问题
Several pieces of ColdFusion functionality - media player and multi file uploader - are predicated on JavaScript libraries being available at /CFIDE/scripts, even if the scriptsrc is configured in Application.cfc. See the bug here for a point of reference: http://www.elliottsprehn.com/cfbugs/bugs/83328
Unfortunately exposing the CFIDE directory as-is from a ColdFusion installation is a security risk. So I'm trying to decide the right path forward to enable my application's use of this functionality whilst not exposing this hole. The wrinkle is that I am shipping a product so I am trying to imagine a solution that I can either automate with an installer or document easily enough that a system administrator should have no trouble setting up.
These are the options I've come up with:
- Document to, or have the installer, create an empty directory and virtually map it as
/CFIDE. Copy the contents of thescriptsfolder from the ColdFusion installation beneath it. - Distribute just the files I need modified and ensure the referenced .swfs are in the whatever location it's changed to (paths are relative to CFIDE/scripts):
/ajax/package/cffileupload_swf.js/ajax/package/cfmediaplayer.js
Which option seems better? Or do you have a better idea?
回答1:
You could simply map the full scripts folder. Rather than map /CFIDE, map /CFIDE/scripts. This would expose the scripts folder, but /CFIDE wouldn't exist at all.
Another similar option is to copy the scripts folder to somewhere "common" and again create a /CFIDE/scripts mapping to this folder.
Both of these solutions are virtually identical, but the second is probably better for the truly paranoid.
来源:https://stackoverflow.com/questions/4339749/workaround-for-cfide-not-web-accessible-for-ajax-and-flash-built-ins