Requesting application.cfm directly


kmeade...@gmail.com

Mar 20, 2016, 10:40:26 PM
to Lucee
Hello,

I'm an old ColdFusion user (1996-2003) who couldn't resist taking a look at Lucee V5.  I'm running 5.0.0.178-BETA on a Windows 7 Home Premium test machine.

I noticed that I can request application.cfm directly in a browser URL and it executes.  That's not supposed to happen, is it?

Also, didn't there used to be a rule that any CFM whose name started with underscore could not be directly requested?  I'm foggy here -- might be thinking of another product.  I know that's how I used to name my include CFM files, back in the day.  As I said I'm an *old* ColdFusion user. :-)

Thanks and good luck.  The product looks great!

KM

Phillip Vector

Mar 20, 2016, 10:46:41 PM
to lu...@googlegroups.com
>I noticed that I can request application.cfm directly in a browser URL and it executes.  That's not supposed to happen, is it?

Yes. It should. Try using .cfc as it should be. :) 

There is no such rule to my knowledge, but I started CF in 2000. Your best bet to prevent people from looking at your files is to put them above webroot (and then index.cfm include them).


Denard Springle

Mar 21, 2016, 2:15:45 PM
to Lucee
Hey KM,

   Welcome back to CFML land! A lot has changed since you've been gone, as you can imagine.

   First, while Application.cfm is still supported for backwards compatibility with older CFML engines, it is no longer the proper implementation for new application development. You should instead now use Application.cfc - see http://www.learncfinaweek.com/week1/Application_cfc/ for more information and a good primer on that. The rest of the site is likewise a good primer overall if you're getting back into CFML. And yes, Application.cfm has always been able to be directly called.

   I've been doing CF since v4, but don't recall there ever being a rule specific to CFML that would prevent files starting with an underscore from being directly accessed. It would be possible to create a rule for this in any modern http server (e.g. Apache, IIS, etc.) that would block a direct request to those files, but I don't seem to remember it ever being part of CFML itself. But I'm old and senile now, so... it's feasible an early version had this capability.

   Again, welcome back and if you get back into CFML in any serious way you might want to consider joining local/online user groups and/or going to one of the conferences (dev.Objective() in MN, CF Summit in Vegas or NCDevCon in Raleigh, NC) this year to catch up on all the new bells and whistles, and gain new techniques such as OOP... and MVC frameworks like FW/1 (framework one) and ColdBox. (google any of that you find interesting lol)

-- Denny

km

Mar 21, 2016, 5:27:07 PM
to Lucee
Thanks for the kind replies.

I was aware of Application.cfc et al. That stuff came into ColdFusion at about the same time I was going out.  (smile)  I've got a bunch of *old* CF apps that I'm trying to revive, just as an experiment and refresher.  So far, I'm impressed with how much of my old CF code works just fine under Lucee 5. I was even able to get the old Access databases hooked up via JDBC / ucanaccess.  That was unexpected!

I started with CF when I got a free copy (of version 1,5) bundled along with the spiffy O'Reilly WebSite server in 1996.  I stayed with it through version 5.  It's cool to see that CFML is still alive and well.

KM

Hanswurst Globobrüll

Mar 25, 2016, 9:40:41 AM
to Lucee
Hi Dudes

Just for information, this is what I get when I try to call application.cfm on a ColdFusion 8 Server directly in the URL by http://....../application.cfm
Seems KM is absolutely right, although I never thought about that in particular until today ;-)

Invalid request of Application.cfm, Application.cfc, or OnRequestEnd.cfm file.

You have requested a page with the name application.cfm. This file name is reserved by the ColdFusion engine for the specification of application level settings; as a result, it cannot be directly requested from a web client.

If you are creating a template that is intended for direct access by end users, use a name other than Application.cfm or OnRequestEnd.cfm.


best regards from florida
raffael meier

Bilal

Mar 26, 2016, 9:49:56 AM
to Lucee
You should be able to block access to a file via your webserver.
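
A web-server rule of the kind suggested in the replies above, as an added example that is not part of any post in this thread. It assumes Apache httpd 2.4 as the front end to Lucee; the reserved names are the ones listed in the ColdFusion 8 error message quoted earlier, and the underscore rule is an optional convention, not engine behaviour.

```apache
# Added example: Apache httpd 2.4 in front of Lucee (assumed setup).
# Deny direct requests for the reserved templates named in the
# ColdFusion 8 error message quoted above. LocationMatch tests the URL
# path, so it also applies when requests are proxied to the servlet
# container and never map to a file on the Apache side.
<LocationMatch "(?i)/(application\.cf[cm]|onrequestend\.cfm)(/|;|$)">
    # (?i) matches any casing (application.cfm, Application.cfm, ...)
    # (/|;|$) also covers trailing path info and ;path-parameters
    Require all denied
</LocationMatch>

# Optional: enforce the underscore naming convention for include-only
# templates described in the first post, at the web server.
<LocationMatch "(?i)/_[^/]*\.cfm(/|;|$)">
    Require all denied
</LocationMatch>
```

Templates pulled in with cfinclude, and the engine's own loading of Application.cfm, are not HTTP requests and are unaffected by these rules.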