QuickTip: The Implications of Using CFCONTENT on a Production Server

Jul 10, 2000
by Michael Smith

On the CFAussie list, Greg McCarthy said that he is auto-generating a CSV format file from the results of a query, and using CFCONTENT to kick off the download. He had three questions:

  1. At the moment, the filename the browser prompts the user to save is called search_results.cfm (the code that generates the CSV). Is it possible to change the downloading filename (bearing in mind that all of this output is dynamically generated by a .cfm page)?

    Michael Smith (michael@teratech.com) said that Greg could add an extra path of the file name one wanted to save as. For example, in his A HREF to the page, instead of http://www.mysite.com/search_results.cfm, Greg would put http://www.mysite.com/search_results.cfm/myotherfilename.csv.

    This would change the download file name to myotherfilename.csv.

  2. What are the security implications of enabling CFCONTENT on the server this will be run on?

    Michael said that another programmer could use CFCONTENT in a CFM file to display any of the source code from any of the files in any directory on the box. They would have to first upload this naughty CFM to the box...

  3. If one is unable to use CFCONTENT, what else can do the same thing?

    There is an article on this subject on the MDCFUG site (http://www.cfug-md.org/meetings.cfm). The article is called "Joan Falcao from NIST spoke about 'Downloading CF Data into Excel'", and the file is http://www.cfug-md.org/ExportExcel.ppt.
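The following is an added example, not code from the CFAussie thread or from Greg or Michael, covering questions 1 and 2 together: a search_results.cfm that builds the CSV in memory from a query and sends it with CFCONTENT under a chosen download name. The query itself is constructed inline with QueryNew so the page runs stand-alone; the column names, the download name myotherfilename.csv and the CF5-era results[col][row] syntax are assumptions. Besides the extra-path trick Michael describes, the page sets a Content-Disposition header, which is the header browsers use for the suggested file name.

```cfml
<!--- search_results.cfm (added example, not the original poster's code).
      Builds a CSV file from a query result and pushes it to the browser
      as a download named myotherfilename.csv. --->

<!--- Constructed sample data standing in for the real search query --->
<cfset results = QueryNew("id,name,city")>
<cfset QueryAddRow(results, 3)>
<cfset QuerySetCell(results, "id",   "1",               1)>
<cfset QuerySetCell(results, "name", "Smith, Michael",  1)>
<cfset QuerySetCell(results, "city", "Rockville",       1)>
<cfset QuerySetCell(results, "id",   "2",               2)>
<cfset QuerySetCell(results, "name", "O'Brien ""Ozzy""", 2)>
<cfset QuerySetCell(results, "city", "Sydney",          2)>
<cfset QuerySetCell(results, "id",   "3",               3)>
<cfset QuerySetCell(results, "name", "Falcao, Joan",    3)>
<cfset QuerySetCell(results, "city", "Gaithersburg",    3)>

<cfset crlf = Chr(13) & Chr(10)>

<!--- Header row: every field is double-quoted so commas inside values are safe --->
<cfset csv = '"' & Replace(results.columnList, ",", '","', "ALL") & '"' & crlf>

<!--- Data rows: a literal double quote inside a field is doubled ("" ) per CSV rules --->
<cfloop query="results">
  <cfset row = "">
  <cfloop list="#results.columnList#" index="col">
    <cfset cell = Replace(results[col][results.currentRow], '"', '""', "ALL")>
    <cfset row = ListAppend(row, '"' & cell & '"')>
  </cfloop>
  <cfset csv = csv & row & crlf>
</cfloop>

<!--- Assumed download name; the browser uses this instead of search_results.cfm --->
<cfset downloadName = "myotherfilename.csv">
<cfheader name="Content-Disposition" value="attachment; filename=#downloadName#">

<!--- reset="yes" discards any whitespace already generated above, so the
      download starts with the CSV header row. No file attribute is used:
      the body comes from the string built above, not from a file on disk. --->
<cfcontent type="text/csv" reset="yes"><cfoutput>#csv#</cfoutput>
```

The point relevant to question 2 is the last tag: CFCONTENT is used only with `type` and `reset`, never with `file`. The exposure Michael describes comes from the `file` attribute, which reads whatever path it is given with the ColdFusion server's own privileges; a page that never takes a path from the request cannot be turned into a file reader, and a page that must serve files from disk should build the path from a fixed directory and a bare file name rather than from a caller-supplied path. Whether `file` is available at all is controlled by the server-level "enable CFCONTENT" setting the question refers to.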
