> Had I been using FormURL2Attributes, a direct call through the
> URL to that circuit the application would rescope the variables
> in the URL and allow unauthorized users to invoke methods on
> an object (ex: accept an offer on behalf of another user).
>
> I use formURL2Attributes sometimes but only when I require that
> functionality. Not in my app_globals where it could be a security
> risk.
I protect from this kind of 'hack' by using this code:
<cfif IsDefined("ThisTag") AND IsStruct(ThisTag)>
    <!--- Default values, if app is used as <cfmodule> --->
<cfelse>
    <!--- Set explicitly if app is not used as <cfmodule> (disables URL hacks) --->
</cfif>
So I think this would do the trick for <cf_formURL2attributes> in your
case:
<cfif NOT (IsDefined("ThisTag") AND IsStruct(ThisTag))>
    <cf_formURL2attributes>
</cfif>
Erki
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
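The pattern from the thread carried one step further, as an added example that is neither Erki's code nor the Fusebox formURL2Attributes tag: on a direct URL request only an explicit allow-list of parameters is copied into attributes, and the identity-bearing value is taken from the session instead. The fuseaction name "acceptOffer", the parameters offerID/userID and the session.userID variable are assumptions for the sake of the example.

```cfml
<!--- Added example (not from the original post or from Fusebox).
      Assumed: this fuse accepts an offer and needs attributes.offerID and
      attributes.userID; the logged-in user is stored in session.userID. --->

<!--- ThisTag only exists when this template runs via <cfmodule> / <cf_...>.
      If it is missing, the request came straight from the browser URL. --->
<cfset calledAsModule = IsDefined("ThisTag") AND IsStruct(ThisTag)>

<cfif NOT calledAsModule>
    <!--- Direct request: do NOT dump url/form wholesale into attributes.
          Copy only the parameters this fuse legitimately takes from the
          browser. userID is deliberately absent from this list. --->
    <cfset allowedParams = "fuseaction,offerID">
    <cfloop list="#allowedParams#" index="p">
        <cfif StructKeyExists(form, p)>
            <cfset attributes[p] = form[p]>
        <cfelseif StructKeyExists(url, p)>
            <cfset attributes[p] = url[p]>
        </cfif>
    </cfloop>

    <!--- Identity comes from the authenticated session, never from the
          request, so a caller cannot act on behalf of another user. --->
    <cfparam name="session.userID" default="">
    <cfset attributes.userID = session.userID>
</cfif>

<!--- When called as a module, the calling template is trusted to have set
      attributes.userID itself; in both cases validate before use. --->
<cfparam name="attributes.userID" default="">
<cfparam name="attributes.offerID" default="0">

<cfif attributes.userID EQ "">
    <cfabort showerror="Not logged in">
</cfif>
<cfif NOT IsNumeric(attributes.offerID)>
    <cfabort showerror="Invalid offerID">
</cfif>

<!--- acceptOffer business logic may now rely on attributes.userID --->
```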