Ok the original Try/Catch patch stuff is in SVN now and passes unit tests. I'm not 100% sure how the exceptions will help someone profile the code; wouldn't debugging have to be on to get the messages? Or a nefarious individual would have to have access to the exception logs, which would mean they already have escalated privileges sufficiently to retrieve that information?

I'm going to leave this in SVN the way it is now (with the fixed sandbox thingy) and we'll talk further about how to maintain functionality and preserve security. We definitely want to pay attention to security and do all we can to ensure we do not leak information unnecessarily.

DW

On Fri, Sep 18, 2009 at 8:25 AM, Chris Blackwell <[email protected]> wrote:

> Dan,
>
> If I turn on CF debugging I now get a few access denied exceptions along with the usual ColdSpring "property does not exist" exceptions. I've attached them so you can see which file paths it's failing on.
> I'm not sure what the expected behaviour of fileExists() is when trying to verify a file outside the sandbox, but my feeling is that a runtime exception would be the correct thing for CF to do. Otherwise you could use it to probe the structure of a server and find security exploits.
>
> Cheers, Chris
>
> 2009/9/18 Dan Wilson <[email protected]>
>
>> Thanks Chris,
>>
>> Lemme see if I can integrate and do integration testing before I have to head out this morning. I'll report back in a half hour.
>>
>> DW
>>
>> On Fri, Sep 18, 2009 at 6:44 AM, Chris Blackwell <[email protected]> wrote:
>>
>>> Ok,
>>> When ModelGlue loads it attempts to see if certain config files exist based on a relative path before calling expandpath() and trying again, for example fileExists("/ModelGlue/gesture/configuration/ModelGlueConfiguration.xml").
>>>
>>> It would appear that on certain platforms with sandbox security enabled this will throw an error rather than returning false. The solution is to try/catch these attempts.
>>>
>>> The culprits are ModelGlue/gesture/loading/ColdSpringBootstrapper.cfc and ModelGlue/gesture/module/XMLModuleLoader.cfc
>>>
>>> I have attached patches for these files which should resolve the issue.
>>>
>>> Cheers, Chris
>>
>> --
>> "Come to the edge, he said. They said: We are afraid. Come to the edge, he said. They came. He pushed them and they flew."
>> Guillaume Apollinaire quotes
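The following is an added illustration of the try/catch approach Chris describes, written for this page and not the patch he attached to the thread. It checks the relative path first and the expandPath() form second, as ModelGlue does, and turns a sandbox denial into a plain "not found" without surfacing the path to the caller; the function name and the writeLog() call are assumptions.

```cfml
<cfscript>
// Added example (not ModelGlue's own code). Wraps fileExists() so that a
// sandbox "access denied" exception does not abort the framework load and
// does not leak the probed path beyond the debug log.
boolean function safeFileExists(required string path) {
    var candidates = [];
    var i = 0;
    try {
        // Relative path first, then the expanded absolute path, matching the
        // lookup order described in the thread.
        candidates = [arguments.path, expandPath(arguments.path)];
    } catch (any e) {
        return false;
    }
    for (i = 1; i <= arrayLen(candidates); i++) {
        try {
            if (fileExists(candidates[i])) {
                return true;
            }
        } catch (any e) {
            // Sandbox denial or other I/O failure: treat as "not found".
            // Only the exception type is logged, and only in debug mode, so
            // the path itself is not written where it could be read later.
            if (isDebugMode()) {
                writeLog(text="safeFileExists: lookup failed (#e.type#)",
                         file="modelglue", type="warning");
            }
        }
    }
    return false;
}

// Constructed usage: the relative config path quoted in the thread.
configFound = safeFileExists("/ModelGlue/gesture/configuration/ModelGlueConfiguration.xml");
</cfscript>
```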
