Highlighted

Read application variables from components outside webroot

LEGEND ,
Aug 28, 2017

Copy link to clipboard

Copied

Hello, all,

I'm trying to set up our projects so that the components folder will not be inside webroot, primarily due to bots attempting to spider our site and generating error emails every time they get to our components folder.

One thing that I've noticed (and it makes sense) is that application variables are not available to the components when the components are not in webroot.  For example, I have a CFTRY/CFCATCH set up in a function that will email the error information to us.  The "to" attribute is set to "application.errorEmail" which is set to my email address in application.cfc, but the components outside webroot can't get application.errorEmail.

Will I have to manually set application variables in the components in order to keep them out of webroot?  Or is there a simpler way to get the application variables to the components?

V/r,

^ _ ^

Views

252

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

Read application variables from components outside webroot

LEGEND ,
Aug 28, 2017

Copy link to clipboard

Copied

Hello, all,

I'm trying to set up our projects so that the components folder will not be inside webroot, primarily due to bots attempting to spider our site and generating error emails every time they get to our components folder.

One thing that I've noticed (and it makes sense) is that application variables are not available to the components when the components are not in webroot.  For example, I have a CFTRY/CFCATCH set up in a function that will email the error information to us.  The "to" attribute is set to "application.errorEmail" which is set to my email address in application.cfc, but the components outside webroot can't get application.errorEmail.

Will I have to manually set application variables in the components in order to keep them out of webroot?  Or is there a simpler way to get the application variables to the components?

V/r,

^ _ ^

Views

253

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Aug 28, 2017 0
Adobe Community Professional ,
Aug 29, 2017

Copy link to clipboard

Copied

In my opinion, it is generally poor design to set an application variable in a component. That is because it increases coupling.

You could improve the design by passing any application variables to the component. Something like this,

<cfcomponent >

    <cfset variables.appVar = "">

   

    <!--- Call init when creating object instances, ensuring each will have a copy of appVar --->

    <cffunction name="init" returntype="any">

        <cfargument name="appVar">   

          <cfset variables.appVar = arguments.appVar>

        <cfreturn this>

    </cffunction>

</cfcomponent>

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Aug 29, 2017 0
LEGEND ,
Aug 29, 2017

Copy link to clipboard

Copied

Hi, BKBK​,

There are too many application variables for me to pass all of them to each component.  And this is being accessed via AJaX for a form submit.  Some of the application variables are email addresses, some are DSN names.  I'm not sure I feel 'secure' sending that information via AJaX.

I guess what I was hoping for would be for a way to either CFINCLUDE the root application.cfc, or somehow extend the root application.cfc into the out-of-webroot components folder.  Are you aware of any way to do either?

V/r,

^ _ ^

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Aug 29, 2017 0
Adobe Community Professional ,
Aug 31, 2017

Copy link to clipboard

Copied

WolfShade  wrote

There are too many application variables for me to pass all of them to each component. 

Then you could pass just one variable, the application scope. That is, the structure.

And this is being accessed via AJaX for a form submit.  Some of the application variables are email addresses, some are DSN names.  I'm not sure I feel 'secure' sending that information via AJaX.

AJAX? I was only thinking of an init() to instantiate the component object. I am assuming that your application accesses the component via a mapping that you have created to point to the CFC folder.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Aug 31, 2017 0
LEGEND ,
Aug 31, 2017

Copy link to clipboard

Copied

I'm using CFAJAXPROXY to bring the CFCs into JavaScript.

<cfajaxproxy cfc="components.ERC" jsclassname="ERC" />

...

<script>

var thisComponent = new ERC();

var postData = $('#' + formObjId).serializeArray();

function displayResult(res){  ... }

function displayFailed(res){ ... }

thisComponent.setHTTPMethod('POST');

thisComponent.setCallbackHandler(displayResult);

thisComponent.setErrorHandler(displayFailed);

thisComponent.dtsSurvey(formArray=postData);

</script>

But with the CFCs existing outside of the application, application variables are broken.  #application.errorEmail# doesn't exist for the CFTRY/CFCATCH emails when something breaks.

I'll give a shot at passing the application scope.  Hadn't considered that. 

The mapping of the component folder is in Application.cfc:

<cfset this.mappings['/components'] = ReplaceNoCase(ExpandPath('.'),'{a lot of regex}/components') />

V/r,

^ _ ^

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Aug 31, 2017 0
Adobe Community Professional ,
Aug 30, 2017

Copy link to clipboard

Copied

Something got me wondering.

WolfShade  wrote

I'm trying to set up our projects so that the components folder will not be inside webroot, primarily due to bots attempting to spider our site and generating error emails every time they get to our components folder.

You could just configure your Robots.txt file to prevent bots from crawling parts of your website.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Aug 30, 2017 0
LEGEND ,
Aug 30, 2017

Copy link to clipboard

Copied

Reputable search engines will comply with robots.txt.  Sadly, not all search engines are reputable.  That would stop maybe 10% of all the bots on the internet.  There are many who completely ignore robots.txt.

Also, Robots.txt will not stop users from trying to spider and find the components folder and access them directly.  Only placing the components folder outside of the webroot will prevent direct unauthorized access to the functions.

V/r,

^ _ ^

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Aug 30, 2017 0