cfcdev' as the subject
>>>     > of the email.
>>>     >
>>>     > CFCDev is run by CFCZone (www.cfczone.org
>>>     <http://www.cfczone.org>) and supported by CFXHosting
>>>     > (www.cfxhosting.com <http://www.cfxhosting.com>).
>>>     >
>>>     > An archive of the CFCDev list is available at
>>>     > www.mail-archive.com/cfcdev@cfczone.org
>>>     <http://www.mail-archive.com/cfcdev@cfczone.org>
>>>
>>>
>>
>>
>
>
> -- 
>
> Aria Media Sagl
> CP 234
> 6934 Bioggio
> Switzerland
> www.aria-media.com
>
>
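The two safer approaches the thread converges on, worked through as an added example (Python, chosen as a language-neutral illustration; this is not code from the thread, from ColdFusion, or from any of the posters, and the same logic is what one would write in CFML): Nando's check that every #variable# in HTMLBody is on the list of intended fields and that the body carries no "<cf" tag markup, and Chris's {{ variable name }} placeholder filled by plain string substitution instead of Evaluate(DE()) or a cfinclude. The whitelist, the recipient row and the sample bodies are constructed; EVIL_BODY and TAG_BODY are shaped like what Aaron posted so the check can be seen rejecting them. HTML-escaping the substituted values is my addition for a type="HTML" mail, not something the thread discusses.

```python
import html
import re

# Constructed whitelist: the query columns a campaign body may reference.
# This is the "list of intended variables" Nando proposes checking against.
ALLOWED_FIELDS = frozenset({
    "Email", "FirstName", "LastName", "CompanyName",
    "AddressLine1", "City", "StateProvince", "PostalCode", "Country",
})

NAME = r"[A-Za-z_][A-Za-z0-9_]*"
# Chris's "{{ variable name }}" placeholder: no CFML processor treats it as code.
BRACE_TOKEN = re.compile(r"\{\{\s*(" + NAME + r")\s*\}\}")
# Any CFML tag markup, opening or closing (<cfquery ...>, </cfmail>, <cf output>).
CF_TAG = re.compile(r"<\s*/?\s*cf[a-z_]*", re.IGNORECASE)


class UnsafeTemplate(ValueError):
    """The body would not be safe to hand to Evaluate(DE()) or to cfinclude."""


def _hash_tokens(body):
    """Scan CF-style text, yielding ('text', s) for literal runs and ('expr', s)
    for each #...# span. '##' is CFML's escape for one literal '#'."""
    pos = 0
    while pos < len(body):
        i = body.find("#", pos)
        if i < 0:
            yield ("text", body[pos:])
            return
        if i > pos:
            yield ("text", body[pos:i])
        if body.startswith("##", i):
            yield ("text", "#")
            pos = i + 2
            continue
        j = body.find("#", i + 1)
        if j < 0:
            raise UnsafeTemplate("unbalanced '#' at offset %d" % i)
        yield ("expr", body[i + 1:j])
        pos = j + 1


def check_hash_template(body, allowed=ALLOWED_FIELDS):
    """Nando's check: no CF tag markup, and every #...# is a bare field name on
    the whitelist, so nothing but a variable could ever reach Evaluate.
    Returns the set of field names used; raises UnsafeTemplate otherwise."""
    if CF_TAG.search(body):
        raise UnsafeTemplate("CFML tag markup in body")
    used = set()
    for kind, value in _hash_tokens(body):
        if kind != "expr":
            continue
        if not re.fullmatch(NAME, value):
            raise UnsafeTemplate("expression, not a field name: #%s#" % value)
        if value not in allowed:
            raise UnsafeTemplate("field not on the whitelist: #%s#" % value)
        used.add(value)
    return used


def is_safe_hash_template(body, allowed=ALLOWED_FIELDS):
    try:
        check_hash_template(body, allowed)
        return True
    except UnsafeTemplate:
        return False


def convert_hash_template(body, allowed=ALLOWED_FIELDS):
    """Migrate a checked #field# body to {{ field }} syntax so it never needs Evaluate."""
    check_hash_template(body, allowed)
    return "".join(v if k == "text" else "{{ %s }}" % v for k, v in _hash_tokens(body))


def render_template(body, row, allowed=ALLOWED_FIELDS, escape_html=True):
    """Chris's approach: fill {{ field }} by plain string substitution. The value
    is data and is never parsed as CFML. Escaping is for HTML-typed mail."""
    def substitute(m):
        name = m.group(1)
        if name not in allowed:
            raise UnsafeTemplate("field not on the whitelist: {{ %s }}" % name)
        value = str(row.get(name, ""))
        return html.escape(value) if escape_html else value
    return BRACE_TOKEN.sub(substitute, body)


# Constructed sample inputs: one row of the "recipients" query and four bodies.
SAMPLE_ROW = {"Email": "jane@example.com", "FirstName": "Jane",
              "LastName": "O'Neil", "CompanyName": "Acme & Co"}
SAFE_BODY = "Hello #FirstName# #LastName#,\nYour account ## 42 is registered to #Email#."
BRACE_BODY = "Hello {{ FirstName }} {{LastName}} of {{ CompanyName }}"
# Shaped like Aaron's demonstration: function calls inside the hashes.
EVIL_BODY = "O/S: #server.os.name# | #setvariable('session.test', 'Hacked')#"
# Aaron's other point: a legal CFML tag runs if the body lands in an include file.
TAG_BODY = '<cfquery name="test" datasource="cfbookclub" maxrows="1">select * from books</cfquery>'

if __name__ == "__main__":
    print(render_template(convert_hash_template(SAFE_BODY), SAMPLE_ROW))
    for body in (EVIL_BODY, TAG_BODY, "Hi #Nickname#", "Broken # hash"):
        print(repr(body[:30]), "safe" if is_safe_hash_template(body) else "rejected")
```

The check is deliberately stricter than a substring test for "<cf": a `#...#` span containing anything other than a whitelisted identifier (a dot, a parenthesis, a quote) is rejected outright, which is what closes the setvariable() and structkeylist() cases in Aaron's demonstration, and an unbalanced `#` is rejected rather than passed through to CF's parser.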

