I can certainly see the advantage in NOT routing everything through
index.cfm, it is more SEO friendly without having to use URL rewriting etc,
plus I would expect the pages to be more editable.
This is one annoying thing with frameworks in general, if you are not using
a CMS then editing content can be a real pain as you can't just pop the page
open in Dreamweaver and edit the layout as it won't display properly due to
the missing formatting and CSS which is in another file.
And congrats for coming up with a name that does not have "cf" "cold"
"fusion" or "fuse" in the name :-)

-----Original Message-----
From: Steve Bryant [mailto:st...@bryantwebconsulting.com] 
Sent: 05 January 2011 17:39
To: cf-talk
Subject: Re: Beta Tester Wanted for new CF (MVC) Framework


Thanks for your comment and encouragement.

The scrutiny is certainly valid. I don't think the problem is as serious as
it first appeared, but it is with regard to all uploaded files handled by
the framework so it is a pretty significant area of concern and definitely
something I am glad to have others help me think through.

As to the "need" for another framework, I think I have heard that point
raised about every ColdFusion framework released since Fusebox came out ("We
already have Fusebox, why do we need another framework?"). In this case, I
think Neptune is quite a bit different from what is out there already.

For one thing, all the other major frameworks route all requests through
index.cfm and Neptune doesn't. Assuming I am not the only one who dislikes
this paradigm then it is worth offering it for that.

For another, I think (keeping in mind that I am biased) that it is much
easier than any other framework. Almost every time I read about how to
do something in another framework I think "It is easier than that for us".

For anyone even a little curious, I would recommend reading the "Getting
Started" section. It includes links to how to do the same thing in
ModelGlue:Unity and in CFWheels. You can imagine it in other frameworks as
well. See for yourself which you think is easier.


I'm not trying to knock other frameworks here ("easier" often depends on the
problems being solved, for example) - just to point out that I think Neptune
does have something different to offer than what exists already.



>I'm personally not sure if yet another framework is needed, we have 
>quite a few now from simple (cfwheels or FW/1) for all singing all 
>dancing OOP behemoths (ColdBox) but kudos for trying and I hope it works
>out for you.
>While I think all these security concerns are valid, and it would be 
>gr8 if your framework handled these automatically, I think perhaps 
>others are being a bit harsh and jumping on your back a bit quick. I 
>wonder if the other frameworks and popular open source apps have been 
>scrutinised like this and cover all these security bases and are this 
>secure, I wouldn't like to bet any money on it, and I certainly know 
>that some of the ones I have used really do little more than use 
>CFPARAM or CFQUERYPARAM to protect against injection, and there is 
>certainly no consideration for the temp file execution scenario. I have 
>not read the entire conversation so I do not know the context of the 
>file uploads inside webroot, but if this is only for installation/setup 
>then I would not consider this a security concern as only the admin 
>will be doing this and then presumably this feature will be disabled
>The most popular apps in the world with web based installers do not 
>even cater for this scenario, such as wordpress for example, they 
>simply make sure that the installer/setup no longer works once you have 
>completed the process so that a hacker cannot get in and mess with your
>If that is not the context for this issue and it is uploads in general, 
>then I guess that is a moot point.
>Russ Michaels
>www.cfmldeveloper.com - Supporting the CF community since 1999 FREE 
>ColdFusion/Railo hosting for developers.
>blog: www.michaels.me.uk
