Dusty,

No apology needed, we all do things we look back upon and wish we had done differently.

FWIW, if you are just validating the value is reasonable you're good. HTTP Response Splitting is a PITA, honestly, and in my mind not terribly high risk, but it's something to think about when you put user-supplied data into any headers.

-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"[U]nconstitutional behavior by the authorities is constrained only by the peoples' willingness to contest them"
    --John Perry Barlow
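An added example (not code from the thread) of the validation Dean describes, in Python rather than CFML: url.donorid is checked against an allow-list before it is used to build either the Content-Disposition value or the file path, so neither CR/LF (response splitting) nor path separators (traversal outside application.path_audio) can reach them. The digits-only rule and the audio directory are assumptions.

```python
import re
from pathlib import PurePosixPath

# Assumption (not from the thread): donor ids are 1 to 12 decimal digits.
# Only an allow-list is applied; CR/LF and path separators never pass by construction.
DONORID_RE = re.compile(r"\A[0-9]{1,12}\Z")

# Stand-in for application.path_audio; the real directory sits outside the web root.
AUDIO_DIR = PurePosixPath("/srv/app/audio")


class InvalidDonorId(ValueError):
    """Raised when url.donorid is not a well-formed id."""


def validate_donorid(raw: str) -> str:
    """Return the id unchanged if it matches the allow-list, else raise.

    Rejecting anything but digits covers both failure modes the thread touches:
    CR/LF in a header value (response splitting) and '..' or '/' in a file
    name (a path outside application.path_audio).
    """
    if not isinstance(raw, str) or not DONORID_RE.match(raw):
        raise InvalidDonorId("donorid must be 1 to 12 digits")
    return raw


def content_disposition(donorid: str) -> str:
    """Build the Content-Disposition value from a validated id only."""
    safe_id = validate_donorid(donorid)
    return f'attachment; filename="audio_{safe_id}.mp3"'


def audio_path(donorid: str) -> PurePosixPath:
    """Build #application.path_audio##url.donorid#.mp3 from a validated id.

    The containment check cannot fire with digits-only ids; it documents the
    invariant the download code relies on.
    """
    path = AUDIO_DIR / f"{validate_donorid(donorid)}.mp3"
    if AUDIO_DIR not in path.parents:
        raise InvalidDonorId("resolved path escapes the audio directory")
    return path


def rejects(raw: str) -> bool:
    """True if the allow-list rejects raw; used to exercise the bad cases."""
    try:
        validate_donorid(raw)
    except InvalidDonorId:
        return True
    return False
```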


On Aug 8, 2007, at 4:18 PM, Dusty Hale wrote:

Yes I am validating everything but only sent a very small piece of the code. There is additional code before it even gets that far that verifies that the user is logged in, who they are, what they have permission to, and that they actually purchased the file, as well as a "FileExists" check using the #application.path_audio##url.donorid#.mp3. But they have to get through all the other checks before the cfcontent even runs. Is that what you meant by validating?

Hopefully this is secure enough for the balance of security decisions.

On another note, Dean, you are a cool guy. Even though I once left a negative comment about one of your threads, you continue to respond to my issues with good, useful advice. I have thought long and hard about that comment I left, inspired by your disagreements with Robert (I think that was his name), and I say here and now, I was wrong to leave that comment and officially retract it. I think I was temporarily impaired by other problems going on and have learned a big lesson from it. That is, not to react emotionally to things of that nature or issues where I might not be aware of all the details. I officially apologize and hope you forgive me for it.

Kindest regards,

Dusty

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Wednesday, August 08, 2007 2:35 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] strange issue with cfcontent

FYI, your new code is subject to HTTP Response Splitting if you're not validating the value of URL.donorid.

http://en.wikipedia.org/wiki/Http_response_splitting

-dhs



Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Free speech exercised both individually and through a free press, is a
necessity in any country where people are themselves free."
     -- Theodore Roosevelt, 1918


On Aug 8, 2007, at 1:48 PM, Dusty Hale wrote:

I changed my code but the same thing happens. The download gets cut off (occasionally they work) or stuck. Tested on several computers behind different networks. Internet connectivity is pretty much officially ruled out ...

The behavior is like the download gets stuck at 1.something MB for a 5.22 MB file. After some time the download closes like it is complete (automatically) and we end up with an incomplete audio file. So strange ... I wonder if it could be a "RequestTimeOut" thing or something.

This is the code I'm now using (changed per feedback I received). Notice the Content-Disposition is now "attachment" and the MIME type is set to "audio/mpeg". Didn't seem to help.

<cftry>
    <CFHEADER NAME="Content-Disposition" VALUE="attachment; filename=audio_#url.donorid#.mp3">
    <cfcontent file="#application.path_audio##url.donorid#.mp3" type="audio/mpeg">
    <cfcatch>
        <span style="color: red">There was a problem downloading the file.
        The file name may be missing from the server. Please alert the website administrator.</span>
        <cfabort>
    </cfcatch>
</cftry>

Any thought as to possible reasons the downloads are getting cut off would be greatly appreciated.

D

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven
Ross
Sent: Wednesday, August 08, 2007 1:02 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] strange issue with cfcontent

cfcontent is designed to do exactly what you are doing. If you are seeing it cut off the download that is definitely unexpected. I would definitely try changing the content disposition to attachment.


On 8/8/07, Dusty Hale <[EMAIL PROTECTED]> wrote:
Also, could it be that cfcontent is not such a good approach for doing what I described? Basically keeping the files out of the webroot for security. Is there another, better approach? Maybe create a process that temporarily creates a folder and a copy of the file for a normal direct link to download and then wipes it off after a time. That was just a quick thought.

Dusty

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven
Ross
Sent: Wednesday, August 08, 2007 12:46 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] strange issue with cfcontent

doh, shoulda caught that... there still may be issues with it depending on the user's browser settings. We have seen QuickTime do some funky stuff with forcing the playing of an mp3 in the browser instead of downloading the file.

On 8/8/07, Justin Haygood <[EMAIL PROTECTED]> wrote:

Normally.. using "attachment" instead of "inline" in the Content-Disposition header.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dusty Hale
Sent: Wednesday, August 08, 2007 12:31 PM
To: discussion@acfug.org
Subject: [ACFUG Discuss] strange issue with cfcontent

I've recently run into a rather strange issue with the use of cfcontent (I think). Here is a description of what is happening:

1. cfcontent is used to serve downloadable audio and video files that reside outside of the webroot. This of course is for security reasons, being that the users have to purchase the files. A common technique I've used successfully in the past.

2. The files being downloaded don't seem to always come through complete and it's almost like the download is being cut off for some reason. Sometimes it works, sometimes it doesn't.

3. It almost seems like client connectivity issues and I was convinced of that until it started happening to me when testing, and now users of the site report the same thing, including the "client" (not client machine but my client).

4. I used Adobe Connect this morning to share screens with my client so I could see the problem hands-on on their computer, and saw something else really strange. When she was clicking to download the file, the file opened in Windows Media rather than as a normal download (I assume this was set up as her default player for mp3 files). I asked her to right click and choose "Save Target As" to ensure she was actually downloading it and not streaming it. This always works fine for me, but when she does that, it then downloads the .cfm file rather than the mp3 file (I can't reproduce that on my machine). She is using Windows 2000 OS.

5. The site is hosted on a shared server at HostMySite.com. HMS support seemed to think the server it was on may have been low on CF resources and that cfcontent was putting together bad files for downloads. Again, sometimes the downloads work fine, sometimes they don't. We moved the site to a different server they said had plenty of CF resources. However, this did not solve the problem and it continues to happen on the new server.

I've now spent several days troubleshooting and am getting nowhere :(. If someone has any insight as to why this might be happening, please share. I think some discussion on the use of cfcontent for secure downloads is probably a good topic for discussion anyway. Proper ways to successfully do it?

Last but not least, here is a code example from my app:

<cftry>
    <CFHEADER NAME="Content-Disposition" VALUE="inline; filename=audio_#url.donorid#.mp3">
    <cfcontent file="#application.path_audio##url.donorid#.mp3" type="application/unknown">
    <cfcatch>
        <span style="color: red">There was a problem downloading the file.
        The file name may be missing from the server. Please alert the website administrator.</span>
        <cfabort>
    </cfcatch>
</cftry>

Also one other thing. Is there a way to use cfcontent so that it forces an audio or video file to actually download to a selected location? When users' default media players are set up for mp3, it generally just opens the file and starts playing. I want to somehow ensure that the file is fully downloaded to a selected area (that the user selects) before they start playing it and getting confused. In other words, a "normal download" file. Hope that doesn't seem confusing.

I greatly look forward to discussing and/or hearing any feedback on the issue.

Regards to everyone,

Dusty

-------------------------------------------------------------
 Annual Sponsor - Figleaf Software

 To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

 For more info, see http://www.acfug.org/mailinglists  Archive @
http://www.mail-archive.com/discussion%40acfug.org/
 List hosted by FusionLink
-------------------------------------------------------------



--
Steven Ross
web application & interface developer http://www.zerium.com [mobile]
404-488-4364 [fax] 267-482-4364
--
Steven Ross
web application & interface developer
http://www.zerium.com
[mobile] 404-488-4364
[fax] 267-482-4364