Requesting application.cfm directly

Hello,

I’m an old ColdFusion user (1996-2003) who couldn’t resist taking a look at
Lucee V5. I’m running 5.0.0.178-BETA on a Windows 7 Home Premium test
machine.

I noticed that I can request application.cfm directly in a browser URL and
it executes. That’s not supposed to happen, is it?

Also, didn’t there used to be a rule that any CFM whose name started with
underscore could not be directly requested? I’m foggy here – might be
thinking of another product. I know that’s how I used to name my include
CFM files, back in the day. As I said I’m an old ColdFusion user. :slight_smile:

Thanks and good luck. The product looks great!

KM

Thanks for the kind replies.

I was aware of Application.cfc et al. That stuff came into ColdFusion at
about the same time I was going out. (smile) I’ve got a bunch of old CF
apps that I’m trying to revive, just as an experiment and refresher. So
far, I’m impressed with how much of my old CF code works just fine under
Lucee 5. I was even able to get the old Access databases hooked up via JDBC
/ ucanaccess. That was unexpected!

I started with CF when I got a free copy (of version 1.5) bundled along with
the spiffy O’Reilly WebSite server in 1996. I stayed with it through
version 5. It’s cool to see that CFML is still alive and well.

KM

I noticed that I can request application.cfm directly in a browser URL and
it executes. That’s not supposed to happen, is it?

Yes. It should. Try using .cfc as it should be. :slight_smile:

There is no such rule to my knowledge, but I started CF in 2000. Your best
bet to prevent people from looking at your files is to put them above
webroot (and then index.cfm include them).

Hey KM,

Welcome back to CFML land! A lot has changed since you’ve been gone, as
you can imagine.

First, while Application.cfm is still supported for backwards
compatibility with older CFML engines, it is no longer the proper
implementation for new application development. You should instead now use
Application.cfc -
see http://www.learncfinaweek.com/week1/Application_cfc/ for more
information and a good primer on that. The rest of the site is likewise a
good primer overall if you’re getting back into CFML. And yes,
Application.cfm has always been able to be directly called.

I’ve been doing CF since v4, but don’t recall there ever being a rule
specific to CFML that would prevent files starting with an underscore from
being directly accessed. It would be possible to create a rule for this in
any modern http server (e.g. Apache, IIS, etc.) that would block a direct
request to those files, but I don’t seem to remember it ever being part of
CFML itself. But I’m old and senile now, so… it’s feasible an early
version had this capability.

Again, welcome back and if you get back into CFML in any serious way you
might want to consider joining local/online user groups and/or going to one
of the conferences (dev.Objective() in MN, CF Summit in Vegas or NCDevCon
in Raleigh, NC) this year to catch up on all the new bells and whistles,
and gain new techniques such as OOP… and MVC frameworks like FW/1
(framework one) and ColdBox. (google any of that you find interesting lol)

– Denny

Hi Dudes

just for information, this is what I get when I try to call application.cfm
on a ColdFusion 8 server directly in the URL by
http://…/application.cfm
Seems KM is absolutely right, although I never thought about that in
particular until today :wink:

Invalid request of Application.cfm, Application.cfc, or OnRequestEnd.cfm
file.
You have requested a page with the name application.cfm. This file name is
reserved by the ColdFusion engine for the specification of application
level settings; as a result, it cannot be directly requested from a web
client.

If you are creating a template that is intended for direct access by end
users, use a name other than Application.cfm or OnRequestEnd.cfm.

best regards from florida
raffael meier

You should be able to block access to a file via your webserver.
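
The web-server rule suggested in the replies comes down to one decision per request, sketched here in Python as an added example (not code from the thread or from Lucee) so it can be ported to an Apache or IIS rule. The reserved names come from the ColdFusion 8 message quoted above and the underscore prefix from KM's naming habit; the function names, the sample paths and the treatment of trailing path info are assumptions.

```python
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Reserved names, taken from the ColdFusion 8 error text quoted in the thread.
RESERVED = {"application.cfm", "application.cfc", "onrequestend.cfm"}
# A path segment that names a CFML template (.cfm or .cfc, any letter case).
CFML_SEGMENT = re.compile(r"\.cf[cm]$", re.IGNORECASE)


def template_name(url: str) -> Optional[str]:
    """Return the file name of the CFML template a request targets, or None."""
    path = unquote(urlsplit(url).path)  # drop the query string, decode %xx
    for segment in path.split("/"):
        # Assumption: the first .cfm/.cfc segment is the template and any
        # later segments are extra path info passed to it, not another file.
        if CFML_SEGMENT.search(segment):
            return segment
    return None


def is_blocked(url: str) -> bool:
    """True when the request names a reserved or underscore-prefixed template."""
    name = template_name(url)
    if name is None:
        return False
    # Windows file systems ignore case, so the comparison must as well.
    lowered = name.lower()
    return lowered in RESERVED or lowered.startswith("_")


# Constructed sample request paths (not taken from any real log).
SAMPLE_REQUESTS = [
    "/application.cfm", "/APPLICATION.CFM", "/shop/Application.cfc",
    "/OnRequestEnd.cfm?x=1", "/includes/_header.cfm", "/_header.cfm/extra/info",
    "/index.cfm", "/my_page.cfm", "/_inc/header.cfm", "/_assets/logo.png",
]


def blocked_requests(urls):
    """Return the subset of urls that the rule would refuse."""
    return [u for u in urls if is_blocked(u)]


if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print("DENY " if is_blocked(url) else "allow", url)
```

The rule matches file names only, so `/_inc/header.cfm` is still served; includes kept above the webroot, as suggested earlier in the thread, need no rule at all.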