ColdFusion security by checking ARGUMENTS.TargetPage in Application.onRequestStart?

I have a ColdFusion application in which I want to restrict access to certain pages based on some criteria. I am currently doing it like this, in Application.cfc:

<cffunction name="OnRequestStart" access="public" returntype="boolean" output="true">
  <cfargument name="TargetPage" type="string" required="true" />
  <cfif not SESSION.isAdmin and REFindNoCase("/admin",ARGUMENTS.TargetPage) >
    <!--- Deny non-admin access to admin pages. --->
    <cfinclude template="/notauth.cfm">
    <cfreturn false />
  </cfif>
  <cfreturn true />
</cffunction>

My main question: how vulnerable is the general approach of validating TargetPage with regular expressions, and are there ways to improve the security of this design? In particular, I am interested in avoiding "canonical representation vulnerabilities." See here.

For example, using only REFind instead of REFindNoCase would let people straight through if they went to "/ADMIN/". Are there any other things to watch out for?
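To illustrate the canonical-representation concern raised above, here is an added Python sketch (not ColdFusion, and not code from the original thread) that contrasts the substring regex check from the question with one that canonicalises the requested path before testing a whole-directory prefix. The restricted-prefix list and the sample paths are constructed for the example; whether the TargetPage value your server hands you is already percent-decoded is an assumption you must verify for your deployment.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed for this example: canonical, lower-case directory prefixes that
# require SESSION.isAdmin. Mirrors the "/admin" rule from the question.
RESTRICTED_PREFIXES = ("/admin/",)


def canonical_path(target_page: str) -> str:
    """Reduce a requested script path to a single canonical form.

    Drop the query string, percent-decode once (assumption: the server has
    not already decoded it), treat backslashes as separators, collapse runs
    of slashes and '.'/'..' segments, and lower-case the result because the
    file system serving these pages may be case-insensitive.
    """
    path = target_page.split("?", 1)[0]
    path = unquote(path).replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    path = re.sub(r"/+", "/", path)
    trailing_slash = path.endswith("/")
    path = posixpath.normpath(path)   # resolves '.', '..' without leaving '/'
    if trailing_slash and path != "/":
        path += "/"
    return path.lower()


def naive_allowed(target_page: str, is_admin: bool) -> bool:
    """The question's check: REFindNoCase("/admin", TargetPage) on the raw path."""
    if not is_admin and re.search("/admin", target_page, re.IGNORECASE):
        return False
    return True


def hardened_allowed(target_page: str, is_admin: bool) -> bool:
    """Canonicalise first, then require a directory-prefix (not substring) match."""
    if is_admin:
        return True
    path = canonical_path(target_page)
    for prefix in RESTRICTED_PREFIXES:
        # "/admin" (the directory itself) and "/admin/anything" are both restricted;
        # "/reports/admin-summary.cfm" is not, unlike with the substring regex.
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return False
    return True
```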


+3
3


, , script (CGI.SCRIPT_NAME) , , APPLICATION, onApplicationStart() qRestrictedList.

In onRequestStart:

<cfquery name="qThisPageRestricted" dbtype="query">
  SELECT * FROM qRestrictedList
  WHERE ScriptName = '#CGI.SCRIPT_NAME#'
</cfquery>

<cfif qThisPageRestricted.recordCount and not SESSION.isAdmin>
  <cfinclude template="/notauth.cfm">
  <cfreturn false />
</cfif>

, , "CFC" , .. onRequestStart() .


+1


REFindNoCase("\/admin\/([A-Za-z_]+)\.cfm", ARGUMENTS.thePage)
0

A better approach would be to put an Application.cfc in the /admin directory, which controls access (possibly based on the SESSION variable set at administrator login), and have this "child" Application.cfc extend the parent one if necessary.

See this question for an example of how to do this: Extending Application.cfc in a subdirectory

0

Source: https://habr.com/ru/post/1790009/
