How to protect config xml files


steve82

Nov 4, 2009, 4:42:48 AM
to model-glue
Hi,

I am new to the Model-Glue framework, but I already find it very cool.
One question that came to my mind: how can one prevent a user from
accessing my ColdSpring.xml and ModelGlue.xml files by simply typing
www.pathtomyapp/config/ModelGlue.xml in his browser? I don't want them
to be able to read all this configuration info. I read some other posts
here that said one could move the entire application out of the web
root folder and create a mapping to that place. But how would one do
that exactly? That suggestion sounds nice to me, but I wasn't able to
get it up and running.

Many thanks for your help and thoughts on this issue.

Steve

Salvatore FUSTO

Nov 5, 2009, 2:54:07 AM
to model...@googlegroups.com
There is another simple method, useful if you don't have the chance to set
mappings on your server:

Rename the files cs.xml and mg.xml as cs.xml.cfm and mg.xml.cfm.
In your cs.xml.cfm, change the line
<property name="configurationPath"><value>config/ModelGlue.xml</value></property>
to
<property name="configurationPath"><value>config/ModelGlue.xml.cfm</value></property>
In your index.cfm, change the line
<cfset ModelGlue_LOCAL_COLDSPRING_PATH = expandPath(".") & "/config/ColdSpring.xml" />
to
<cfset ModelGlue_LOCAL_COLDSPRING_PATH = expandPath(".") & "/config/ColdSpring.xml.cfm" />

Finally, add an Application.cfm to your config folder containing a simple
<cfabort>
This way, when someone tries to view the XML file, a blank page is displayed.

bye


Doug Boude

Nov 5, 2009, 5:21:46 AM
to model...@googlegroups.com
One quick, easy solution is to simply add the ".cfm" extension to your XML files (as in, coldspring.xml.cfm). CF can still use and access the files just fine (make sure you modify the relevant paths where the XML files are referred to), but when you attempt to get at them directly in a browser you can't see their contents. All the cool kids are doing it. :)

Charlie Griefer

Nov 5, 2009, 8:57:25 AM
to model...@googlegroups.com
In addition to what's already been suggested, you can also do it at a web-server level.  For example, you can configure Apache to give somebody herpes if they try to directly access a specific browser.  Yes, it's undocumented but one of the many reasons why Apache > IIS.

Quick overview at http://charlie.griefer.com/blog/index.cfm/2009/7/22/Securing-Your-XML-Config-Files (not-so-shameless plug).

As far as your question about moving the entire app out of the web root... you state that you "weren't able to get it up and running", but don't state the steps you took.  Easier to help troubleshoot if you do.  I'm not quite sure about moving the entire application out of the webroot.  I think you'd want to move any files that shouldn't be web-accessible (essentially anything except view files).  Then create a mapping (either via the CF Admin or in Application.cfc if you're on CF8+ and can do per-application mappings).
 
--
Charlie Griefer
http://charlie.griefer.com/

I have failed as much as I have succeeded. But I love my life. I love my wife. And I wish you my kind of success.

steve82

Nov 5, 2009, 8:58:05 AM
to model-glue
Hi all,

I like your idea of simply adding the .cfm file extension to prevent
my config files from being displayed in the client's browser. Sounds
good to me; I will definitely give it a try as soon as possible.
Nevertheless, how would one accomplish the same goal by moving the
config files out of the web root and creating a mapping to this new
place? I'm just curious to know ;o)

Thank you very much for your help so far.

Steve


Rich

Nov 5, 2009, 9:36:42 AM
to model...@googlegroups.com
Charlie-

... for those of us out west who were reading this with one eye open, I
have to say that Apache has come a long way with its virus
administration code. I darn near had coffee shoot out my nose when I
read your response, thanks for starting my morning with a chuckle. :-)

Rich
--

Rich Leach

Advanced Certified Adobe ColdFusion MX Developer

ri...@cfsnap.com

http://www.cfsnap.com (New & Improved!)

303-913-7338


Charlie Griefer

Nov 5, 2009, 10:45:42 AM
to model...@googlegroups.com
Rich -

I'm on the west coast too, so that was typed with one eye open.  I meant "you can configure Apache to give somebody herpes if they try to directly access a specific _file_".  Not browser.  Dammit :P

Ezra Parker

Nov 5, 2009, 3:43:42 PM
to model...@googlegroups.com
@Steve, I would second Charlie's comment regarding troubleshooting
your particular environment -- the more information you can supply
regarding your specific setup and what you attempted to do, the more
likely that someone can help you to get it working.

That said, if you want an example of how you can set up an MG site
with as little as possible in the webroot, give this a shot:

1. Create a new MG site from the application template, placing it
within the default webroot of your web server so you can browse to it
at http://{server name}/{site name}/ -- for example, I named my test
site "MG3Test", and can hit it at http://localhost/MG3Test/

2. Create a "webroot" directory directly under the site directory.

3. Move the "css" directory and the following files into the "webroot"
directory:

Application.cfc
index.cfm
RemotingService.cfc

4. Delete the remaining "loose" files at the root level of the site.
At this point, your top-level directory structure should look like
this:

config
controller
helpers
model
views
webroot

5. In webroot/index.cfm, uncomment the following line (line 17 in my
copy of the app template):

<cfset ModelGlue_LOCAL_COLDSPRING_PATH = expandPath(".") &
"/config/ColdSpring.xml" />

and change it to:

<cfset ModelGlue_LOCAL_COLDSPRING_PATH = expandPath("..") &
"/config/ColdSpring.xml" />

(The argument to the expandPath function changes from "." to "..")

6. In config/ColdSpring.xml, make the following two alterations:

Change this (line 24):

<property name="configurationPath"><value>config/ModelGlue.xml</value></property>

to this:

<property name="configurationPath"><value>../config/ModelGlue.xml</value></property>

and this (line 41):

<property name="scaffoldPath"><value>config/scaffolds/Scaffolds.xml</value></property>

to this:

<property name="scaffoldPath"><value>../config/scaffolds/Scaffolds.xml</value></property>

7. If you're going to be using remoting, change the following line in
webroot/RemotingService.cfc (line 6) from this:

<cfset template = "/{site name}/index.cfm" />

to this:

<cfset template = "/{site name}/webroot/index.cfm" />

(For my site, this would be: <cfset template = "/MG3Test/webroot/index.cfm" />)

At this point, you should be able to browse the site at http://{server
name}/{site name}/webroot/ -- for example, my URL is now
http://localhost/MG3Test/webroot/ -- and the config files,
controllers, views, etc. are all above the webroot directory.

You can then define a virtual host/site on your web server that points
to the {site name}/webroot directory. In order to avoid the need to
make any further changes to the CS config and file paths, you will
need a mapping for the site's root directory.

If you're on CF 8+ you can set up an application-specific mapping by
adding a line like this to the pseudo-constructor area of your
Application.cfc (in other words, outside of any functions):

<cfset this.mappings["/MG3Test"] = expandPath("..") />

And as a final note, when deploying something like this in production
make sure that you *do not* place the site under your web server's
default webroot (if enabled), or the config files will still be web
accessible at a URL like: http://{server IP}/{site
name}/config/ColdSpring.xml

Please let me know if you have any further questions about this technique.

--
Ezra Parker

steve82

Nov 6, 2009, 7:14:55 AM
to model-glue
Hi everybody,

I finally had the chance to test your idea of renaming the
configuration files, and it works perfectly for me! I renamed the *.xml
files to *.xml.cfm and changed the appropriate paths. Then I created
an Application.cfm in the config folder with a simple <cfabort>. A quick
look in my browser showed that it worked for ColdSpring.xml but not
for ModelGlue.xml; that one gave me the CF exception "Attribute
validation error for tag CFERROR". This was due to a comment in the
ModelGlue.xml file that reads something like this:

<!-- An error event to show when an error occurs, much like <cferror>. -->

I simply removed the <cferror> tag from the comment so that CF does not
try to interpret it, and voila...!

What I've learned so far perfectly fits my needs, and I like that the
renaming strategy is so simple. Thank you all very much.

@Ezra, I will test your idea too in the next few days.

--
Steve

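A check to run after applying either fix discussed above (the .xml.cfm rename plus the <cfabort> Application.cfm from Salvatore's post, or Ezra's relocation of everything except webroot/). This is example code written for this thread, not Model-Glue or ColdSpring code. It fetches the config paths named in the thread from a base URL and flags a 200 whose body contains ColdSpring/Model-Glue markup as a leak. The renamed .xml.cfm names are probed too, because a CFML template passes non-CFML text straight through to the response, so the rename alone does not hide the file; only the abort in config/Application.cfm does, and that runs only once the requested template has compiled, which is why Steve saw the <cferror> error. A 5xx response is flagged as well, since a CFML compile error page can, with robust exception information enabled in the CF Administrator, quote the file path and the offending source line. The base URL, the lowercase path variant, the marker regex and the fake responses are constructed for the demo.

```python
"""Probe a Model-Glue site for web-readable config files (added example)."""
from __future__ import annotations

import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Paths a visitor could type into the address bar. The first five come from the
# thread; the lowercase variant is an assumption (a Windows host serves it too).
CANDIDATE_PATHS = (
    "config/ColdSpring.xml",
    "config/ModelGlue.xml",
    "config/scaffolds/Scaffolds.xml",
    "config/ColdSpring.xml.cfm",   # renamed files must not render either
    "config/ModelGlue.xml.cfm",
    "config/coldspring.xml",       # assumed case variant
)

# Tells real config content apart from a blank page or a generic error page.
XML_MARKERS = re.compile(r"<\?xml|<beans\b|<bean\b|<modelglue\b|<property\b", re.I)

Fetcher = Callable[[str], Tuple[int, str]]


@dataclass(frozen=True)
class Finding:
    path: str
    status: int
    verdict: str  # "leak", "error-page" or "ok"


def http_fetch(url: str) -> Tuple[int, str]:
    """Real fetcher: (status, first 64 KiB of body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "mg-config-probe"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """200 with config markup is a leak; a 5xx (e.g. a CFML compile error on an
    .xml.cfm file) is flagged because the error page may quote the source."""
    if status == 200 and XML_MARKERS.search(body):
        return "leak"
    if status >= 500:
        return "error-page"
    return "ok"  # 403/404, or the blank 200 that <cfabort> produces


def probe(base_url: str, fetch: Fetcher = http_fetch,
          paths: Iterable[str] = CANDIDATE_PATHS) -> List[Finding]:
    base = base_url.rstrip("/") + "/"
    findings = []
    for path in paths:
        status, body = fetch(base + path)
        findings.append(Finding(path, status, classify(status, body)))
    return findings


def exposed(findings: Iterable[Finding]) -> List[Finding]:
    return [f for f in findings if f.verdict != "ok"]


# Constructed responses standing in for a half-hardened server (not real captures).
FAKE_RESPONSES = {
    "config/ColdSpring.xml": (200, '<?xml version="1.0"?><beans><bean id="x"/></beans>'),
    "config/ModelGlue.xml": (404, "<html>Not Found</html>"),
    "config/scaffolds/Scaffolds.xml": (403, "Forbidden"),
    "config/ColdSpring.xml.cfm": (200, ""),  # config/Application.cfm <cfabort> worked
    "config/ModelGlue.xml.cfm": (500, "Attribute validation error for tag CFERROR"),
    "config/coldspring.xml": (200, '<?xml version="1.0"?><beans/>'),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    path = url.split("/", 3)[3]  # strip "http://host/" (assumes that shape)
    return FAKE_RESPONSES.get(path, (404, ""))


def demo() -> List[Finding]:
    """Run the probe offline against the constructed responses."""
    return probe("http://localhost/", fetch=fake_fetch)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = probe(target) if target else demo()
    for f in results:
        print(f"{f.verdict:10} {f.status} {f.path}")
    sys.exit(1 if exposed(results) else 0)
```

Run it with no argument for the offline demo, or with the site's base URL (for Ezra's layout that is the virtual host root, e.g. http://localhost/MG3Test/webroot/) to test a real deployment; a non-zero exit means at least one path is still readable or errors out. On a relocated site every path should come back 404, since config/ no longer exists under the served directory, unless the site also sits under the server's default webroot, the case Ezra warns about.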