In my opinion ServeFiles can be a security issue as much as any HTTP server.
The <CSP:include> tag is followed by a "Page=" parameter.
For me it makes sense if "Page" is the parameter to just serve csp or class files.
Of course my suggestion is that in further releases this parameter could be expanded to Page or File. Being Page (cls/csp) and File (any extension).
This prevents any security issue and everything is controlled by the application.
Nuno
Peter Cooper wrote:
Kev
I have not tried this but comments are ......
This will sort of work if the included files are just static JS or HTML - the file is just played out
What it does not do is compile the included file into a csp class so no #()# <script language="cache" etc etc will work
Whereas <csp:include> compiles into a fully paid up csp page
Gertjan, I cannot see that serve files is such a big security issue - it's all controlled server side in the csp app - so if the app does not do stuff then it won't happen
also it's more secure: consider if you have a library of PDF or whatever files that you only want people to see if they are logged on
if you include an <a href="some file.pdf"> then they could hack the file directly without being logged on
with serve files="yes" you can put the library in a directory visible to Cache but invisible to the web so the only way to get to the files is thru a logged on csp page
or am I missing something?????
Peter
On Wed, 28 Jul 2004 22:57:18 +0100, kevin furze <[EMAIL PROTECTED]> wrote:
I have had a private email from one of the support staff at InterSystems asking me to check a setting. The setting is in the Cache cube,
CONFIGURATION MANAGER CSP
APPLICATIONS
thePackageName
"Serve Files"
it is the "Serve Files" setting that controls the problem.
Set this option to YES, activate the changes and hey presto, the ".INC" files now work; set it to NO and ONLY the ".CSP" files work.
so be aware of this setting,
I must hold my hand up and say "perhaps it's me" - I can't be sure, I assume it is my fault - either way, we now have a solution. The use of ".CSP" extensions is guaranteed to work regardless of the setting, but (I assume) ALL other file extensions will be IGNORED if the setting is "NO"
Thank you "Mr Support Man" - you know who you are ;-}
kev
