Was the intention behind this page to address preventing people from downloading the Mach-II xml config file through a browser request?
Reason I ask is because I've spent the last couple of hours working with this issue, and could fill the page out with some ideas. However, given my track record for assuming things today, I'm also double-checking gravity before sitting down. It's been one of those Mondays.
So I think Matt was thinking about how file organization can affect security. There are two approaches -- the one you outline with everything off one directory, and the other method where you have a public_html folder which is the webroot and everything else is above webroot and therefore web-inaccessible.
Go ahead and go nuts on an article. The great thing is that the wiki is publicly accessible and editable -- so it can get revised / updated / improved, but none of that can happen until there is something to edit.
So yes, add information to that stub!
Best,
Peter
Matt Osbun said the following on 06/29/2009 02:37 PM:
> Was the intention behind this page to address preventing people from
> downloading the Mach-II xml config file through a browser request?
> Reason I ask is because I've spent the last couple of hours working
> with this issue, and could fill the page out with some ideas. However,
> given my track record for assuming things today, I'm also
> double-checking gravity before sitting down. It's been one of those
> Mondays.
Yep, I think maybe I stubbed that out as a reminder that needed to be addressed. It would be GREAT if you wanted to slap some stuff in there. That would be much appreciated.
The two main approaches are:
* Put the file somewhere that's accessible to your CFML engine but not browsable
* Add .cfm at the end of the file name (mach-ii.xml.cfm) and put <!-- <cfsetting enablecfoutputonly="true" /> --> at the top of the file
But if you have other ideas feel free to share here or put them in the wiki. Thanks! -- Matthew Woodward m...@mattwoodward.com http://www.mattwoodward.com/blog
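The two protections Matt lists above, turned into a deployment check. This is an added example written for this thread, not Mach-II's own code: it classifies a deployed config file as sitting above the webroot (not browsable), as renamed to .xml.cfm with the cfsetting guard at the top, or as exposed. The sample config, the public_html/config layout and the file names are constructed for the example; the assumption that whatever precedes the cfsetting tag is still sent to the client (so the guard must come first) is mine.

```python
"""Check whether a deployed Mach-II config file is downloadable.

Added example, not Mach-II code. The guard is an XML comment, so Mach-II's
XML parser skips it, but the CFML engine still executes the cfsetting tag
inside it and then emits nothing that is outside a cfoutput block.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

GUARD = '<!-- <cfsetting enablecfoutputonly="true" /> -->'
GUARD_RE = re.compile(
    r'<!--\s*<cfsetting\s+enablecfoutputonly\s*=\s*"(?:true|yes)"\s*/?>\s*-->',
    re.IGNORECASE,
)
XML_DECL_RE = re.compile(r'^\s*<\?xml[^>]*\?>\s*')

# Constructed sample: element names follow the Mach-II layout, values are invented.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<mach-ii version="1.8">
  <properties>
    <property name="applicationRoot" value="/app" />
  </properties>
  <event-handlers />
</mach-ii>
"""


def is_under_webroot(config_path, webroot):
    """True if the file lives somewhere inside the browsable tree."""
    cfg = os.path.realpath(config_path)
    root = os.path.realpath(webroot)
    return os.path.commonpath([cfg, root]) == root


def has_cfoutputonly_guard(config_path):
    """True if the file is a .cfm and the guard is the first thing the engine
    meets (only whitespace or the XML declaration may precede it). Assumption:
    content before the cfsetting tag is still output, so a guard lower down
    does not count."""
    if not config_path.lower().endswith(".cfm"):
        return False
    with open(config_path, encoding="utf-8") as fh:
        head = fh.read(4096)
    head = XML_DECL_RE.sub("", head, count=1)
    return GUARD_RE.match(head.lstrip()) is not None


def is_wellformed_xml(config_path):
    """The guard must not break the file for Mach-II's XML parser."""
    try:
        ET.parse(config_path)
        return True
    except ET.ParseError:
        return False


def audit(config_path, webroot):
    """Return 'not-browsable', 'guarded', 'EXPOSED' or 'BROKEN-XML'."""
    if not is_wellformed_xml(config_path):
        return "BROKEN-XML"
    if not is_under_webroot(config_path, webroot):
        return "not-browsable"
    if has_cfoutputonly_guard(config_path):
        return "guarded"
    return "EXPOSED"


def add_guard(xml_text):
    """Insert the guard right after the XML declaration (or at the very top)."""
    m = XML_DECL_RE.match(xml_text)
    cut = m.end() if m else 0
    return xml_text[:cut] + GUARD + "\n" + xml_text[cut:]


def _write(path, text):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Lay out four constructed deployments in a temp dir and audit each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "public_html")
        os.makedirs(os.path.join(webroot, "config"))
        os.makedirs(os.path.join(tmp, "config"))
        # 1. Plain .xml under the webroot: GET /config/mach-ii.xml serves it.
        p = os.path.join(webroot, "config", "mach-ii.xml")
        _write(p, SAMPLE_CONFIG)
        results["exposed"] = audit(p, webroot)
        # 2. Same file above public_html: the engine can read it, the browser cannot.
        p = os.path.join(tmp, "config", "mach-ii.xml")
        _write(p, SAMPLE_CONFIG)
        results["outside"] = audit(p, webroot)
        # 3. Renamed to .xml.cfm with the guard: the request gets an empty body.
        p = os.path.join(webroot, "config", "mach-ii.xml.cfm")
        _write(p, add_guard(SAMPLE_CONFIG))
        results["guarded"] = audit(p, webroot)
        # 4. Renamed but guard forgotten: the engine passes the XML through as text.
        p = os.path.join(webroot, "config", "mach-ii-noguard.xml.cfm")
        _write(p, SAMPLE_CONFIG)
        results["renamed_only"] = audit(p, webroot)
    return results
```

Run `audit(path_to_config, path_to_webroot)` against the real deployment; `demo()` walks the four cases and returns their verdicts. Case 4 is the one worth keeping in mind: renaming alone changes nothing, and the .cfm approach also depends on the web server actually handing .cfm requests to the CFML engine, otherwise the file is served as static text.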
Matthew Woodward wrote:
> Matt Osbun wrote:
>> Was the intention behind this page to address preventing people from
>> downloading the Mach-II xml config file through a browser request?
Peter's answer is more all-encompassing since we do (I believe) have another FAQ about the config file, but if you want to put your experiences concerning that in that article to start, that would be great. -- Matthew Woodward m...@mattwoodward.com http://www.mattwoodward.com/blog