RE: Securing your config.xml file

2006-08-27 Thread Snake
One other alternative is to encrypt your XML file if you do not have any
folders outside your webroot.
But any decent host should do this by default: your FTP root should be
non-web-accessible and have a webroot folder inside it.
But really, if such a small thing is an issue, then it's time to switch hosts
as Dave says. I'll plug cfmxhosting.co.uk :-)

Snake
-Original Message-
From: Dave Carabetta [mailto:[EMAIL PROTECTED] 
Sent: 26 August 2006 16:03
To: CF-Talk
Subject: Re: Securing your config.xml file

On 8/25/06, Will Tomlinson [EMAIL PROTECTED] wrote:
> Right now my config.xml file resides where it can be browsed and read
> easily. Ray C. helped me a while back on how to secure it. One of the
> options is to place outside the root and read it. This needs to work with a
> shared host so that's not a good option. Another was to setup a defaults.cfm
> file with the xml commented out. Then you read the file, taking out the
> comments. If someone browses to the file, they'd see nothing.


I'm not sure why being on a shared host eliminates placing it outside of the
web root. My personal site is on a shared host, and I have access to
directories that are within my account, but outside of the web root.
Further, you could set up a directory outside of your web root and ask your
host to set up a mapping. If they won't let you do this, then it's time to
switch to HostMySite.com, who is unbelievably accommodating when it comes to
this sort of stuff.

Regards,
Dave.



~|
Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting,
up-to-date ColdFusion information by your peers, delivered to your door four 
times a year.
http://www.fusionauthority.com/quarterly

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:251180
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


Re: Securing your config.xml file

2006-08-26 Thread Dave Carabetta
On 8/25/06, Will Tomlinson [EMAIL PROTECTED] wrote:
> Right now my config.xml file resides where it can be browsed and read easily.
> Ray C. helped me a while back on how to secure it. One of the options is to
> place outside the root and read it. This needs to work with a shared host so
> that's not a good option. Another was to setup a defaults.cfm file with the
> xml commented out. Then you read the file, taking out the comments. If
> someone browses to the file, they'd see nothing.


I'm not sure why being on a shared host eliminates placing it outside
of the web root. My personal site is on a shared host, and I have
access to directories that are within my account, but outside of the
web root. Further, you could set up a directory outside of your web
root and ask your host to set up a mapping. If they won't let you do
this, then it's time to switch to HostMySite.com, who is unbelievably
accommodating when it comes to this sort of stuff.

Regards,
Dave.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:251139


Re: Securing your config.xml file

2006-08-26 Thread James Holmes
I agree with this. However, if a decent host isn't possible for some
reason, an alternative is to do what Ray Camden now does with BlogCFC
and other apps.

1) Give the XML config file a .cfm extension so it becomes
config.xml.cfm or whatever
2) In the folder in which the XML file sits, use an Application.cfm
that contains this:

<cfif listlast(cgi.script_name, "/") is "config.xml.cfm">
    <cfabort>
</cfif>

This means that when you read the file with XMLParse() all is ok but
anyone browsing directly to the file sees nothing because the request
is aborted.

The only thing I would personally do differently from Ray is to use
GetFileFromPath(cgi.script_name) instead of listlast(cgi.script_name, "/"),
but it's the same thing.

On 8/26/06, Dave Carabetta [EMAIL PROTECTED] wrote:
> On 8/25/06, Will Tomlinson [EMAIL PROTECTED] wrote:
> > Right now my config.xml file resides where it can be browsed and read
> > easily. Ray C. helped me a while back on how to secure it. One of the
> > options is to place outside the root and read it. This needs to work with a
> > shared host so that's not a good option. Another was to setup a
> > defaults.cfm file with the xml commented out. Then you read the file,
> > taking out the comments. If someone browses to the file, they'd see nothing.
>
> I'm not sure why being on a shared host eliminates placing it outside
> of the web root. My personal site is on a shared host, and I have
> access to directories that are within my account, but outside of the
> web root. Further, you could set up a directory outside of your web
> root and ask your host to set up a mapping. If they won't let you do
> this, then it's time to switch to HostMySite.com, who is unbelievably
> accommodating when it comes to this sort of stuff.
>
> Regards,
> Dave.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:251141
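The Application.cfm gate James describes, modelled in Python as an added example (CFML is not run here, and this is not code from the thread or from BlogCFC). It turns `listlast(cgi.script_name, "/") is "config.xml.cfm"` into a function that can be exercised against constructed request paths, and keeps the comparison case-insensitive the way CFML's `is` operator is. PROTECTED_FILES, request_allowed(), gate(), audit() and the sample paths are this example's own names and data.

```python
"""Model of the Application.cfm abort-on-direct-request gate.

Added example, not code from the thread. The CFML check
    <cfif listlast(cgi.script_name, "/") is "config.xml.cfm"><cfabort></cfif>
is rendered here so its behaviour can be checked against sample requests.
"""
import posixpath

# Renamed config files that must never be served directly (constructed set).
PROTECTED_FILES = {"config.xml.cfm"}


def request_allowed(script_name):
    """Return False when the request's file name is a protected file.

    posixpath.basename() plays the role of GetFileFromPath() or
    listlast(..., "/") in the thread. Both sides are lower-cased because
    CFML's `is` compares case-insensitively; a port that compared exactly
    would let /Config.xml.cfm through on a case-insensitive file system.
    """
    name = posixpath.basename(script_name).lower()
    return name not in {f.lower() for f in PROTECTED_FILES}


def gate(script_name, file_contents):
    """Mimic Application.cfm: '' (request aborted) or the page body."""
    return file_contents if request_allowed(script_name) else ""


def audit(script_names):
    """Map each constructed CGI.SCRIPT_NAME to 'served' or 'aborted'."""
    return {s: ("served" if request_allowed(s) else "aborted") for s in script_names}


if __name__ == "__main__":
    SAMPLE = [  # constructed request paths
        "/index.cfm",
        "/config.xml.cfm",
        "/app/settings/config.xml.cfm",  # gate applies in any folder
        "/CONFIG.XML.CFM",               # case-insensitive, like CFML `is`
        "/config.xml",                   # not renamed: the web server, not CF, serves it
    ]
    for path, verdict in audit(SAMPLE).items():
        print("%-32s %s" % (path, verdict))
```

The last sample path shows why step 1 (renaming to .cfm) is essential: a plain .xml file is handed out by the web server before ColdFusion, and therefore Application.cfm, ever runs, so the gate never sees it. Joseph's mod_rewrite rule later in the thread matches its pattern case-sensitively unless the [NC] flag is added, so it needs that flag to give the same coverage as this check.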


Re: Securing your config.xml file

2006-08-26 Thread Will Tomlinson
> I agree with this. However, if a decent host isn't possible for some
> reason, an alternative is to do what Ray Camden now does with BlogCFC
> and other apps.

Most excellent James! This is more of what I was lookin for. Not saying the 
other proposed options in this thread aren't good, this one is just more gooder 
for my situation. 

Thanks much!

Will

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:251155


RE: Securing your config.xml file

2006-08-26 Thread Snake
Putting the XML file outside webroot works for me, no additional software,
ISAPI filters etc. required.

Snake 

-Original Message-
From: Joseph Lamoree [mailto:[EMAIL PROTECTED] 
Sent: 26 August 2006 04:07
To: CF-Talk
Subject: Re: Securing your config.xml file

All of my servers run either Apache or support servlet filters. On the
Apache sites, I use mod_rewrite; on the J2EE servers, I use the
UrlRewriteFilter (http://tuckey.org/urlrewrite/).

mod_rewrite:
   RewriteRule ^/config/.* / [R]

UrlRewriteFilter:
   <rule>
     <from>.*</from>
     <condition type="request-uri">^/config/.*</condition>
     <to type="redirect" last="true">/</to>
   </rule>

That does the trick for me.

--
Joseph Lamoree



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:251169


RE: Securing your config.xml file

2006-08-26 Thread Dave Watts
> Putting the XML file outside webroot works for me, no
> additional software, ISAPI filters etc. required.

I would strongly recommend this approach. If you don't want something to be
accessible through your web server, don't put it in your web-accessible
directories.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:251174


Re: Securing your config.xml file

2006-08-25 Thread Denny Valliant
I guess you could stash it in a DB... CF and DB's are pretty tied together
already, but I do hate having DB reliant code in the init, just cuz. But I
don't hate it so much I don't do it myself, when I have to ;-).

Guess there's an example for when you're building CF websites or CF
apps... it's different.

Guess wish list item #2 would be some way for mapped paths to work on shared
servers... #2 is more betterer than #1 though (fine grained debug control).
Probably fundamentally undoable. (adding a mapped path without using cf
admin).

Good thing to think about though... if they use .htaccess maybe you could
set a permission...
--- tangent:
I figured out how to create Apache md5 passwords, in case someone wants to
create users/passwords via CF. (Figured out is too strong: I found a java
lib that crypts the password right;)

Not the most secure method though... (.htaccess) (and avail. depends on the
host's setup, OfCourse) :-/
:D

(ps- there's always plain old encryption too. Six of one though... )

On 8/25/06, Will Tomlinson [EMAIL PROTECTED] wrote:

> Right now my config.xml file resides where it can be browsed and read
> easily. Ray C. helped me a while back on how to secure it. One of the
> options is to place outside the root and read it. This needs to work with a
> shared host so that's not a good option. Another was to setup a
> defaults.cfm file with the xml commented out. Then you read the file,
> taking out the comments. If someone browses to the file, they'd see nothing.
>
> Could you use cfxml to do somethin along these lines? How does everyone
> else do this?
> Could I see some examples? Here's what I've got now.
>
> <!--- Read config.xml and save all the values for use in APPLICATION scope --->
> <cffunction name="loadApplicationVariables" returntype="void" output="false">
>     <cfset var serverName = "production">
>     <cfset var xmlFilePath = "D:/inetpub/***//config.xml">
>     <!--- <cfset var xmlFilePath = "C:/cfusionmx7/wwwroot/**/config.xml"> --->
>     <cfset var key = "">
>     <cfset var thevalues = "">
>     <!--- Read and create a new CF XML document object --->
>     <cfset thevalues = XMLparse("#xmlFilePath#")>
>     <!--- Create a struct with the setting values --->
>     <cfset APPLICATION.settings = StructNew()>
>     <!--- Loop over the keys, saving their values to APPLICATION scope --->
>     <cfloop item="key" collection="#thevalues.settings[serverName]#">
>         <cfset APPLICATION.settings[key] = thevalues.settings[serverName][key].xmltext>
>     </cfloop>
> </cffunction>
>
> Thanks,
> Will
>

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:251107
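An added example, not code from the thread: the approach Dave Watts and Snake recommend (keep the file outside the web root) written as a loader that does what Will's loadApplicationVariables() does, pick the branch for one server name and copy each child element's text into a dictionary, but refuses to open a config that resolves to a path under the document root. The SAMPLE_CONFIG XML is constructed to fit the shape Will's loop reads (settings -> server name -> one element per setting); load_settings(), is_under() and demo() are this example's own names.

```python
"""Load settings from an XML config kept outside the web root.

Added example, not code from the thread. Mirrors Will's CFML loop over
thevalues.settings[serverName] but rejects a file inside the web root.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample config in the shape Will's loop expects.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<settings>
  <production>
    <dsn>prod_dsn</dsn>
    <adminEmail>ops@example.invalid</adminEmail>
  </production>
  <development>
    <dsn>dev_dsn</dsn>
    <adminEmail>me@example.invalid</adminEmail>
  </development>
</settings>
"""


def is_under(path, root):
    """True if path resolves to root itself or anything beneath it."""
    path = os.path.realpath(path)
    root = os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def load_settings(xml_path, web_root, server_name="production"):
    """Parse the settings for server_name, refusing a config inside web_root."""
    if is_under(xml_path, web_root):
        raise ValueError("config file %s is inside the web root %s" % (xml_path, web_root))
    tree = ET.parse(xml_path)  # same job as XmlParse(path) in CFML
    branch = tree.getroot().find(server_name)
    if branch is None:
        raise KeyError("no <%s> block in %s" % (server_name, xml_path))
    # Equivalent of the cfloop: element name -> its text (whitespace stripped).
    return {child.tag: (child.text or "").strip() for child in branch}


def demo():
    """Write the sample config in two places and report which one loads."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "wwwroot")
    private = os.path.join(base, "private")
    os.makedirs(web_root)
    os.makedirs(private)
    results = {}
    for where in (web_root, private):
        cfg = os.path.join(where, "config.xml")
        with open(cfg, "w") as fh:
            fh.write(SAMPLE_CONFIG)
        try:
            results[os.path.basename(where)] = load_settings(cfg, web_root)
        except ValueError as exc:
            results[os.path.basename(where)] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The realpath() step matters on the shared-host setups discussed in the thread: a mapping or symlink that points back into the web root still resolves to a path under it, so the guard catches a config that is only nominally outside.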


Re: Securing your config.xml file

2006-08-25 Thread Joseph Lamoree
All of my servers run either Apache or support servlet filters. On  
the Apache sites, I use mod_rewrite; on the J2EE servers, I use the  
UrlRewriteFilter (http://tuckey.org/urlrewrite/).

mod_rewrite:
   RewriteRule ^/config/.* / [R]

UrlRewriteFilter:
   <rule>
     <from>.*</from>
     <condition type="request-uri">^/config/.*</condition>
     <to type="redirect" last="true">/</to>
   </rule>

That does the trick for me.

--
Joseph Lamoree

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:251116