Preventing FW/1 From Reinitialising an App via the URL

One of the things that FW/1 allows you to do is configure a reload “key” and “password” which you can use to reinit your application via URL.

So inside your Application.cfc you might have:

1
2
3
4
5
variables.framework = {
  reload = 'reinit',
  password = "mysecretkey"
}

So you can reinit your application (flush the application scope by re-running onApplicationStart()) by calling something like:

1
http://www.example.com/?reinit=mysecretkey

The “reload” and “password” properties can be changed to whatever you want for securities sake.

We wanted a little extra security, that being the option to never allow an application to be reinitialised via a URL. Typically we want this in a production environment only. What you lose in flexibility, being able to reinit the application quickly and easily after a release/deployment, you (arguably) gain in security. Perhaps this is being a little over-cautious, but we like to be better safe than sorry, especially when reducing possible DOS vectors. Also it makes life easier when dealing with system administrators and/or security audits :)

To achieve this we simply added a new property to the variables.framework structure inside Application.cfc, called “disableReloadApplication”, which accepts true|false. If true, then even if you know the “reload” and “password” values…the application cannot be reinitialised via the URL. So the following would NOT reinit the app:

1
http://www.example.com/?reinit=mysecretkey

A few extra lines were needed inside framework.cfc to make this happen:

setupFrameworkDefaults()

1
2
3
4
5
if ( !structKeyExists(variables.framework, 'disableReloadApplication') ) {
  variables.framework.disableReloadApplication = false;
}

and isFrameworkReloadRequest()

1
2
3
4
5
return ( !variables.framework.disableReloadApplication &&
  ((isDefined( 'URL' ) &&
  structKeyExists( URL, variables.framework.reload ) &&
  URL[ variables.framework.reload ] == variables.framework.password ) ||
  variables.framework.reloadApplicationOnEveryRequest));

Although we could have extended framework.cfc with our own file (and just defined these 2 methods), we just altered the original framework.cfc as we store a local copy in source control that all our projects can draw from.

Here is the fork of FW/1 (really just a change to framework.cfc), version 2.0.1.

Comments