Are we also forgetting that this is entirely driven by conventions?
Are we also forgetting that you can put the files anywhere defined by your
conventions? Trying to guess this will be harder and would result in people
giving up trying to work that out.
Also when it comes to the Application.cfc, you can put your own logic in
here to secure it more. Like don't process anything non-ColdBox and capture
any errors with onError so that things are hidden from the user more. Using
SES more and the IIS / Apache rewrite rules will help even more.
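One way to apply that advice in Application.cfc, as an added example that is not code from this thread or from ColdBox itself: refuse to serve any .cfm other than the front controller and keep error detail out of the response. The ColdBox bootstrap call in onRequestStart is left as a placeholder comment, and the application name is an assumption.

```cfml
// Added example, not from the thread or from ColdBox. Only index.cfm may be
// requested directly; views, layouts and handlers must go through the framework.
component {
    this.name = "myApp";   // assumed application name

    // True only for the framework entry point, e.g. "/index.cfm".
    boolean function isEntryPoint( required string targetPage ) {
        return compareNoCase( listLast( arguments.targetPage, "/" ), "index.cfm" ) == 0;
    }

    boolean function onRequestStart( required string targetPage ) {
        if ( !isEntryPoint( arguments.targetPage ) ) {
            // Answer as if the template did not exist: no stack trace, no path.
            getPageContext().getResponse().setStatus( 404 );
            writeOutput( "Not found" );
            return false;   // returning false stops CF from running the .cfm
        }
        // ... ColdBox bootstrap (load / reload checks / process request) goes here ...
        return true;
    }

    void function onError( required any exception, required string eventName ) {
        // Keep the real message in the server log; give the client nothing useful.
        writeLog( file="application", type="error",
                  text="#arguments.eventName#: #arguments.exception.message#" );
        getPageContext().getResponse().setStatus( 500 );
        writeOutput( "An error occurred." );
    }
}
```

This only guards templates that still sit under the web root; a web-server rewrite rule or moving views and handlers outside the web root (as discussed below) removes the exposure rather than masking it.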
From: firstname.lastname@example.org [mailto:email@example.com] On
Behalf Of Dave Merrill
Sent: Tuesday, 9 November 2010 1:17 AM
Subject: Re: [coldbox:6604] Re: ColdBox allows direct access to cfm files
anywhere in your app
@Louis: When I navigate the browser directly to a view cfm, ColdBox
processes that request, as you say. In most cases, views contain references
to data in rc, which hasn't been set up, so they'll crash.
For that reason, it probably won't reveal anything it shouldn't, even if
ColdBox and any security interceptor aren't in play.
One possible exception to that is hitting a viewlet directly, since as I
understand it (haven't used them) they're self-contained, calling services to
get their data themselves; I'm not certain if that would work without
having run in that request. If it does, your security interceptor won't be in
play, so it's possible people might see things they weren't intended to.
@Aaron: What exactly do you keep in your web-servable app directory?
Clearly non-cf assets (css/js/img/etc) have to be there, but I did wonder if
you could leave only those, plus Application.cfc and index.cfm, and move
everything else outside the web root. Haven't tried it, may or may not
at all, but it would be the most secure option. Do you do anything like
@Mark: It's not that I don't know various ways to lock things down, I was
identifying the fact that ColdBox apps are open in this way, and where you
care about that, you should probably address it. It's not a decision
mentioned in the docs, far as I know.
@Rus: I see the behavior I described above to Louis when I use the correct
url to hit a view page directly. I'm on M6.
Big picture, I'm not trying to be critical of ColdBox, I'm loving it more
day. I wasn't looking for trouble, ran into this question looking at the
Application.cfc code in relation to something else. I'm not saying it's
unsolvable with ColdBox as it is today, just pointing out that this is an
application design that's not dealt with by the framework, so it's
you should consider when you care about this behavior.
IMO, even if it doesn't reveal anything or allow any unintended actions,
unprofessional to have urls in your app that you know will crash. It's
for ColdBox to process files whose names end in 'index.cfm'
('publicationIndex.cfm' for instance), in any directory, only.
Not trying to be a chicken little, just pointing out what the behavior is,