Adobe ColdFusion 8

Configuring a sandbox

Before you begin security sandbox configuration, analyze your application and its usage to determine the tags, functions, and resources that it requires. You can then configure the sandbox to enable access to the required resources and disable use of the appropriate tags and functions. For example, if the applications in the sandbox do not use the cfregistry tag, you can safely disable it.

Note: In the Standard Edition, the Root Security Context is the only sandbox. There is no initial list of defined directory permissions.

Configure a sandbox

  1. Open the Security > Sandbox Security page (Security > Resource Security page in the Standard Edition) in the ColdFusion Administrator.
  2. (Enterprise Edition only) In the list of Defined Directory Permissions, click the name or Edit icon for the directory.

    A page with several tabs appears. This is the initial page in the Standard Edition. The remaining steps describe the use of each tab.

  3. To disable a data source, in the left column of the Datasources tab, highlight the data source, and click the right arrow.

    By default, ColdFusion pages in this sandbox can access all data sources.

    Note: If <<ALL DATASOURCES>> is in the Enabled Datasources column, any data source that you add is enabled. If you move <<ALL DATASOURCES>> to the Disabled Datasources column, any new data source is disabled.

  4. Click the CFTags tab.
  5. To disable tags, in the left column of the CFTags tab, highlight the tags, and click the right arrow.

    By default, ColdFusion pages in this sandbox can access all listed tags.

  6. Click the CFFunctions tab.
  7. To disable functions, in the left column of the CFFunctions tab, highlight the functions, and click the right arrow.

    By default, ColdFusion pages in this sandbox can access all listed functions.

  8. Click the Files/Dirs tab.
  9. To enable files or directories, in the File Path box, enter or browse to the files or directories; for example, C:\pix. A file path that consists of the special token <<ALL FILES>> matches any file. For information on using the backslash-hyphen (\-) and backslash-asterisk (\*) wildcard characters, see About directories and permissions.
  10. Select the permissions.

    For example, select the Read check box to let ColdFusion pages in the mytestapps sandbox read files in the C:\pix directory.

  11. Click Add Files/Paths. When you edit an existing sandbox, this button reads Edit Files/Paths.

    The file path and its permissions appear in the Secured Files and Directories list.

  12. In the Secured Files and Directories list, verify that the file path is correct.

    The character after the backslash is important. For information, see About directories and permissions.

    Note: The Files/Dirs tab works together with the file-based permissions of the operating system. To restrict a user from browsing another user's directory, you must use file-based permissions.

  13. Click the Server/Ports tab.
  14. To turn off the default behavior (global access to all servers and ports), enter the IP addresses and port numbers that pages in this sandbox can connect to by using tags that access external resources (for example, cfmail, cfpop, cfldap, and cfhttp). You can specify an IP address, a server name (such as www.someservername.com), or a domain name (such as someservername.com). You can optionally specify a port restriction.

    Note: This behavior differs from other tabs, such as CFTags, where you select items to disable. If you set any values in this tab, external-resource tags executed in this sandbox can access only the specified servers and ports.

    For example, to allow this sandbox access to 207.88.220.3 on ports 80 and lower, perform the following steps:

    1. In the IP Address field, enter 207.88.220.3.
    2. In the Port field, enter 80, and click This Port and Lower.

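    Note: To deny access by these ColdFusion tags to an entire site, enable access for a local resource, such as your local mail server or FTP server. Because setting any value in this tab restricts the tags to the specified servers and ports, all other destinations are then denied.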

  15. Click Finish to save changes to the sandbox.
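
The Server/Ports behavior in step 14 can be checked on paper before you click Finish. The following Python sketch is an added example, not Adobe code or a ColdFusion API: it models the tab as described above (empty means global access, any entry turns it into an allowlist) and reports which destinations from your application analysis would be denied. The Entry type, the host mail.example.internal, the subdomain matching rule, and the "port without This Port and Lower means that port only" rule are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    """One row of the Server/Ports tab (hypothetical model, not a ColdFusion API)."""
    host: str                     # IP address, server name, or domain name
    port: Optional[int] = None    # None = no port restriction
    and_lower: bool = False       # True = "This Port and Lower"

def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _host_matches(entry_host: str, host: str) -> bool:
    e, h = entry_host.lower(), host.lower()
    if _is_ip(e) or _is_ip(h):
        return e == h             # IPs compare literally; no DNS lookup is done here
    # Assumption: a domain-name entry also covers hosts inside that domain.
    return h == e or h.endswith("." + e)

def _port_matches(entry: Entry, port: int) -> bool:
    if entry.port is None:
        return True
    # Assumption: a port given without "This Port and Lower" means that port only.
    return port <= entry.port if entry.and_lower else port == entry.port

def is_allowed(entries: list[Entry], host: str, port: int) -> bool:
    """Empty tab keeps the default (global access); any entry makes it an allowlist."""
    if not entries:
        return True
    return any(_host_matches(e.host, host) and _port_matches(e, port) for e in entries)

def blocked(entries, needed):
    """Return the (host, port) pairs the application needs that would be denied."""
    return [(h, p) for h, p in needed if not is_allowed(entries, h, p)]

# Constructed sample: the entry from the example above plus a local mail server.
SANDBOX = [Entry("207.88.220.3", 80, and_lower=True), Entry("mail.example.internal", 25)]
NEEDED = [("207.88.220.3", 80), ("207.88.220.3", 443),
          ("mail.example.internal", 25), ("www.someservername.com", 80)]

if __name__ == "__main__":
    for host, port in blocked(SANDBOX, NEEDED):
        print(f"blocked by sandbox: {host}:{port}")
```

Note that an entry of 80 with This Port and Lower also permits every lower port on that host, such as 21 and 25, so check that range against what the application actually needs.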