Hi,

I recently found in my error logs a request to a page using 
METHOD=OPTIONS...
I didn't even know this could exist.
Apparently, these requests are sent by Microsoft Office, in this 
occurrence, while receiving some CSV file.
This caused an error in my system because no parameter the template was 
expecting in the URL or the FORM scope
was present.
Obviously, my application does not support these requests, and I don't 
intend to do it.

I haven't found any procedure that would limit methods at server level in 
MSIS.

So I'm planning to add some check in my Application.cfm to limit 
requests to the only types I support,
i.e. POST and GET:
<CFIF listFindNocase("POST,GET", CGI.REQUEST_METHOD) EQ 0>
  <cfheader statuscode="405" statustext="Method Not Allowed">
  <CFABORT>
</CFIF>

But I see many other types of requests
( http://www.askapache.com/online-tools/request-method-scanner/ )
including MOVE, COPY or DELETE!

My question is: is it safe to allow only GET and POST?
What is the best practice in CF?
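
An added example, not part of the original post: a fuller version of the Application.cfm allowlist check that also sends the Allow header a 405 response is expected to carry and logs each rejected verb. The log file name "method_filter" and the inclusion of HEAD (commonly sent by monitors and link checkers) are assumptions; remove HEAD for a strict GET/POST policy.

```cfml
<!--- Added example for Application.cfm. Assumptions: log file name
      "method_filter"; HEAD is accepted alongside GET and POST. --->
<cfset allowedMethods = "GET,HEAD,POST">
<cfset requestMethod = uCase(trim(CGI.REQUEST_METHOD))>

<cfif listFind(allowedMethods, requestMethod) EQ 0>
  <!--- Record rejected verbs so unexpected clients and probes show up in the logs --->
  <cflog file="method_filter" type="warning"
         text="Rejected #requestMethod# #CGI.SCRIPT_NAME# from #CGI.REMOTE_ADDR#">

  <!--- 405 tells the client the verb is refused; Allow lists the accepted ones --->
  <cfheader statuscode="405" statustext="Method Not Allowed">
  <cfheader name="Allow" value="#replace(allowedMethods, ',', ', ', 'all')#">

  <!--- Stop before any template reads URL or FORM parameters that are not there --->
  <cfabort>
</cfif>
```

Because the check runs before the requested template, an OPTIONS request like the one from Microsoft Office gets a clean 405 instead of reaching code that expects URL or FORM values.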

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326634