ApplicationFileOrganizationSecurityConcerns on the wiki


Matt Osbun

Jun 29, 2009, 3:37:29 PM6/29/09
to mach-ii-for...@googlegroups.com
While going through the Mach-II doc wiki, I noticed that the following page is blank:

Was the intention behind this page to address preventing people from downloading the Mach-II xml config file through a browser request?

Reason I ask is because I've spent the last couple of hours working with this issue, and could fill the page out with some ideas. However, given my track record for assuming things today, I'm also double-checking gravity before sitting down. It's been one of those Mondays.

Peter J. Farrell

Jun 29, 2009, 3:50:25 PM6/29/09
to mach-ii-for...@googlegroups.com
Yeah, the link title is:

Addressing Application File Organization and Security Concerns?

So I think Matt was thinking about how file organization can affect security.  There are two approaches -- the one you outline with everything off one directory and the other method where you have a public_html folder which is the webroot and everything else is above webroot and therefore web-inaccessible:

|-+ YourApplicationName
  |- config
  |- modules
  |  |- ModuleName
  |  |  |- config
  |- public_html
  |- ... additional folders ...

There is also some information here:
http://greatbiztoolsllc.trac.cvsdude.com/mach-ii/wiki/FAQRecommendedConventions

Go ahead and go nuts on an article.  The great thing is that wiki is publicly accessible and editable -- so it can get revised / updated / improved, but none of that can happen until there is something to edit.  So yes, add information to that stub!

Best,
Peter

Matt Osbun said the following on 06/29/2009 02:37 PM:

Matthew Woodward

Jun 29, 2009, 3:49:26 PM6/29/09
to mach-ii-for...@googlegroups.com
Matt Osbun wrote:
> While going through the Mach-II doc wiki, I noticed that the following
> page is blank:
> http://greatbiztoolsllc.trac.cvsdude.com/mach-ii/wiki/ApplicationFileOrganizationSecurityConcerns
>
> Was the intention behind this page to address preventing people from
> downloading the Mach-II xml config file through a browser request?

Yep, I think maybe I stubbed that out as a reminder that needed to be
addressed. It would be GREAT if you wanted to slap some stuff in there.
That would be much appreciated.

The two main approaches are:

* Put the file somewhere that's accessible to your CFML engine but not
browsable

* Add .cfm at the end of the file name (mach-ii.xml.cfm) and put <!--
<cfsetting enablecfoutputonly="true" /> --> at the top of the file

But if you have other ideas feel free to share here or put them in the
wiki. Thanks!
--
Matthew Woodward
ma...@mattwoodward.com
http://www.mattwoodward.com/blog

Please do not send me proprietary file formats such as Word, PowerPoint,
etc. as attachments.
http://www.gnu.org/philosophy/no-word-attachments.html
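As an added example (not from this thread or the Mach-II project), the layout Peter sketched and the two mitigations Matthew lists can be turned into a deployment check: walk the application tree and flag any XML config file that sits under the webroot (assumed here to be a folder named public_html) unless it has been renamed to .xml.cfm and starts with the cfsetting guard comment. The sample tree it builds in a temp directory is constructed for the demo; the folder names follow Peter's sketch.

```python
"""Audit a Mach-II style application tree for web-exposed XML config files.

Added example, not code from the thread or from Mach-II. A config file counts
as safe if it lives above the webroot, or if it carries a .cfm extension and
its first non-blank line is the cfsetting guard wrapped in a comment.
"""
import tempfile
from pathlib import Path

WEBROOT_NAME = "public_html"  # assumption: webroot folder name from the thread's layout
CFSETTING_GUARD = '<cfsetting enablecfoutputonly="true" />'


def is_web_accessible(path: Path, app_root: Path) -> bool:
    """True if path lies under app_root/public_html (i.e. reachable by URL)."""
    try:
        rel = path.relative_to(app_root)
    except ValueError:
        return False
    return len(rel.parts) > 0 and rel.parts[0] == WEBROOT_NAME


def has_cfsetting_guard(path: Path) -> bool:
    """True if the first non-blank line is a comment carrying the cfsetting guard.

    With enablecfoutputonly="true" the CFML engine suppresses everything that is
    not inside <cfoutput>, so the XML body is never sent to the browser.
    """
    with path.open("r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            stripped = line.strip()
            if not stripped:
                continue
            return stripped.startswith("<!--") and CFSETTING_GUARD in stripped
    return False


def audit(app_root) -> list:
    """Return sorted (relative path, finding) pairs for exposed config files."""
    app_root = Path(app_root)
    findings = []
    for p in app_root.rglob("*"):
        if not p.is_file():
            continue
        name = p.name.lower()
        if not (name.endswith(".xml") or name.endswith(".xml.cfm")):
            continue
        if not is_web_accessible(p, app_root):
            continue  # above the webroot: the first mitigation in the thread
        rel = p.relative_to(app_root).as_posix()
        if name.endswith(".xml"):
            findings.append((rel, "raw XML reachable from the webroot"))
        elif not has_cfsetting_guard(p):
            findings.append((rel, ".xml.cfm without the cfsetting guard"))
    return sorted(findings)


def build_demo_tree(app_root: Path) -> None:
    """Create a small constructed sample tree (sample data, not a real deployment)."""
    guard = "<!-- " + CFSETTING_GUARD + " -->\n"
    body = "<mach-ii>\n  <properties/>\n</mach-ii>\n"
    files = {
        "config/mach-ii.xml": body,                                    # above webroot: fine
        "public_html/index.cfm": "<cfoutput>hello</cfoutput>\n",
        "public_html/config/mach-ii.xml": body,                        # exposed raw XML
        "public_html/config/mach-ii.xml.cfm": guard + body,            # renamed and guarded
        "public_html/modules/ModuleName/config/module.xml.cfm": body,  # renamed, no guard
    }
    for rel, content in files.items():
        target = app_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def run_demo() -> list:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        app_root = Path(tmp) / "YourApplicationName"
        build_demo_tree(app_root)
        return audit(app_root)


if __name__ == "__main__":
    for rel, finding in run_demo():
        print(f"{finding}: {rel}")
```

Run it against a real tree with `audit("/path/to/YourApplicationName")`; anything it reports is a file a browser request could fetch as plain text.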

Matthew Woodward

Jun 29, 2009, 4:06:01 PM6/29/09
to mach-ii-for...@googlegroups.com
Matthew Woodward wrote:

> Matt Osbun wrote:
>> Was the intention behind this page to address preventing people from
>> downloading the Mach-II xml config file through a browser request?

Peter's answer is more all-encompassing since we do (I believe) have
another FAQ about the config file, but if you want to put your
experiences concerning that in that article to start, that would be great.

Matt Osbun

Jun 30, 2009, 9:01:06 AM6/30/09
to mach-ii-for...@googlegroups.com
Got some initial thoughts on the wiki. Could probably use some expanding, but it gets some ideas across, I think.

Matthew Woodward

Jun 30, 2009, 9:17:15 AM6/30/09
to mach-ii-for...@googlegroups.com
Matt Osbun wrote:
> Got some initial thoughts on the wiki. Could probably use some
> expanding, but it gets some ideas across, I think.

Thanks Matt! Greatly appreciated.
