I have just noticed something odd with ColdFusion 8 when you have security enabled in the enterprise edition.
CFinclude does not work by default and gives an access denied error. You *MUST* create a sandbox for every site in order for CFinclude to work.
The reason why this is so odd is because you cannot actually disable CFinclude even if you want to, as it is not included in the of enabled/disabled list of tags, it seems CF has just decided to disable it by default.
Now it turns out that CFinclude is also not sandboxable in CF6/7 either, but at least it worked by default without having to setup a sandbox.
I wonder why Macrodobe decided to exclude this tag? It is a security issue as it does provide filesystem access as it allows you to include a file from anywhere on the same drive as the template, or if using available mappings, anywhere on the entire server. Granted it is of limited use as you would also need cfcontent to easily make any file downloadable, but a clever developer could get around that.
Nov 14, 2007 at 7:00 AM Hi Russ,
Could you provide detailed information (like the configuration you are using, the Web Server etc) and also the steps to reproduce the issue, if possible. I tried turning on security and executing
a simple cfinclude test and it worked fine for me.
Thanks,
Vamsee
Adobe ColdFusion Team
Nov 14, 2007 at 12:12 PM Our setup is thus.
a default security sandbox is created for the folder where all web sites are stored, e.g.
d:\WWWROOT
This sandbox denies access all tags and functions that give any kind of file system access
For each web site a sandbox is then created on request to allow access to the restricted tags/functions
e.g.
d:\WWWROOT\domain.com\
Unless this is created cfinclude does not work.