talideon.com


CF Tricks: preventing pages you don’t want executed directly from being executed
June 16, 2006 at 10:09PM

Here’s a question for you: do you have any .cfm pages in your applications that, if a user were to execute them directly, could pose a security risk?

You might send all requests to one central dispatcher, which in turn checks the user’s credentials and, if they check out, includes some page that might change a password, an email address, &c.

But what if somebody were to execute that page directly, by GETing or POSTing it and so bypassing the dispatcher and its security code? Though it might appear unlikely that somebody would go to all that trouble, the security hole still exists.

So how do you patch it? Pretty simple really. Take a look at the following code:

<cfif GetCurrentTemplatePath() eq GetBaseTemplatePath()><cfabort></cfif>

By comparing these two, you can check whether the page the code is in is being executed directly by a user. I tend to plonk this at the top of any ColdFusion pages in my applications that might change the application’s state in some significant way. In my weblog’s code, examples of such pages are the files which write comments and new entries to the DB and update existing comments. Each of those pages starts with that line of code, and so they can only be executed through other pages.
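As an added illustration (not code from the original post), here is the dispatcher-plus-action layout described above with the guard placed inline in the action page, and a note on why the guard cannot be moved into a shared include. The file names, the `url.action` parameter, the `session.userId` key and the `app` datasource are all hypothetical.

```cfml
<!--- index.cfm (hypothetical): the single dispatcher every request goes through.
      It authenticates, then cfincludes the page that does the real work. --->
<cfparam name="url.action" default="">
<cfif NOT StructKeyExists(session, "userId")>
    <cfabort showError="Not logged in">
</cfif>
<cfswitch expression="#url.action#">
    <cfcase value="changeEmail">
        <cfinclude template="actions/change_email.cfm">
    </cfcase>
    <cfdefaultcase>
        <cfoutput>Unknown action</cfoutput>
    </cfdefaultcase>
</cfswitch>

<!--- actions/change_email.cfm (hypothetical): changes state, so it must only
      ever run via cfinclude from index.cfm, never by a direct request.
      Requested directly : GetBaseTemplatePath() is this file, the two paths
                           match, and the page stops before touching the DB.
      Included from index : GetBaseTemplatePath() is index.cfm, the paths
                           differ, and execution continues. --->
<cfif GetCurrentTemplatePath() eq GetBaseTemplatePath()><cfabort></cfif>
<cfparam name="form.email" default="">
<cfquery datasource="app">
    UPDATE users
    SET email = <cfqueryparam value="#form.email#" cfsqltype="cf_sql_varchar">
    WHERE id = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- guard.cfm (hypothetical): DOES NOT WORK as a shared include.
      If an action page did <cfinclude template="guard.cfm"> instead of
      carrying the line itself, then inside guard.cfm GetCurrentTemplatePath()
      is guard.cfm, which never equals the base template unless guard.cfm
      itself is requested directly. A direct request for the action page
      therefore passes the check silently, so keep the guard inline. --->
<cfif GetCurrentTemplatePath() eq GetBaseTemplatePath()><cfabort></cfif>
```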
