Mango



Thread: CreateObject(java)

Created on: 10/13/07 03:01 PM


Replies: 3
JoshRodgers


Joined: 07/24/06
Posts: 161

10/13/07 3:01 PM

Laura,

I have a security setting from my host company that does not allow createObject(java).

After I set up Mango and tried to access the admin section, I received the security error message.

Is there a way around using createObject(java)?

The error occurred in ...\FileManager.cfc: line 33



31 :    <cfargument name="extensions" required="false" default="*" type="string">
32 :    
33 :       <cfset var rootDir = createObject("java","java.io.File").init(arguments.root)/>
34 :       <cfset variables.basePath = rootDir.getCanonicalPath()/>
35 :       <cfset this.path = variables.basePath/>

JoshRodgers


Joined: 07/24/06
Posts: 161

10/13/07 10:19 PM

Laura,

The host co I am using won't allow createObject(java) because of the security issues when it's allowed. Actually most host companies won't allow it.

Can any of the cfdirectory, cffile, or any of the "Get" file path functions be used to replace what you have in fileManager.cfc? Currently it poses a major security issue on shared hosting environments, which is where most blogs run.

<cffunction name="init" output="false" returntype="any" hint="instantiates an object of this class" access="public">
   <cfargument name="root" required="true" type="any">
   <cfargument name="extensions" required="false" default="*" type="string">

      <cfset var rootDir = createObject("java","java.io.File").init(arguments.root)/>
      <cfset variables.basePath = rootDir.getCanonicalPath()/>
      <cfset this.path = variables.basePath/>
      <!--- check that the base path exists --->
      <cfif NOT directoryexists(variables.basePath)>
         <cfthrow message="Base path does not exist"/>
      </cfif>

      <cfset variables.extensions = arguments.extensions />
      <!--- get the system file separator --->
      <cfset variables.fileSeparator = createObject("java","java.io.File").separator />

      <cfreturn this />
</cffunction>

<cffunction name="getResolvedPath" output="false" description="Returns the absolute path"
               access="private" returntype="string">
   <cfargument name="path" required="true" type="string" />

      <cfset var dir = createObject("java","java.io.File").init(variables.basePath & arguments.path) />
      <cfreturn dir.getCanonicalPath() />

</cffunction>



Links on security issues:
http://www.adobe.com/devnet/security/security_zone/mpsb04-10.html
http://forums.webhostautomation.com/showthread.php?t=7036
Laura

Wizard
Joined: 01/29/05
Posts: 1538

10/14/07 9:05 PM

Hi Josh,
The simplest fix would be to remove the File Explorer if you don't plan to use it.

As a general solution, I would have to see what I can do. Most of the calls are simply to get the correct platform file separator, which would be easy to replace, but the getCanonicalPath call would be more difficult to change. I use that to make sure the file explorer is not trying to navigate off the allowed root directory. There is one function I think I could use, but I would need to investigate a little more.
JoshRodgers


Joined: 07/24/06
Posts: 161

10/15/07 6:59 AM

Good morning Laura,

I went with the simplest fix for now, although I already miss the file explorer :)

Looks like you only call that java object 3 times in the fileExplorer.cfc, once for the file separator on the system and twice when you call the getCanonicalPath() (init function and getResolvedPath function).

I started playing with it Sunday trying to find a fix, but ran out of time so I just commented out all the calls to the fileExplorer temporarily.
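
An added example, not Mango's code and not posted by anyone in this thread: one way to keep a file explorer inside its root without createObject("java"), by normalizing the requested path lexically in CFML and refusing any ".." that would climb above the root. The function name resolveUnderRoot and the exception type are hypothetical, and the result uses "/" as separator on the assumption that the file tags accept it on every platform; unlike getCanonicalPath() this does not resolve symbolic links, so it assumes the root contains none that point outside it.

```cfml
<!--- Added example: lexical containment check, no Java objects required --->
<cffunction name="resolveUnderRoot" output="false" access="public" returntype="string"
            hint="Returns basePath plus the normalized relative path, or throws if the path leaves basePath">
   <cfargument name="basePath" required="true" type="string" />
   <cfargument name="relPath" required="true" type="string" />

   <cfset var root = "" />
   <cfset var parts = "" />
   <cfset var kept = arrayNew(1) />
   <cfset var seg = "" />
   <cfset var i = 0 />

   <!--- treat "\" and "/" alike and drop trailing separators from the root --->
   <cfset root = reReplace(replace(arguments.basePath, "\", "/", "all"), "/+$", "") />
   <!--- listToArray skips empty elements, so "a//b" and a leading "/" are harmless --->
   <cfset parts = listToArray(replace(arguments.relPath, "\", "/", "all"), "/") />

   <cfloop from="1" to="#arrayLen(parts)#" index="i">
      <cfset seg = parts[i] />
      <cfif compare(seg, ".") EQ 0>
         <!--- current directory: nothing to do --->
      <cfelseif compare(seg, "..") EQ 0>
         <!--- a ".." with nothing left to pop would step above the root --->
         <cfif arrayLen(kept) EQ 0>
            <cfthrow type="FileManager.PathOutsideRoot"
                     message="Requested path leaves the allowed root directory" />
         </cfif>
         <cfset arrayDeleteAt(kept, arrayLen(kept)) />
      <cfelse>
         <cfset arrayAppend(kept, seg) />
      </cfif>
   </cfloop>

   <cfif arrayLen(kept) EQ 0>
      <cfreturn root />
   </cfif>
   <cfreturn root & "/" & arrayToList(kept, "/") />
</cffunction>
```

With a constructed root of /var/www/blog/assets, the relative path images/../docs/a.txt resolves to /var/www/blog/assets/docs/a.txt, while ../config or images/../../config throws before any file access happens.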