Hi Dan, I was referring to fileExists() being used to probe the filesystem, not the exceptions.
The exception is not a security risk in itself because it neither confirms nor denies the existence of the target file, only that the attempted location is inaccessible, and as you say you would need debugging turned on. I only attached the exceptions so you could see what I was seeing, in case your environment was unable to reproduce this issue.

Cheers,
Chris

2009/9/18 Dan Wilson <[email protected]>

> Ok the original Try/Catch patch stuff is in SVN now and passes unit tests.
> I'm not 100% sure how the exceptions will help someone profile the code,
> wouldn't debugging have to be on to get the messages? Or a nefarious
> individual would have to have access to the exception logs, which would mean
> they already have escalated privileges sufficiently to retrieve that
> information?
>
> I'm going to leave this in SVN the way it is now, (with the fixed sandbox
> thingy) and we'll talk further about how to maintain functionality and
> preserve security. We definitely want to pay attention to security and do
> all we can to ensure we do not leak information unnecessarily.
>
> DW
>
> On Fri, Sep 18, 2009 at 8:25 AM, Chris Blackwell <[email protected]> wrote:
>
>> Dan,
>>
>> If I turn on cf debugging I now get a few access denied exceptions along
>> with the usual coldspring property does not exist exceptions. I've attached
>> them so you can see which filepaths it's failing on.
>> I'm not sure what the expected behaviour of fileExists() is when trying to
>> verify a file outside the sandbox, but my feeling is that a runtime
>> exception would be the correct thing for CF to do. Otherwise you could use
>> it to probe the structure of a server and find security exploits.
>>
>> Cheers, Chris
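As an added illustration of the behaviour Chris argues for (this is example code, not from the thread, Model-Glue or ColdFusion, and written in Python as a stand-in): a file-existence check confined to a sandbox root answers normally inside it and raises one identical access-denied error for anything outside, whether or not the target exists, so the result cannot be used to map the rest of the filesystem. The unconstrained check is kept beside it for contrast; the sandbox layout, file names and error text are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

class SandboxAccessError(PermissionError):
    """Raised for every path outside the sandbox, present or not."""

def naive_file_exists(path: str) -> bool:
    """Unconstrained check: a true/false answer for any path on disk."""
    return os.path.isfile(path)

def sandboxed_file_exists(path: str, sandbox_root: str) -> bool:
    """Answer only under sandbox_root; refuse everything else with one
    identical error, so present and missing outside files look alike."""
    root = Path(sandbox_root).resolve()
    target = Path(path)
    if not target.is_absolute():
        target = root / target
    # resolve() follows symlinks and collapses "..", so links and traversals
    # that land outside the sandbox are refused as well.
    resolved = target.resolve()
    try:
        resolved.relative_to(root)
    except ValueError:
        raise SandboxAccessError("access denied: path outside sandbox") from None
    return resolved.is_file()

def _probe(path: str, sandbox_root: str):
    try:
        return sandboxed_file_exists(path, sandbox_root)
    except SandboxAccessError as exc:
        return str(exc)  # the caller only ever sees this one message

def demo() -> dict:
    """Constructed layout: sandbox holds config.xml; secret.txt lives outside."""
    with tempfile.TemporaryDirectory() as sandbox, tempfile.TemporaryDirectory() as outside:
        Path(sandbox, "config.xml").write_text("<config/>")
        secret = os.path.join(outside, "secret.txt")
        Path(secret).write_text("not for callers")
        absent = os.path.join(outside, "nothere.txt")
        traversal = os.path.join("..", os.path.basename(outside), "secret.txt")
        return {
            "inside_present": _probe("config.xml", sandbox),
            "inside_missing": _probe("nothere.xml", sandbox),
            "outside_present": _probe(secret, sandbox),
            "outside_missing": _probe(absent, sandbox),
            "traversal": _probe(traversal, sandbox),
            "naive_present": naive_file_exists(secret),  # leaks existence
            "naive_missing": naive_file_exists(absent),  # leaks absence
        }
```

The two `outside_*` results and the `traversal` result are the same string, which is the property that matters: a caller learns nothing about what lies outside the sandbox, while the naive check hands out a distinguishing answer.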
