I agree with this. However, if a decent host isn't possible for some
reason, an alternative is to do what Ray Camden now does with BlogCFC
and other apps.

1) Give the XML config file a .cfm extension so it becomes
config.xml.cfm or whatever
2) In the folder in which the XML file sits, use an Application.cfm
that contains this:

<cfif listlast(cgi.script_name, "/") is "config.xml.cfm">
        <cfabort>
</cfif>

This means that when you read the file with XMLParse() all is ok but
anyone browsing directly to the file sees nothing because the request
is aborted.

The only thing I would personally do differently than Ray is to use
GetFileFromPath(cgi.script_name) instead of listlast(cgi.script_name,
"/") but it's the same thing.

On 8/26/06, Dave Carabetta <[EMAIL PROTECTED]> wrote:
> On 8/25/06, Will Tomlinson <[EMAIL PROTECTED]> wrote:
> > Right now my config.xml file resides where it can be browsed and read
> > easily. Ray C. helped me a while back on how to secure it. One of the
> > options is to place outside the root and read it. This needs to work with a
> > shared host so that's not a good option. Another was to set up a
> > defaults.cfm file with the xml commented out. Then you read the file,
> > taking out the comments. If someone browses to the file, they'd see nothing.
> >
>
> I'm not sure why being on a shared host eliminates placing it outside
> of the web root. My personal site is on a shared host, and I have
> access to directories that are within my account, but outside of the
> web root. Further, you could set up a directory outside of your web
> root and ask your host to set up a mapping. If they won't let you do
> this, then it's time to switch to HostMySite.com, who is unbelievably
> accommodating when it comes to this sort of stuff.
>
> Regards,
> Dave.
>
> 
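
The two halves of the approach described in this message, as an added example that is not code from the thread or from BlogCFC: the Application.cfm guard written with GetFileFromPath(), and the server-side read with XMLParse(). The file name loadConfig.cfm, the /config/ path, the variable names, the 404 response and the extension of the guard to every *.xml.cfm file in the folder are assumptions made for the example.

```cfml
<!--- File 1: Application.cfm, placed in the same folder as config.xml.cfm --->
<!--- GetFileFromPath() returns the last segment of the requested script path --->
<cfset requestedFile = GetFileFromPath(cgi.script_name)>

<!--- Block direct browser requests for any *.xml.cfm file in this folder,
      not only config.xml.cfm (generalisation added for this example).
      REFindNoCase() makes the match case-insensitive. --->
<cfif REFindNoCase("\.xml\.cfm$", requestedFile)>
    <!--- Answer 404 instead of an empty page (a choice made for this example) --->
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>


<!--- File 2: loadConfig.cfm (hypothetical name), included by the application's own code --->
<!--- The path below is an assumption; point it at the folder holding the config file --->
<cfset configPath = ExpandPath("/config/config.xml.cfm")>

<!--- Read straight from disk. No HTTP request is made for config.xml.cfm,
      so the guard in Application.cfm never runs for this read. --->
<cffile action="read" file="#configPath#" variable="rawConfig">

<!--- The file content is still plain XML despite the .cfm extension --->
<cfset appConfig = XMLParse(rawConfig)>
```

The guard only protects the file while this Application.cfm is deployed in that folder; if it is missing, a direct request returns the XML.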
