I'm doing the request filtering in apache so that it never even
bothers my CF engine with the request, but I was wondering if Jochem
didn't like the filtering for a reason.

I wouldn't rely on it alone in any way, shape or form, but just
cutting down on the "spam" hits on the application seems like a worthy
deal.

Doing it at the network level would be even faster and less intensive
application-wise, but I'm wondering if there's a problem with the very
idea that I haven't thought of.

Accidentally removing legitimate traffic, or just trading one weakness
for another-- something like that.

We need to be preventing this stuff on every level, layered like an
onion, as someone said earlier.

I was not endorsing request filtering as a sole means of protection,
for the record.  :-)

Gracias for the info on what turning on global script protection actually is!

:Den

-- 
He had a wonderful talent for packing thought close, and rendering it portable.
Thomas B. Macaulay


On Sat, Aug 16, 2008 at 10:14 AM, Brad Wood <[EMAIL PROTECTED]> wrote:
>> I haven't mentioned this before because I do believe that filtering
>>> request URLs is the wrong approach
>>
>> Care to elaborate on this?
>
> Denstar, dig out your neo-security.xml file.  In my Windows CF8 standalone
> install it is located in C:\ColdFusion8\lib\neo-security.xml
>
> Look at the following section:
>
>   <var name="CrossSiteScriptPatterns">
>    <struct type="coldfusion.server.ConfigMap">
>     <var name="&lt;\s*(object|embed|script|applet|meta)">
>       <string>&lt;InvalidTag</string>
>     </var>
>    </struct>
>   </var>
>
> When you check the "Enable Global Script Protection" check box on the
> Settings page of ColdFusion Administrator, requests are filtered if anything
> in the Form, URL, CGI, or Cookie scope matches this regex:
> "<\s*(object|embed|script|applet|meta)"
>
> What Jochem is saying, is to add to that regex to filter for whatever else
> you want and enable that setting.
>
> While I agree with Jochem that request filtering is NOT the appropriate way
> to secure your application, this is a rather slick approach.
>
> Also note, this is NOT rewriting.  It is not happening at the network
> level, nor is it happening at the web server level (Apache, IIS).  The
> requests are filtered when they reach ColdFusion.
>
> ~Brad
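As an added illustration (not code from the thread or from ColdFusion itself), the filtering step Brad describes modelled in Python: the default CrossSiteScriptPatterns entry is applied to every value in the Form, URL, CGI and Cookie scopes, matches are replaced with the configured "<InvalidTag" text, and each altered value is recorded so the number of junk hits the filter absorbs can be logged. It assumes matching is case-insensitive (the thread does not say), and `pattern_with_tags` is a hypothetical helper for widening the regex the way Jochem suggests.

```python
import re

# Default pattern quoted from neo-security.xml (the XML stores "<" as "&lt;"),
# mapped to the configured replacement text.
DEFAULT_XSS_PATTERNS = {
    r"<\s*(object|embed|script|applet|meta)": "<InvalidTag",
}

# Scopes that Global Script Protection inspects, per the quoted message.
PROTECTED_SCOPES = ("form", "url", "cgi", "cookie")


def script_protect(request, patterns=DEFAULT_XSS_PATTERNS):
    """Return (filtered_request, hits).

    `request` maps scope name -> {field: value}.  Every value in a protected
    scope is run through each configured pattern and matches are replaced
    with that pattern's replacement text.  `hits` lists (scope, field,
    original_value) for each value that was altered; logging that is how you
    measure how much junk the filter actually absorbs.
    Assumption (not stated in the thread): matching is case-insensitive.
    """
    compiled = [(re.compile(p, re.IGNORECASE), repl) for p, repl in patterns.items()]
    filtered, hits = {}, []
    for scope, fields in request.items():
        if scope not in PROTECTED_SCOPES:
            filtered[scope] = dict(fields)  # e.g. session scope is untouched
            continue
        out = {}
        for field, value in fields.items():
            new_value = value
            for regex, repl in compiled:
                new_value = regex.sub(repl, new_value)
            if new_value != value:
                hits.append((scope, field, value))
            out[field] = new_value
        filtered[scope] = out
    return filtered, hits


def pattern_with_tags(extra_tags, base_tags=("object", "embed", "script", "applet", "meta")):
    """Hypothetical helper: build a widened CrossSiteScriptPatterns regex by
    adding tag names to the default alternation, as the thread suggests."""
    return r"<\s*(" + "|".join(base_tags + tuple(extra_tags)) + ")"
```

Note that the closing tag in the sample is left alone: `\s*` does not match the `/` in `</script>`, so only the opening tag becomes `<InvalidTag`.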

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311126