What you can do is name all includes with a preceding naming convention, such as an 
underscore.  Then don't pass the entire name in the URL, add the preceding naming 
convention in the cfinclude.

Allowable include name: _allowed.cfm

template.cfm?filename=taboo.cfm

<cfinclude template="_#URL.filename#">

You can enclose in CFCATCH and CFTHROW to catch when someone is trying to feed a 
template that isn't allowed.

You can also prevent includes from being called directly by including a little code 
in the Application.cfm:

<!--- Disallow calling files directly --->
<cfif left(CGI.scriptname, 1) IS "_">
  You cannot call this template directly.
  <cfabort>
</cfif>

HTH,
Sharon DiOrio
----- Original Message ----- 
From: "David Grabbe" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, March 19, 2002 2:55 PM
Subject: RE: Need help with mappings in CF Admin


> Are there any safeguards I can use to protect against this?
> 
> David
> 
> ------------------------------------
> David Grabbe
> Manager, Information Systems
> Church of the Great God
> [EMAIL PROTECTED]
> http://www.cgg.org
> 
> 
> 
> -----Original Message-----
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 19, 2002 2:57 PM
> To: CF-Talk
> Subject: RE: Need help with mappings in CF Admin
> 
> 
> [snip]
> 
> Also, it's worth noting that there's a possible security issue in using
> information from the browser to build the TEMPLATE attribute of a CFINCLUDE
> tag, since the end user could potentially change that information to
> reference a file that you don't want to include.
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
> 
> 
> 
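As an added illustration (not code from either poster), the prefix convention above combined with a strict allowlist on the URL value and a cftry/cfcatch guard; it assumes includes live in an includes/ directory and that the URL parameter is named filename as in the thread:

```cfml
<!--- Added example, not from the original post: validate URL.filename before it reaches cfinclude.
      Assumes includes live in ./includes/ and are named with a leading underscore, e.g. _allowed.cfm --->
<cfset includeDir = "includes">
<cfset requested = Trim(URL.filename)>

<cftry>
    <!--- 1. Only letters, digits, hyphen and underscore, ending in .cfm.
            Slashes, backslashes, dot sequences and other characters are rejected outright. --->
    <cfif NOT REFind("^[A-Za-z0-9_-]+\.cfm$", requested)>
        <cfthrow type="BadInclude" message="Invalid include name: #HTMLEditFormat(requested)#">
    </cfif>

    <!--- 2. Prepend the naming-convention prefix so the caller can only ever select an include template. --->
    <cfset templatePath = "#includeDir#/_#requested#">

    <!--- 3. Confirm the file exists before including; ExpandPath resolves relative to this template. --->
    <cfif NOT FileExists(ExpandPath(templatePath))>
        <cfthrow type="BadInclude" message="Unknown include: #HTMLEditFormat(requested)#">
    </cfif>

    <cfinclude template="#templatePath#">

    <cfcatch type="BadInclude">
        <!--- Log the rejected request and stop; do not echo the raw value back to the browser. --->
        <cflog file="includeguard" type="warning" text="Rejected include '#requested#' from #CGI.REMOTE_ADDR#">
        <p>The requested page is not available.</p>
        <cfabort>
    </cfcatch>
</cftry>
```

The Application.cfm check from the reply above still belongs alongside this, since it stops the underscore-prefixed templates from being requested directly even when this validation is bypassed by some other entry point.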
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists