>> I haven't mentioned this before because I do believe that filtering
>> request URLs is the wrong approach
>
> Care to elaborate on this?

Denstar, dig out your neo-security.xml file.  In my Windows CF8 standalone 
install it is located in C:\ColdFusion8\lib\neo-security.xml

Look at the following section:

   <var name="CrossSiteScriptPatterns">
    <struct type="coldfusion.server.ConfigMap">
     <var name="&lt;\s*(object|embed|script|applet|meta)">
       <string>&lt;InvalidTag</string>
     </var>
    </struct>
   </var>

When you check the "Enable Global Script Protection" check box on the 
Settings page of ColdFusion Administrator, requests are filtered if anything 
in the Form, URL, CGI, or Cookie scope matches this regex: 
"<\s*(object|embed|script|applet|meta)"

What Jochem is saying, is to add to that regex to filter for whatever else 
you want and enable that setting.

While I agree with Jochem that request filtering is NOT the appropriate way 
to secure your application, this is a rather slick approach.

Also note, this is NOT rewriting.  It is not happening at the network 
level, nor is it happening at the web server level (Apache, IIS).  The 
requests are filtered when they reach ColdFusion.

~Brad 
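The following is an added Python model of the filter described in Brad's message, not ColdFusion's own code and not something posted in the thread. It applies the default neo-security.xml regex to every value in the Form, URL, CGI and Cookie scopes, replacing each match with `<InvalidTag` exactly as the config fragment specifies, and then shows what Jochem's suggestion of extending the regex looks like. Two things are assumptions of this example rather than facts taken from the post: that the match is case-insensitive, and the particular extra tag names (`iframe`, `style`) added to the extended pattern. The sample request is constructed for the example.

```python
import re

# Default pattern from the CrossSiteScriptPatterns section of neo-security.xml.
# In the XML the leading "<" is written as the entity "&lt;".
DEFAULT_PATTERN = r"<\s*(object|embed|script|applet|meta)"
REPLACEMENT = "<InvalidTag"

# Example of extending the regex as Jochem suggests. The extra tag names
# (iframe, style) are this example's choice, not something from the thread.
EXTENDED_PATTERN = r"<\s*(object|embed|script|applet|meta|iframe|style)"

# The four request scopes the Global Script Protection setting covers.
PROTECTED_SCOPES = ("Form", "URL", "CGI", "Cookie")


def make_filter(pattern=DEFAULT_PATTERN, replacement=REPLACEMENT):
    """Build a function that rewrites one request value.

    Assumption of this example: matching is case-insensitive, so "<SCRIPT"
    is treated the same as "<script".
    """
    regex = re.compile(pattern, re.IGNORECASE)

    def filter_value(value):
        # Only the opening "<tag" text is replaced. A closing tag such as
        # "</script>" has "/" between "<" and the name, so \s* does not
        # match it and it is left untouched.
        return regex.sub(replacement, value)

    return filter_value


def filter_request(request, filter_value):
    """Apply filter_value to every value in the protected scopes.

    request is a dict of scope name -> dict of parameter name -> value.
    Scopes outside PROTECTED_SCOPES are passed through unchanged.
    """
    filtered = {}
    for scope, params in request.items():
        if scope in PROTECTED_SCOPES:
            filtered[scope] = {k: filter_value(v) for k, v in params.items()}
        else:
            filtered[scope] = dict(params)
    return filtered


default_filter = make_filter()
extended_filter = make_filter(EXTENDED_PATTERN)

# Constructed sample request for the example.
SAMPLE_REQUEST = {
    "Form": {
        "comment": "<script>alert(1)</script>",
        "title": "<  META http-equiv=refresh>",
    },
    "URL": {"q": "<iframe src=x>"},
    "CGI": {"HTTP_USER_AGENT": "Mozilla/5.0"},
    "Cookie": {"theme": "<img src=x onerror=alert(1)>"},
}


def demo():
    """Return the sample request as filtered by the default and extended regexes."""
    return {
        "default": filter_request(SAMPLE_REQUEST, default_filter),
        "extended": filter_request(SAMPLE_REQUEST, extended_filter),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name)
        for scope, params in result.items():
            for key, value in params.items():
                print(f"  {scope}.{key} = {value!r}")
```

The last sample value is the practical caveat behind Brad's and Jochem's reservations about request filtering: `<img src=x onerror=alert(1)>` starts with a tag name that is not in either list, so both regexes leave it untouched. The filter only blocks the tag names you enumerate, which is why it is a useful extra layer rather than a substitute for encoding output in the application.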



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311114