June 16, 2006 at 10:09PM CF Tricks: preventing pages you don’t want executed directly from being executed
Here’s a question for you: do you have any .cfm pages in your applications that, if a user were to execute them directly, could pose a security risk?
You might send all requests to one central dispatcher, which might in turn check the credentials of the user, and if they check out, include some page that might change a password, an email address, &c.
But what if somebody were to execute that page directly, bypassing the dispatcher and therefore its security checks, simply by GETing or POSTing to the page’s own URL? It takes no special effort: anyone who knows or guesses the filename can request it, so the hole is real whether or not it looks likely to be exploited.
So how do you patch it? Pretty simple really. Take a look at the following code:
<cfif GetCurrentTemplatePath() eq GetBaseTemplatePath()><cfabort></cfif>
GetBaseTemplatePath() returns the path of the template the web server was asked for, and GetCurrentTemplatePath() returns the path of the template that is executing right now, so the two are equal only when the file containing this line was requested directly rather than included from another template. I tend to plonk this at the top of any ColdFusion pages in my applications that might change the application’s state in some significant way. In my weblog’s code, examples of such pages are the files which write comments and new entries to the DB and the one that updates existing comments. Each of those pages starts with that line of code, and so they can only be executed through other pages.
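As an added illustration of the pattern (this is example code written for this page, not the weblog’s own source), here is a hypothetical dispatcher index.cfm together with one action template, actions/update_email.cfm. The file names, the session.userID variable (assumed to be set at login, with session management enabled in Application.cfm), the "blog" datasource and the users table are all assumptions. The guard line from the post is used unchanged, but it is followed by a cfheader so a direct request gets a 403 instead of a blank 200 page, and the dispatcher only includes templates from a fixed list so that the action parameter cannot be turned into an arbitrary path.

```cfml
<!--- index.cfm: the single entry point. Example code for this page, not the post's own.
      Assumed: session.userID is set at login and the "blog" datasource exists. --->
<cfparam name="url.action" default="">

<!--- Every state-changing action requires a logged-in user. --->
<cfif NOT StructKeyExists(session, "userID")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Fixed map of action names to templates. Never build the include path
      from user input directly, or the dispatcher itself becomes the hole. --->
<cfset allowedActions = StructNew()>
<cfset allowedActions["updateEmail"] = "actions/update_email.cfm">
<cfset allowedActions["changePassword"] = "actions/change_password.cfm">

<cfif StructKeyExists(allowedActions, url.action)>
    <cfinclude template="#allowedActions[url.action]#">
<cfelse>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>


<!--- actions/update_email.cfm: only valid when included by the dispatcher above. --->
<cfif GetCurrentTemplatePath() eq GetBaseTemplatePath()>
    <!--- This file is the base template of the request, i.e. it was hit directly
          and the dispatcher's session check never ran. Refuse with a real status. --->
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Reaching this point means the dispatcher included us, so session.userID exists. --->
<cfparam name="form.email" default="">
<cfif NOT IsValid("email", form.email)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- Parameterised query: the value never becomes part of the SQL text. --->
<cfquery datasource="blog">
    UPDATE users
       SET email = <cfqueryparam value="#form.email#" cfsqltype="cf_sql_varchar">
     WHERE id = <cfqueryparam value="#session.userID#" cfsqltype="cf_sql_integer">
</cfquery>
<cfoutput><p>Email address updated.</p></cfoutput>
```

Two caveats are worth keeping in mind. First, the guard only proves that some template included this one; it is the dispatcher’s own checks that actually authorise the request, so the guard and the dispatcher have to be maintained together. Second, the protection depends on every action template remembering to carry the line. A belt-and-braces alternative is to keep the action templates outside the web root and reach them through a ColdFusion mapping, or to deny the actions/ directory at the web server, so that a direct request can never reach the file in the first place.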