Ben Nadel
On User Experience (UX) Design, JavaScript, ColdFusion, Node.js, Life, and Love.
I am the chief technical officer at InVision App, Inc - a prototyping and collaboration platform for designers, built by designers. I also rock out in JavaScript and ColdFusion 24x7.
Meanwhile on Twitter
Loading latest tweet...
Ben Nadel at CFUNITED 2010 (Landsdown, VA) with: Ellen Kaspern

Target ColdFusion Template Gets Compiled Even If Not Executed

By Ben Nadel on
Tags: ColdFusion

A while back, I had suggested a hack to get ColdFusion-based security on non-ColdFusion files by adding a ".cfm" file extension. Then, in the Application.cfc's OnRequest() event method, intercepting those file requests, checking security permissions, and streaming the requested files (using CFContent). Since the requested file was never being executed (only streamed), it never occurred to me that it would matter what type of file it was.

As Regs pointed out to me, this was an incorrect assumption. Apparently, the requested template gets compiled even if it is never executed. This can cause problems, as he points out, if the file contains ColdFusion-tag-like data that starts with "<cf". To test this, I set up a tiny application that never includes the requested file, but rather a default file. Here is the ColdFusion Application.cfc file:

  • <cfcomponent
  • output="false"
  • hint="Handles the application level events and application settings.">
  •  
  •  
  • <!--- Define application settings. --->
  • <cfset THIS.Name = "SecurityTest2" />
  • <cfset THIS.ApplicationTimeout = CreateTimeSpan( 0, 0, 10, 0 ) />
  • <cfset THIS.SessionManagement = false />
  • <cfset THIS.SetClientCookies = false />
  •  
  • <!--- Define page settings. --->
  • <cfsetting
  • requesttimeout="20"
  • showdebugoutput="false"
  • />
  •  
  •  
  • <cffunction
  • name="OnRequest"
  • access="public"
  • returntype="void"
  • output="true"
  • hint="Fires after pre page processing is complete - when determining which template to ultimately execute.">
  •  
  • <!--- Define arguments. --->
  • <cfargument
  • name="TargetPage"
  • type="string"
  • required="true"
  • />
  •  
  • <!---
  • Include the default page regardless of what page
  • was actually requested.
  • --->
  • <cfinclude template="default.cfm" />
  •  
  • <!--- Return out. --->
  • <cfreturn />
  • </cffunction>
  •  
  • </cfcomponent>

Notice that default.cfm is included no matter what happens. This is just a simple HTML file. But, I am gonna put in a bunk index.cfm in that directory:

  • asdlfj alksdf lkajdf lajlfj ald fladsfs
  • adfj aldjflajsdf ajsdf asdf alsdflasdlfl
  • adf adsfasdf asf<cfset adkfjasdlf asdf />
  • ljlaj dlfjals dfljasd flajsdl fasjdlfj al

Notice the poorly formeed ColdFusion CFSet tag mixed in with the random characters. This is meant to simulate the random text that might show up in a secure file.

Ok, so when the index.cfm ColdFusion template is requested, what I assumed would happen is that the default.cfm template would be executed and everything would go smoothly. But, no; just at Regs pointed out, ColdFusion throws an error:

Invalid CFML construct found on line 3 at column 35. ColdFusion was looking at the following text: asdf The CFML compiler was processing: * a cfset tag beginning on line 3, column 18.

I don't like this behavior. It doesn't feel right. The whole point of a conditional CFInclude tag is that the file only gets executed if it actually gets included. This target page compilation goes against this idea, not to mention it makes my security hack totally unusable.




Reader Comments

Yeah, the hack is unusable. Unfortunately the best way to secure files is to move them out of webroot and then use:
<CFHTMLHEAD text="<title>Download #finalName#</title>" />
<CFHEADER NAME="content-disposition" VALUE="#theAction#; filename=#finalName#">
<CFCONTENT TYPE="#mimetype#" FILE="#downloadFile.file_name#" DELETEFILE="No">

It sucks, but it's not that bad. You could code up a system rather quickly and you'll never have to think about it again.

Reply to this Comment

At CFUnited this year someone (New Atlanta, Microsoft?) showed how IIS8 can use any ISAPI application to handle IIS requests. I don't recall the exact details but I think one of the examples was for security of any file.

Reply to this Comment

@Todd,

Yeah, agreed. Oh well.

@Dan,

I remember that, I think. Was that the presentation about tapping into the "request pipeline" at any point so that CF(BD) could reach in before IIS processes files or something. I vaguely remember it, but much of the presentation went way over my head as I am not very familiar with IIS at all.

Reply to this Comment

Post A Comment

?
You — Get Out Of My Dreams, Get Into My Comments
Live in the Now
Oops!
Comment Etiquette: Please do not post spam. Please keep the comments on-topic. Please do not post unrelated questions or large chunks of code. And, above all, please be nice to each other - we're trying to have a good conversation here.