Are we also forgetting that this is entirely driven by conventions?
Are we also forgetting that you can put the files anywhere defined by your
conventions? Trying to guess this will be harder and would result in people
giving up trying to work that out.
Also when it comes to the Application.cfc, you can put your own logic in
here to secure it more. Like don't process anything non-ColdBox and capture
any errors with onError so that things are hidden from the user more. Using
SES more and the IIS / Apache rewrite rules will help even more.
Regards,
Andrew Scott
http://www.andyscott.id.au/
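The Application.cfc guard described in the reply above, written out as an added example (this is not code from the thread or from ColdBox itself). It assumes a ColdBox application whose only intended entry point is /index.cfm; the list of private directory names, the application name and the user-facing messages are constructed for the example, and the comment about calling super.onRequestStart() assumes the Application.cfc extends coldbox.system.Coldbox as in the ColdBox versions of that era.

```cfml
<!--- Added example, not the thread's or ColdBox's own code.
      Assumption: the app is served only through /index.cfm. --->
<cfcomponent output="false">
    <cfset this.name = "exampleColdBoxApp">

    <!--- Directories holding CFML that only makes sense once ColdBox has run
          (views read rc, handlers expect the event). Direct requests into them
          never get rc set up, so they are refused instead of crashing.
          The list itself is a constructed assumption for this example. --->
    <cfset variables.privateDirs = "views,layouts,handlers,model,interceptors,config,includes">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <!--- targetPage is the requested .cfm relative to the web root, e.g. "/views/home.cfm" --->
        <cfargument name="targetPage" type="string" required="true">
        <cfset var requestedFile = listLast(arguments.targetPage, "/")>
        <cfset var firstDir = "">

        <cfif listLen(arguments.targetPage, "/") gt 1>
            <cfset firstDir = listFirst(arguments.targetPage, "/")>
        </cfif>

        <!--- Only the front controller may be requested directly. Anything else,
              including "publicationIndex.cfm" or "/views/index.cfm", gets a plain 404
              so the response is indistinguishable from a file that does not exist. --->
        <cfif requestedFile neq "index.cfm" or listFindNoCase(variables.privateDirs, firstDir)>
            <cfheader statuscode="404" statustext="Not Found">
            <cfcontent reset="true" type="text/html">
            <cfoutput>Not Found</cfoutput>
            <cfabort>
        </cfif>

        <!--- A legitimate request is handed to the framework from here
              (super.onRequestStart(arguments.targetPage) when this component
              extends coldbox.system.Coldbox; version-specific, so treat as an assumption). --->
        <cfreturn true>
    </cffunction>

    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" type="any" required="true">
        <cfargument name="eventName" type="string" required="true">
        <!--- Keep the detail server-side; the user sees no paths, SQL or stack trace. --->
        <cflog file="application" type="error"
               text="#arguments.eventName#: #arguments.exception.message#">
        <cfheader statuscode="500" statustext="Internal Server Error">
        <cfcontent reset="true" type="text/html">
        <cfoutput>An error occurred.</cfoutput>
    </cffunction>
</cfcomponent>
```

The same rule can be enforced one layer earlier in the IIS or Apache rewrite rules the reply mentions, so that requests for anything other than index.cfm and static assets never reach ColdFusion at all; the Application.cfc check then remains as a backstop for any path the rewrite layer misses.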
From: coldbox@googlegroups.com [mailto:coldbox@googlegroups.com] On Behalf Of Dave Merrill
Sent: Tuesday, 9 November 2010 1:17 AM
To: coldbox@googlegroups.com
Subject: Re: [coldbox:6604] Re: ColdBox allows direct access to cfm files anywhere in your app
@Louis: When I navigate the browser directly to a view cfm, ColdBox doesn't process that request, as you say. In most cases, views contain references to data in rc, which hasn't been set up, so they'll crash. For that reason, it probably won't reveal anything it shouldn't, even though ColdBox and any security interceptor aren't in play.

One possible exception to that is hitting a viewlet directly, since as I understand it (haven't used them) they're self-contained, calling services to get their data themselves; I'm not certain if that would work without ColdBox having run in that request. If it does, your security interceptor won't be in play, so it's possible people might see things they weren't intended to.

@Aaron: What exactly do you keep in your web-servable app directory? Clearly non-cf assets (css/js/img/etc) have to be there, but I did wonder if you could leave only those, plus Application.cfc and index.cfm, and move everything else outside the web root. Haven't tried it, may or may not work at all, but it would be the most secure option. Do you do anything like that?

@Mark: It's not that I don't know various ways to lock things down; I was just identifying the fact that ColdBox apps are open in this way, and where you care about that, you should probably address it. It's not a decision that's mentioned in the docs, far as I know.

@Rus: I see the behavior I described above to Louis when I use the correct url to hit a view page directly. I'm on M6.

Big picture, I'm not trying to be critical of ColdBox, I'm loving it more every day. I wasn't looking for trouble, ran into this question looking at the default Application.cfc code in relation to something else. I'm not saying it's unsolvable with ColdBox as it is today, just pointing out that this is a layer of application design that's not dealt with by the framework, so it's something you should consider when you care about this behavior.

IMO, even if it doesn't reveal anything or allow any unintended actions, it's unprofessional to have urls in your app that you know will crash. It's also odd for ColdBox to process files whose names end in 'index.cfm' ('publicationIndex.cfm' for instance), in any directory, only.

Not trying to be a chicken little, just pointing out what the behavior is, asking