Security of files

Just wanted to ask what is the best process to ensure files are secure and can’t be downloaded within FarCry 7.

We’ve determined that if you know an actual file name, you can access files despite the fact they’re living within the projects securefiles directory.

Is this the case with everyone or am I missing something? Are my rewrite rules wrong (I’ve pasted them in below)?

RewriteCond %{REQUEST_URI} !(^/farcry|^/webtop|^/flex2gateway|^/flashservices|^/CFIDE)($|/)
RewriteRule ^([a-zA-Z0-9\/\-\%:\[\]\{\}\|\;\<\>\?\,\*\!\@\#\$\ \(\)\^_`~]*)$ /index.cfm?furl=$1 [L,PT,QSA]

In FarCry 7 we’ve introduced CDN configuration, which lets you change where files are stored. For example you can put something like this in _serverSpecificVarsAfterInit.cfm:

<cfset setLocation(name="privatefiles",cdn="local",fullpath="/some/path/outside/webroot") />

and FarCry will store and serve secure files from there.

In previous versions of FarCry (or if you don’t want to move the files), you need to enforce the security in the web server by blocking direct access to /farcry/projects/yourproject/securefiles


1 Like

Forgot to mention:

The “best practice” setup for FarCry is:

  • web server serves files from /farcry/projects/yourproject/www
  • Raio/ColdFusion mapping to /farcry
  • web server alias for /webtop -> /farcry/core/webtop

With this setup, nothing outside the www directory is accessible externally.


1 Like

Awesome, thanks blair. We’ll proceed with this.

Hey Blair,

Okay, we seemingly have this working. We’ve added this to the _serverSpecificVarsAfterInit.cfm:

 <cfset application.fc.lib.cdn.setLocation(name="privatefiles", cdn="local", fullpath="/vagrant/secure-files") />

Then we we do:

 <cfset application.fc.lib.cdn.getLocation(name="privatefiles") />

We get the correct path back. So then I went ahead and dumped out application.path and noted the securefiles key value didn’t match.

Could you explain the relationship between ‘privatefiles’ and ‘securefiles’?

Thank you!

The media paths in application.path are deprecated - I should probably remove them from core. As of 7 FarCry refers to every uploaded file in terms of “locations”.

Files uploaded with the file formtool are stored in the “privatefiles” and “publicfiles” locations, depending on whether the property has ftSecure="true" or not, image formtools put files in the “images” location, etc. Every file operation (should) be going through the application.fc.lib.cdn API. That goes for everything from checking if a file exists (ioFileExists) to getting a URL for serving a file (ioGetFileLocation).

If you need to do any file management in your own code, I recommend you also use that API. You’ll thank me if you ever have to move your media to S3 or a FTP CDN server.


Sounds good.

Should I raise a bug for deleting those paths from core? It would be great to see them removed if they’re not longer relevant.

Please raise a ticket, thanks.