On Sun, Aug 17, 2008 at 2:08 AM, Jochem van Dieten wrote:
> denstar wrote:
>> On Sat, Aug 16, 2008 at 6:15 AM, Jochem van Dieten wrote:
>>> I haven't mentioned this before because I do believe that filtering
>>> request URLs is the wrong approach
>>
>> Care to elaborate on this?
>
> Filtering means "allow unless it matches". A security measure should be
> "deny unless it matches".

So long as it's a simple list of matches, right?  If the list is too
complicated, you get the Gödel's Theorem effect, neh?  :-)

Heh, I can see it now-- MG3 not only auto-generates your controllers
and XML and whatnot, but using the power of introspection, it adds
rewrite rules to your vhost conf file per event, with type-binding!

That actually sounds pretty cool.

See, I'm wondering if this is closer to searching than security,
per-se.  Sorta thinking (it's getting late, so bear with me :) of a
lame example: I could parse a paragraph looking for every word that's
good, and tossing out the swear-words-- or just look for swear-words.
Which is going to be faster?  Which list is longer?

Maybe that analogy is broken.  Probably.  Hmm... Yup, cause you'd have
to throw in that they could make up new curses as well, without you
even knowing.  Hmm... Well, I'm sure you get the point I'm trying to
make by now (which could be a non-point), but I'll elaborate further,
because I'm not sure if it is a point :-)p

I'd want the lowest-level, most used to be the fastest checks, and the
highest level, least used to be the slowest, most thorough.  In an
ideal world, you could run the highest all the time, but that might be
a fake world, because the more encrypted you get, the longer it takes,
not only to break, but to encode and decode.  Maybe.  Probably another
broken analogy (and a lie ta boot), but whatever.  :)

Hmm... if you've got access to all the data at each level (what to
allow, say, in rewrite rules, or query parameters, etc.), I don't see
why you couldn't lock it down to only what's possible, vs. what could
be.  It would take organization tho.  Borg-like, Terminator-making
organization.  :-)

Or maybe you've got a simple solution, to how one would limit URL
requests to only allowable values?  I can't see anything short of
automation, but that's why this is taking so long.  Probably
overlooking something simple.

Eh.

What's your scenario, to help me grok this here, Jochem?  Search
Engine Safe?  Ha!  That's simple!  Force a pattern-- string([A-z]),
number, string!  Easy.

Is that a solve?

Damn.  This, by now dead, horse is freaking beat.  I'm going to sign off now...

-- 
slowly steps away from the keyboard...
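An added example (mine, not code from the thread or from Model-Glue), in Python rather than CFML, contrasting the two stances Jochem draws: a deny-list that passes anything not on its list, beside an allow-list parser for the string/number/string SES shape denstar sketches. The sample paths are constructed; the regex uses `[A-Za-z]` because the ASCII range `[A-z]` also matches the six punctuation characters between `Z` and `a`.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths (not from the thread): SES-style
# /controller/id/action URLs plus a few that a guard should reject.
SAMPLE_PATHS = [
    "/article/42/view",
    "/article/42/view/../../etc/passwd",
    "/article/%2e%2e/view",
    "/article/42/view<script>",
    "/Article/007/edit",
]

# Deny-list stance: "allow unless it matches". Only fragments already
# on the list are rejected; anything the list author did not foresee passes.
BAD_FRAGMENTS = ("../", "<script", "\x00")

def denylist_filter(path):
    """Return True when the raw path contains none of the listed fragments."""
    return not any(bad in path for bad in BAD_FRAGMENTS)

# Allow-list stance: "deny unless it matches". The whole path must fit the
# string, number, string pattern; nothing else is consulted.
SES_PATTERN = re.compile(r"^/([A-Za-z]+)/(\d+)/([A-Za-z]+)$")

def allowlist_parse(path):
    """Return (controller, id, action) when the path fits, otherwise None."""
    decoded = unquote(path)            # decode once so %2e%2e is seen as ".."
    if decoded != unquote(decoded):    # double-encoded input is rejected outright
        return None
    m = SES_PATTERN.match(decoded)
    if not m:
        return None
    controller, ident, action = m.groups()
    return controller.lower(), int(ident), action.lower()

def compare(paths):
    """Map each path to (passes deny-list, passes allow-list)."""
    return {p: (denylist_filter(p), allowlist_parse(p) is not None) for p in paths}

if __name__ == "__main__":
    for path, (deny_ok, allow_ok) in compare(SAMPLE_PATHS).items():
        print(f"{path:36} deny-list: {'pass' if deny_ok else 'reject':6} "
              f"allow-list: {'pass' if allow_ok else 'reject'}")
```

The percent-encoded traversal is the "new curse word" case: the deny-list passes it because the literal `../` never appears, while the allow-list rejects it simply because it is not a number.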


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311147