ColdFusion TIPS PLUS
Issue 00103 http://www.cftipsplus.com
I. My Comments
II. ColdFusion In Context: Fake Object Not Found
By R. Martin Ladner
martin.ladner@knology.net
See our sponsors at the bottom of this e-mail.
I. Comments:
If you have a ColdFusion job in your neck of the woods, let me know. I have several people looking for jobs, and most do not mind moving.
Keep Coding,
Nathan Stanford
http://www.cftipsplus.com
If you have suggestions for articles send them to us.
If you would like to write for cftipsplus.com
send us an email to:
admin@cftipsplus.com
IF YOU WANT TO BE AN AUTHOR SEND IN YOUR COLDFUSION TIPS.
Remember this is a great way to get your name known in the
ColdFusion Community.
II. ColdFusion in Context: Fake Object Not Found
By R. Martin Ladner
martin.ladner@knology.net
Suppose you don't want most of the files in a given directory to be browsed directly but don't want to make it obvious to filename-guessers that you've blocked access. Here's a way.
Review It
You'll use Application.cfm to permit only certain pages to be browsed and to include a copy of ColdFusion's standard "object not found" message when others are browsed.
Build It
Create a directory; call it work. That's where you'll put the files for this demonstration.
Within that directory, create Application.cfm to protect it. In Application.cfm, start by suppressing stray white space with the cfsetting tag. (Sometimes this isn't necessary, but we're being conservative here.) Make a list of the files that it's OK to browse; for our purposes, ok1.cfm and ok2.cfm are the ones you want. Then get the name of the file being browsed. Don't base this check on cgi.http_referer: that variable is typically empty when a user types the page name directly into the address bar (which is precisely the behavior you're usually worried about), and in any case it is supplied by the client, so it can be forged. Instead, call getBaseTemplatePath to get the full path of the template that was requested (not getCurrentTemplatePath, which would return Application.cfm itself), and pass that to getFileFromPath to extract just the filename. Use listFindNoCase to look for that filename in your list; if it isn't found, the function returns zero. When it returns zero, include notfound.cfm. After the cfif, turn cfsetting back off for the good path only; the bad path never reaches that line, because notfound.cfm turns it off itself and then aborts the request.
<!--- Suppress output outside cfoutput so the fake page is not padded --->
<cfsetting enablecfoutputonly="yes">
<!--- getBaseTemplatePath: the requested template (not Application.cfm);
      getFileFromPath: its filename; listFindNoCase: 0 if not on the list --->
<cfif not listFindNoCase("ok1.cfm,ok2.cfm",getFileFromPath(getBaseTemplatePath()))>
<!--- notfound.cfm prints the fake message and aborts the request --->
<cfinclude template="notfound.cfm">
</cfif>
<cfsetting enablecfoutputonly="no">
Create two "good" files, ok1.cfm and ok2.cfm. They can contain the following text:
This page is OK to browse.
Create two "bad" files, notok1.cfm and notok2.cfm. They can contain the following text:
This page should not be browsed.
To create notfound.cfm, you can use the standard text below as your starting point. It contains just about every closing HTML tag a person might think of, because that is what ColdFusion's real error page does. However, the important tags are the first and last: cfsetting and cfabort. These tags are not in the "real" message but are necessary. Without the first tag, the page will appear empty, because Application.cfm turned output off. Without the last tag, the page you don't want browsed will be executed and appear right after the message, and that's not what you want. (Neither tag appears when you view source, so they don't hurt the illusion.)
<cfsetting enablecfoutputonly="no"></TD>
</TD></TD></TH></TH>
</TH></TR></TR></TR></TABLE>
</TABLE></TABLE></A></ABBREV>
</ACRONYM></ADDRESS></APPLET>
</AU></B></BANNER></BIG>
</BLINK></BLOCKQUOTE></BQ></CAPTION>
</CENTER></CITE></CODE></COMMENT>
</DEL></DFN></DIR></DIV></DL>
</EM></FIG></FN></FONT></FORM>
</FRAME></FRAMESET></H1></H2>
</H3></H4></H5></H6></HEAD>
</I></INS></KBD></LISTING>
</MAP></MARQUEE></MENU></MULTICOL>
</NOBR></NOFRAMES></NOSCRIPT></NOTE>
</OL></P></PARAM></PERSON>
</PLAINTEXT></PRE></Q></S>
</SAMP></SCRIPT></SELECT></SMALL>
</STRIKE></STRONG></SUB></SUP>
</TABLE></TD></TEXTAREA></TH>
</TITLE></TR></TT></U></UL>
</VAR></WBR></XMP><HTML>
<HEAD><TITLE>
Error Occurred While Processing Request</TITLE>
</HEAD><BODY><HR><H3>
Error Occurred While Processing Request</H3>
<P> <TABLE BORDER><TR><TD>
<H4>Error Diagnostic Information</H4><P>
An error has occurred.<P> <B><H3>
HTTP/1.0 404 Object Not Found</B></H3>
<P></TD></TR></TABLE>
<P><HR>
</BODY></HTML><cfabort>
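Here, as an added example rather than the newsletter's own code, is a variant of the Application.cfm above that also sends a genuine 404 status line with the fake page, so that the response matches in status as well as in body. It assumes notfound.cfm is the file built above (it ends in cfabort, so nothing after the cfinclude runs) and uses the same two-file allow-list.

```cfml
<!---
  Application.cfm (added example, not from the original tip).
  Same allow-list idea as the tip, with one addition: the fake
  "object not found" page is sent with a real HTTP 404 status via
  cfheader. notfound.cfm is assumed to be the captured error page
  described above, which turns output back on and then aborts.
--->
<cfsetting enablecfoutputonly="yes">

<!--- Files that may be requested directly. Every other .cfm request
      in this directory (and in any subdirectory that has no
      Application.cfm of its own) gets the fake 404. --->
<cfset allowedFiles = "ok1.cfm,ok2.cfm">

<!--- The requested template, taken from getBaseTemplatePath, not from
      cgi.http_referer: the referer is client-supplied, forgeable, and
      empty for a URL typed into the address bar. --->
<cfset requestedFile = getFileFromPath(getBaseTemplatePath())>

<cfif not listFindNoCase(allowedFiles, requestedFile)>
    <!--- cfheader must come before any output. Without it the response
          would carry status 200 with a body that merely says 404, which
          any client that checks the status line can tell apart. --->
    <cfheader statuscode="404" statustext="Not Found">
    <cfinclude template="notfound.cfm">
    <!--- Reached only if notfound.cfm has lost its cfabort; never let
          the blocked template run. --->
    <cfabort>
</cfif>

<cfsetting enablecfoutputonly="no">
```

The cfheader line is the only change to the control flow; the body of the fake page is still whatever you captured into notfound.cfm, so the "indistinguishable" goal of the tip is kept while the status line stops contradicting it.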
Try It
Assuming you placed all these pages in the directory you want to protect, browse ok1.cfm, ok2.cfm, notok1.cfm, and notok2.cfm. Also try browsing a non-existent ColdFusion page: notok3.cfm. (You must request a .cfm page; anything else is served by the Web server itself and never reaches ColdFusion, so the message will be entirely different.) Review the results: the two ok pages should show their own text, and notok1.cfm, notok2.cfm, and notok3.cfm should all look the same at first glance.
Now fine-tune your message. On your server, browse a non-existent filename ending in .cfm (it must end in .cfm for this to work), copy the source into notfound.cfm, and add the cfsetting and cfabort tags to the result. Because the sample in this tip was formatted to make it easier to read, it wasn't wrapped the same way as the real thing, and the difference was visible when viewing source. Using the real source will make this message indistinguishable from the real thing. (The ColdFusion tags won't show.)
In some environments (particularly when browsing via 127.0.0.1), the Web server answers a request for a file that really doesn't exist with its own error page instead of passing it to ColdFusion, so the real and the fake message will differ there. Two more caveats before you rely on this. First, the fake page is sent with an HTTP 200 status, because nothing in Application.cfm or notfound.cfm changes it; the body looks like a 404, but a tool that compares status codes rather than page text will tell the two apart. Adding <cfheader statuscode="404" statustext="Not Found"> before the cfinclude fixes that. Second, this is an allow-list on direct requests that ColdFusion handles, not an access control on the files themselves: an allowed page can still cfinclude a blocked one (which is usually what you want), and non-.cfm files in the directory are not covered at all. Within those limits the technique usually works and doesn't hurt: blocking direct browsing with a fake "object not found" message.
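To see what a client that checks status codes sees, here is a probe page, added as an example and not part of the original tip. It fetches each test URL with cfhttp and reports the status line next to a check of whether the body claims a 404. The base URL is a placeholder for your own server, and probe.cfm must live outside the protected directory (or be added to the allow-list), because the Application.cfm above would otherwise block it as well.

```cfml
<!--- probe.cfm (added example, not from the original tip). Requests each
      test page and shows the HTTP status line beside a check of the body.
      baseUrl is a placeholder; point it at the directory you protected. --->
<cfset baseUrl = "http://127.0.0.1/work/">
<cfset pages = "ok1.cfm,ok2.cfm,notok1.cfm,notok2.cfm,notok3.cfm">

<cfoutput><pre>
<cfloop list="#pages#" index="page">
    <!--- throwonerror="no": a 404 must not raise an exception here;
          the point is to read the status line. --->
    <cfhttp url="#baseUrl##page#" method="GET" resolveurl="no" throwonerror="no">
    <!--- cfhttp.statusCode holds the status line, e.g. "200 OK" or
          "404 Not Found"; cfhttp.fileContent holds the body. --->
    <cfset bodyClaims404 = findNoCase("404 Object Not Found", cfhttp.fileContent) GT 0>
#page#: status=[#cfhttp.statusCode#] body claims 404: #yesNoFormat(bodyClaims404)#
</cfloop>
</pre></cfoutput>
```

With Application.cfm exactly as given in the tip, notok1.cfm and notok2.cfm report a status of 200 with a body that says 404, while ok1.cfm reports 200 and no 404 text; that mismatch is what gives the trick away, and setting the status with cfheader statuscode="404" before the cfinclude removes it. notok3.cfm shows whatever your Web server does for a file that really is missing, which is the case the paragraph above warns about.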
=Marty=
SPONSOR ADS:
This e-mail is sponsored by the following ads.
Sponsored Ad
Books For Sale
http://nsnd.vstorelibrary.com/
Advanced, Intensive ColdFusion Training! Visit this site. If you have plans to get training, here is a company
that provides Advanced, Intensive ColdFusion Training. Check them out.
http://www.coldfusiontraining.com/index.cfm?ref=cftipsplus
Sponsored Ad
Publisher and Creator:
Nathan Stanford,
admin@cftipsplus.com
http://www.cftipsplus.com
Macromedia and ColdFusion are U.S. registered trademarks.
Copyright (c) 2000 - 2002 C.F. Concepts, Inc.
CFTIPSPLUS.COM and NSND.COM
Permission is granted to circulate this publication via
MANUAL forwarding by email to friends provided that the text is
forwarded in its entirety and no fee is charged.