Yeah I think I got myself confused there, have a blinding headache and wasn't thinking on that one.
The point Steve needs to understand is that this is changeable, and that means that someone can easily come along and change the framework. That means there should be a warning of some degree that by making these changes they could be potentially putting a security risk into the framework. Whether he does that or not is up to him, but I think that a warning should be applied to this because it is accessible form the URL. I think that he has done enough to secure it at the base level, but remember someone who doesn't understand can come along and remove the application.cfm and not think twice about the security put in place. Does that make my position a little clearer? Regards, Andrew Scott http://www.andyscott.id.au/ > -----Original Message----- > From: David McGraw [mailto:david.mcg...@gmail.com] > Sent: Wednesday, 5 January 2011 9:31 AM > To: cf-talk > Subject: Re: Beta Tester Wanted for new CF (MVC) Framework > > > How would CF server know to process a .cfm file unless you pre-configured > your IIS or Apache to tell CF to process and execute PNGs? I'm honestly > asking. > > I agree that your files should not be in the webroot, but it sounds like you can > easily use a dynamic loader script, and configure the framework to save and > load files in anything location you would like. I don't think anyone is NOT > agreeing with you about the security. > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340432 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm