I want to make sure I'm understanding this right - according to Wikipedia, you should URL encode cflocation values when they come from variables? More specifically, a variable like cgi.HTTP_HOST? It's odd to me that ColdFusion doesn't automatically verify something like that first. From the article, it sounds like PHP already does some validation.
> This code is insecure and subject to HTTP Response Splitting. You
> need to validate the various CGI variables before responding with a
> 302 redirect. Or, preferably, you use DNS to resolve both URLs to the
> same server.
>
> http://en.wikipedia.org/wiki/HTTP_response_splitting
>
> -dhs
>
> Dean H. Saxe, CISSP, CEH
> [EMAIL PROTECTED]
> "Dissent is the purest form of patriotism."
> --Thomas Jefferson
>
>
>
> On Apr 25, 2008, at 9:53 AM, Ajas Mohammed wrote:
>
>> Hi,
>>
>> I have a client who has url say www.xyz.com. They want a new url
>> www.abc.com so that when user enters www.xyz.com, the user should see
>> www.abc.com in his address bar of browser. Basically an alias/
>> redirection with address bar showing the new url. I could have done
>> redirection by dns names/url redirection at website level but
>> problem is I have a subfolder application i.e. www.xyz.com/subapp.
>>
>> Now if I do dns/url redirection, and user tries to access subfolder
>> application with this url, www.xyz.com/subapp/home.cfm, it takes the
>> user automatically to www.abc.com/home.cfm i.e. the main application
>> without the subfolder application, and I don't want that. It should
>> take user to www.abc.com/subfolder/home.cfm.
>>
>> So to avoid this redirection at the website level, I added this code
>> in Application.cfm
>>
>> Code:
>>
>> <!--- Relocate if not a secure connection --->
>> <cfif cgi.SERVER_PORT is "80" and CGI.SERVER_PORT_SECURE is "0">
>>
>>     <!--- replace xyz with abc --->
>>     <cfset x = "https://#Replace(cgi.HTTP_HOST,"xyz","abc")##cgi.PATH_INFO#">
>>
>>     <cfif cgi.query_string is "">
>>         <cfset y = "">
>>     <cfelse>
>>         <cfset y = "?#cgi.query_string#">
>>     </cfif>
>>
>>     <cflocation url="#x##y#"><cfabort>
>>
>> <cfelseif cgi.HTTP_HOST contains "xyz">
>>
>>     <!--- replace xyz with abc --->
>>     <cfset x = "https://#Replace(cgi.HTTP_HOST,"xyz","abc")##cgi.PATH_INFO#">
>>
>>     <cfif cgi.query_string is "">
>>         <cfset y = "">
>>     <cfelse>
>>         <cfset y = "?#cgi.query_string#">
>>     </cfif>
>>
>>     <cflocation url="#x##y#"><cfabort>
>>
>> </cfif>
>>
>> My question to you guys is that
>>
>> 1. is this a good practice ?
>>
>> 2. do you see any security issues?
>>
>> 3. any performance issues?
>>
>> 4. does it ring any bells?
>>
>> 5. anything obvious I am missing here or do you have a better solution?
>>
>> Thanks,
>>
>> --
>> <Ajas Mohammed />
>> http://ajashadi.blogspot.com
>> No matter what, find a way. Because that's what winners do.
>> You can't improve what you don't measure.
>> Quality is never an accident; it is always the result of high
>> intention, sincere effort, intelligent direction and skillful
>> execution; it represents the wise choice of many alternatives.
>> "Live as if you were to die tomorrow. Learn as if you were to live
>> forever."
>> -------------------------------------------------------------
>> Annual Sponsor - Figleaf Software
>>
>> To unsubscribe from this list, manage your profile @
>> http://www.acfug.org?fa=login.edituserform
>>
>> For more info, see http://www.acfug.org/mailinglists
>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
>> List hosted by FusionLink
>> -------------------------------------------------------------
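Since the question is about encoding cflocation values built from CGI variables, here is a hardened version of the Application.cfm redirect from the thread as an added example; it is not code from the thread or from either poster. The allowedHosts and canonicalHost values, the variable names and the choice of a 400 response for bad input are assumptions made for illustration.

```cfml
<!--- Added example (not from the thread): hardened redirect for Application.cfm.
      allowedHosts and canonicalHost are assumed values for illustration. --->
<cfset allowedHosts = "www.xyz.com,www.abc.com">
<cfset canonicalHost = "www.abc.com">

<!--- 1. Never copy the Host header into a redirect target. Compare it
        against a fixed allowlist and refuse anything that is not on it. --->
<cfif NOT ListFindNoCase(allowedHosts, cgi.HTTP_HOST)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 2. PATH_INFO must look like a plain local path: only path-safe
        characters (so no CR/LF) and no protocol-relative "//" prefix. --->
<cfif ReFind("[^A-Za-z0-9/._~%-]", cgi.PATH_INFO) OR Left(cgi.PATH_INFO, 2) EQ "//">
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 3. Rebuild the query string, re-encoding every key and value so
        nothing from the request line reaches the Location header raw. --->
<cfset rawPairs = ListToArray(cgi.QUERY_STRING, "&")>
<cfset safeParams = ArrayNew(1)>
<cfloop array="#rawPairs#" index="pair">
    <cfset k = URLEncodedFormat(URLDecode(ListFirst(pair, "=")))>
    <cfset v = URLEncodedFormat(URLDecode(ListRest(pair, "=")))>
    <cfset ArrayAppend(safeParams, k & "=" & v)>
</cfloop>
<cfset safeQuery = ArrayToList(safeParams, "&")>

<!--- 4. Redirect only to the canonical https host we control; the host
        in the Location header is a constant, never the client's value. --->
<cfif cgi.SERVER_PORT_SECURE IS "0" OR cgi.HTTP_HOST IS NOT canonicalHost>
    <cfset target = "https://" & canonicalHost & cgi.PATH_INFO>
    <cfif Len(safeQuery)>
        <cfset target = target & "?" & safeQuery>
    </cfif>
    <cflocation url="#target#" addtoken="false">
    <cfabort>
</cfif>
```

The allowlist check is what removes the response-splitting and open-redirect risk; the encoding step is defence in depth for the query string, which is the only client-supplied part that still reaches the header.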