Why not just use a structure that translates the fuseaction to the
"meaningless" text, and then all you have to do is change the values in the
structure. You could even load up the structure from your DB!
For example:
In app_globals.cfm do this:
<CFSCRIPT>
FuseActions=StructNew();
StructInsert(FuseActions, "main", "ehaldllflad");
StructInsert(FuseActions, "insert_new", "dkkgkakdkaksdf");
StructInsert(FuseActions, "delete_job", "dkgkgfksdkwektkvfkf");
StructInsert(FuseActions, "check_security", "aksdfa;lsdfkj");
StructInsert(FuseActions, "update_job", "jkjj3j12j4jrjsj");
</CFSCRIPT>
In your code/pages when you want to go to a fuse action, do this:
<CFOUTPUT><a href="index.cfm?FuseAction=#FuseActions.main#">Go Home</a></CFOUTPUT>
OR
<CFLOCATION url="test.cfm?FuseAction=#FuseActions.main#">
In your index.cfm, do this:
<CFSWITCH expression="#Attributes.FuseAction#">
<CFCASE value="#FuseActions.main#">
<!--- do main menu stuff --->
</cfcase>
</cfswitch>
At 12:56 PM 11/29/00 -0900, [EMAIL PROTECTED] wrote:
>I think it's a great idea! I've toyed with doing such a thing, but never got
>off my duff and wrote it.
>
>I was thinking of something where you'd have a db table storing clear
>fuseaction names, and hashed names. Tie it to another app that would, on
>a nightly scheduled basis, generate new hashes, and go through every CF
>template, doing a find/replace for the old hashes with the new hashes. This
>way your window of vulnerability would be cut down to one day, were a
>fuseaction to be compromised.
>
>I think that with Fusebox, these types of security measures can be made very
>easy to implement, seeing how every client request passes through index.cfm.
>Something like this could be cleaned up into a very tight security model,
>and included in a future Fusebox book, I think...
>
>Alan McCollough
>Web Programmer
>Allaire Certified ColdFusion Developer
>Alaska Native Medical Center
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> > Sent: Wednesday, November 29, 2000 10:19 AM
> > To: Fusebox
> > Subject: Encrypting FuseActions
> >
> > A co-worker and I came up with this possible tool to conceal the names of
> > FuseActions, for even heightened security for the paranoid. It consists of
> > a custom tag to create a structure containing FuseActions and their
> > encrypted values, and a line to decrypt the passed FuseAction.
> >
> > I haven't tested this code yet, we just whipped it up real quick and I
> > wanted to see what y'all thought of the idea - any merit?
> >
> > <!--- Source of CF_SETFUSEACTIONS: --->
> >
> > <CFPARAM NAME="Attributes.FuseActions" DEFAULT="">
> > <CFPARAM NAME="Attributes.Key" DEFAULT="KermitTheFrog">
> > <CFPARAM NAME="Attributes.Return" DEFAULT="S_FuseActions">
> >
> > <CFSET S_FuseActions = StructNew()>
> >
> > <CFLOOP LIST="#Attributes.FuseActions#" INDEX="FuseAction">
> > <CFSET SetVariable("S_FuseActions.#FuseAction#", Encrypt(FuseAction, Attributes.Key))>
> > </CFLOOP>
> >
> > <CFSET SetVariable("Caller.#Attributes.Return#", S_FuseActions)>
> >
> > <!--- In the calling template: --->
> >
> > <CF_SETFUSEACTIONS FUSEACTIONS="Login,Logout,Display" KEY="MyKey">
> >
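> > <!--- Encrypt() output is not URL-safe, so encode it before it goes into the link --->
> > <CFOUTPUT><A HREF="default.cfm?F=#URLEncodedFormat(S_FuseActions.Login)#">Login</A></CFOUTPUT>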
> >
> > <!--- At the top of the FuseBox (index.cfm) or app_globals.cfm : --->
> >
> > <CFSET Attributes.FuseAction = Decrypt(Attributes.F,
> > Application.FuseActionKey)>
> >
> >
> >
>
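The lookup-table and nightly-rotation ideas from this thread combined, as an added example that is not code from any of the posters: tokens are derived per day with an HMAC, so nothing has to be rewritten in the templates, and index.cfm maps a passed token back to a fuseaction only if it is in the lookup. The function names are hypothetical; it assumes `hmac()` is available (ColdFusion 10+ or Lucee) and that `Application.FuseActionKey` is set outside the templates.

```cfml
<cfscript>
// Added example. Function names are hypothetical; hmac() needs ColdFusion 10+ or Lucee.
// Real fuseaction names, as in the structure example from the thread.
knownActions = "main,insert_new,delete_job,check_security,update_job";

// Opaque token for one fuseaction on one calendar day.
function tokenFor(required string action, required string secret, required date day) {
    var msg = arguments.action & "|" & dateFormat(arguments.day, "yyyy-mm-dd");
    // Hex output, truncated to 24 characters, is safe to place in a URL as-is.
    return lCase(left(hmac(msg, arguments.secret, "HMACSHA256"), 24));
}

// token -> fuseaction lookup for one day.
function buildTokenMap(required string actions, required string secret, required date day) {
    var map = structNew();
    var action = "";
    for (action in listToArray(arguments.actions)) {
        map[tokenFor(action, arguments.secret, arguments.day)] = action;
    }
    return map;
}

// Only tokens present in the lookup resolve; anything else falls back to "main".
function resolveFuseAction(required string token, required struct tokenMap) {
    if (len(arguments.token) and structKeyExists(arguments.tokenMap, arguments.token)) {
        return arguments.tokenMap[arguments.token];
    }
    return "main";
}

// At the top of index.cfm.
secret = application.fuseActionKey; // assumption: set at application start, not in a template

// Accept today's tokens plus yesterday's, so links rendered just before
// midnight keep working. Tokens older than that no longer resolve.
tokenMap = buildTokenMap(knownActions, secret, now());
structAppend(tokenMap, buildTokenMap(knownActions, secret, dateAdd("d", -1, now())), false);

passed = structKeyExists(url, "F") ? url.F : "";
attributes.fuseaction = resolveFuseAction(passed, tokenMap);

// Tokens only hide the names; the check_security step still has to run per request.
// Building a link in a template:
homeLink = "index.cfm?F=" & tokenFor("main", secret, now());
</cfscript>
```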