Using command line executables to help leverage ColdFusion’s incredible power!
By: Ivan Spaeth
Ever wanted to do something a little more than what ColdFusion was capable of doing? Kind of a broad question, right? What about scanning files for viruses? Spell checking form fields? Creating websites in IIS? Apache? You can pretty much do whatever you want "in" ColdFusion!!!! Well, that is not exactly true, but you can use ColdFusion to get your OS (operating system) to do whatever you want. Depending on your service provider you may or may not have permission to use the following tags. Please contact your hosting provider for details.
Say hello to your best friend: <cfexecute>.
(Please note: Remember that running commands on your command line or shell can be very powerful, but it can also be very dangerous! Please use EXTREME caution when running commands on your system).
Its use is fairly simple. It runs a command on your shell (Linux term) or command line (Windows term). I'll give examples on both a Windows box and a Linux box.
Windows Example: Imagine for a moment you have an application that allows users to upload pictures to a photo gallery. Why not scan the pictures for viruses using Norton Antivirus at the time of upload? Sounds like a cool idea... I'll show you how.
(This tutorial uses a utility called Vpscan.exe provided by Norton Antivirus. Here is the info on this utility: http://service1.symantec.com/SUPPORT/ent-security.nsf/9d94c8571a91ba4788256bf3007f62b5/7fce382ff2eacc1288256c4d0050c605?OpenDocument&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=8.x&src=ent&pcode=sav_ce&dtype=corp&svy=&prev=&miniver=sav_8_ce)
(I'll let you create the form to upload the document; this is just the form's action page. Make sure the file input is named "file".)
Upload the file to the server. I am placing this file in a temp directory before it is moved to its final directory.
<!--- Upload the file --->
<cffile action="upload" fileField="file" destination="c:\temp\" nameConflict="makeUnique">
<!--- Scan the file using the command line utility.
      cffile.serverFile is the name ColdFusion actually wrote to disk, so that (not the
      client-supplied name) is what gets passed to the scanner. The scanner options are
      left as a placeholder; the original article does not list them. --->
<cfexecute name="[enter the directory to your utility here]\vpscan.exe"
           arguments="[vpscan options that delete infected files] c:\temp\#cffile.serverFile#"
           timeout="60">
</cfexecute>
<!--- Move the file to its final destination.
      I use a cftry here in case the file has a virus. If so the file is deleted above and will throw an error to the cffile operation. --->
<cftry>
    <cffile action="move" source="c:\temp\#cffile.serverFile#" destination="c:\finaldestination\#cffile.serverFile#">
    <cfcatch type="any">
        The file contained a virus and was not uploaded!
    </cfcatch>
</cftry>
You can do a lot more with the above example. Such as write the date the file was scanned to a database, quarantine items using extra commands on the command line, etc. Hopefully you will get the idea.
Linux/Unix Example: There are about a million little commands on the Linux/Unix OS you can leverage in your web apps. One of my favorite things to do is spell check form fields. I see some custom tags out on the web that run for hundreds of dollars! This can be accomplished very easily on the Linux shell.
We are going to check the form field form.text for misspelled words. This snippet assumes that this form field has been supplied.
Strip out all the quotations from the form field.
<cfset form.text = replaceNoCase(form.text, chr(34), "", "ALL")>
Run the command line to spell check the form field. I will also lock the session since I am naming a temporary file after the session CFID. Note that cfexecute starts the program directly rather than through a shell, so a pipe such as "echo ... | spell" cannot be used as the command name; the text is written to a file first and that file is handed to spell.
<cflock scope="session" type="exclusive" timeout="30">
    <!--- Write the text to a temporary file named after the session CFID. --->
    <cffile action="write" file="/tmp/#CFID#.txt" output="#form.text#">
    <!--- Run spell on that file (no shell involved) and send its output to a second file. --->
    <cfexecute name="/usr/bin/spell" arguments="/tmp/#CFID#.txt" timeout="30" outputFile="/tmp/#CFID#"></cfexecute>
    <!--- Read the file created by the command and display it to the user. --->
    <cffile action="read" file="/tmp/#CFID#" variable="words">
</cflock>
<cfoutput>#htmlEditFormat(words)#</cfoutput>
There are about a million different commands on a Linux/Unix system that you can run that will give you even more power! In fact you could probably build an entire server management utility like webmin or something for both Windows and Linux/Unix.
The true power comes from the ability to make batch files (Windows) or shell scripts (Linux) and use these "programs" to run more "programs" and whatnot. There is really nothing you cannot do on the command line. It all depends on your imagination! Check out some of these great links on command line or shell.
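The following is an added example and is not code from the original article. It shows the spell check built so that nothing the user typed ever reaches a shell or a command line: the program comes from a fixed allow-list, the only argument is a file the application itself created under a fixed scratch directory, and the file name is generated rather than derived from the session. The same wrapper applies to the Windows scanner example above, where the scanner would be another allow-list entry and cffile.serverFile its only argument. The paths /usr/bin/spell and /var/tmp/cfscratch/ are assumptions; adjust them for your server.

```cfml
<!--- Added example (not from the original article). Assumed paths: adjust for your server. --->
<cfset scratchDir = "/var/tmp/cfscratch/">
<cfset allowedPrograms = { "spell" = "/usr/bin/spell" }>

<cffunction name="runOnScratchFile" returntype="string" output="false"
            hint="Run an allow-listed program on one file in the scratch directory and return its stdout.">
    <cfargument name="program" type="string" required="true">
    <cfargument name="fileName" type="string" required="true">
    <cfset var result = "">

    <!--- Only keys of the allow-list may run; the caller never supplies a path. --->
    <cfif NOT structKeyExists(allowedPrograms, arguments.program)>
        <cfthrow type="Application" message="Program not permitted: #arguments.program#">
    </cfif>
    <!--- A bare name with no separators, spaces, quotes or leading dash cannot escape
          scratchDir and cannot be read as an option by the program. --->
    <cfif NOT reFind("^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.txt$", arguments.fileName)>
        <cfthrow type="Application" message="File name rejected">
    </cfif>

    <!--- cfexecute starts the program directly; there is no "echo ... | spell" and no shell.
          Output is captured in a variable instead of a predictable file under /tmp. --->
    <cfexecute name="#allowedPrograms[arguments.program]#"
               arguments="#scratchDir##arguments.fileName#"
               timeout="30"
               variable="result"></cfexecute>
    <cfreturn result>
</cffunction>

<cffunction name="misspelledWords" returntype="array" output="false"
            hint="Spell-check a block of text and return the words spell reported.">
    <cfargument name="text" type="string" required="true">
    <!--- Random file name: no session lock needed and nothing for another user to guess. --->
    <cfset var fileName = createUUID() & ".txt">
    <cfset var output = "">

    <cffile action="write" file="#scratchDir##fileName#" output="#arguments.text#">
    <cftry>
        <cfset output = runOnScratchFile("spell", fileName)>
        <cffinally>
            <!--- Always remove the scratch file, even if spell failed. --->
            <cffile action="delete" file="#scratchDir##fileName#">
        </cffinally>
    </cftry>
    <!--- spell prints one word per line; turn that into an array. --->
    <cfreturn listToArray(trim(output), chr(10) & chr(13))>
</cffunction>

<!--- Usage on the form's action page. --->
<cfif structKeyExists(form, "text")>
    <cfset words = misspelledWords(form.text)>
    <cfoutput>
        <cfif arrayLen(words) EQ 0>No misspelled words found.
        <cfelse>Possible misspellings: #htmlEditFormat(arrayToList(words, ", "))#</cfif>
    </cfoutput>
</cfif>
```

Because the program path and its single argument are both under the application's control, the quotation-stripping step from the article is no longer needed for safety; it only ever mattered when the text was being pasted into a shell command. The scratch directory should be writable by the ColdFusion service account and by nothing else.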
my eyes are bleeding
Unfortunately cfexecute will be and should be disabled by every single host that supports ColdFusion. If your host does have cfexecute enabled and you're on a shared server, I suggest you find a new host, as their server is totally insecure. As the above code shows you, you can do anything on a server with cfexecute; so can every other customer on the server, including deleting/hacking/editing/copying your website or files, or simply hacking the entire server.