G'day:
Remember this one: "
ColdFusion 11: preventing files from being included? WTF, Adobe?". I can confirm this
verymoderatelyslightly contentious feature has been changed in ColdFusion 11, but the docs have not been updated to reflect the change.
(Note: this functionality was changed to
compileextforinclude
, by the time ColdFusion 11 was actually released).
The issue is summarised thus (from the article linked-to above):
[...]out of the box ColdFusion 11 will only allow the inclusion of CFML and HTML files. Why? They cite "for security reasons". Here's a quote (posted in the bugtracker, originally from the pre-release forums):
"Vamseekrishna Manneboina: Yes, this was done as part of a security measure. You can now only include CFM/CFML files by default. You can specify additional extensions via a property called allowedextforinclude in neo-runtime.xml. By default, HTM and HTML file extensions are already added to this list/property, thereby allowing for inclusion of HTM and HTML files too by default."
OK, I disagree there's merit in this, some others agree, others disagree. But... so be it. I actually thought - if I was in a charitable mood - that the people that were "for" this change made a
reasonable case for its inclusion, so - whilst not agreeing with them - I was content to just shrug and go "yeah, oh well".