Sunday, 30 August 2015

ColdFusion: exactly what you are installing when you install this recent security "hot fix"

Adobe recently released a security fix for a security issue in ColdFusion's Flash Remoting services. It impacts all versions of ColdFusion which ship with Flash Remoting (that's at least ColdFusion 9 through ColdFusion 11, but possibly older versions too). Only CF10 and CF11 have been patched, although Piyush claims to have instructions for patching CF9 although is not being helpful about sharing this info with the ColdFusion community for some reason.

This morning I read an article from ZDNet ("Adobe issues hotfix patch for ColdFusion vulnerability") wherein Adobe appear to have claimed that this fix is a "A hotfix, otherwise known as a Quick Fix Engineering update (QFE update), is a lightweight software patch". This is somewhat of a misrepresentation of reality on the part of either Adobe or ZDNet. I suspect ZDNet are just reporting what Adobe told them.

The "patch" that was released was rolled into all other previous fixes released for ColdFusion, and one does not have the option to simply apply the one-off security fix; one also needs to apply every single other fix Adobe have ever released for the product.

This represents quite a heavy regression-testing burden for anyone thinking of applying the patch. It is not just a matter of installing one small patch and then regression testing a small subset of potential touchpoints in one's CFML application; it means a complete regression testing of everything Adobe have "fixed" in previous patches. And given the ColdFusion Team have a habit of introducing new bugs with these monolithic updates they give us, this is not something that ought to be taken lightly.

To put things in perspective, here is a list of all the fixes shipped with this "quick fix engineering update", for ColdFusion 11:

Thursday, 27 August 2015

ColdFusion: another security hole has been patched (CF10 and CF11)

Just so yer aware, another update for ColdFusion was released this afternoon (UK time). Apparently there's a security hole in ColdFusion's BlazeDS integration which has been fixed. I don't actually know what CF uses BlazeDS for, I have to admit. I don't even know what BlazeDS even is, now that I come to think of it. [quickly googles...]

BlazeDS is a server-based Java remoting and web messaging technology that allows you to connect to back-end distributed data and push data to Adobe Flex and Adobe Integrated Runtime (AIR) Rich Internet applications (RIA).

So no wonder I didn't know what it was.

Anyway, Anit said on the Slack channel that it will on affect you if yer using BlazeDS, so that's probably not most people.


Seems I've misinterpreted what Anit said, or something, as Rupesh - who is now on the CFML Slack Channel too - has just clarified with this:

Regarding the blazeds 0-day vulnerability that we patched a day back, It seems like there is an impression that the server is not impacted if you are not using blazeds. Your server is not impacted *only* if you have disabled flash remoting. By default it is enabled and hence your server is impacted.

Please make sure to apply this update

The Adobe blog article about it is here: "ColdFusion 11 Update 6 and ColdFusion 10 Update 17 now available". Make sure to subscribe to the comments on that thread to keep yourself up to date with anything "untoward" in the update process. I've not installed it myself yet. Obviously make sure to test the update in your test lab first. Don't just stick it straight on your live boxes. Also bear in mind that CF updates are cumulative, so as well as this particular fix, it'll include all the other bugfixes too, so there's a lot of moving parts that could cause you grief. Regression test thoroughly.

I guess if you're using CF9 or older you're SooL, I'm afraid.

Update re ColdFusion 9:

Piyush has indicated Adobe do have instructions as to how to patch ColdFusion 9 servers, but instead of just posting them like a responsible vendor would do, one has to email him to get them. Groan. However Dave Epler has documented his steps to patch CF9 on his blog: "Manually Patching ColdFusion 9 with APSB15-21 (CVE-2015-3269)". Dave knows what he's doing, so you'll be safe in his hands. Safer than in Adobe's, it would seem.

That's it.


CFML: how should int() behave?

One of the scintillating conversations on the CFML Slack channel today was regarding people's expectations of CFML's int() function. Ross had this expression:

int(35 - (1013 / (13+1)))

And he quite legitimately expected the result to be -37 (the float value before converting to an int is -37.357142857143). However because CFML is daft (IMO), its integer conversion follows this rule:
Calculates the closest integer that is smaller than number.
Which means the result of the expression is -38.

What it should do is simply return the integer part of the number. It's not a rounding function, it's a conversion function.

I thought there might be a precedent in other languages, but here's some code samples:

public class TestInt {

    public static int toInt(Double f){
        return f.intValue();

Returns 37 when passed -37.357142857143.

irb(main):004:0> -37.357142857143.to_i
=> -37


groovy:000> (int) -37.357142857143
===> -37

>>> int(-37.357142857143)

user=> (int -37.357142857143)

Oops! Almost forgot PHP (I actually did forget... this is being added during a re-edit)
$f = -37.357142857143;
$i = (int) $f;
echo $i;

You get the idea.

So... it's a bit late in the game to fix int() in CFML, but John Whish has raised a ticket for ColdFusion: "Deprecate `int` in favour of `floor`" (4044533). This makes good sense to me. CFML already has a ceiling() function, so it makes sense to also have floor(). Now one can use fix() in CFML to get the right result, but that's not as logical as a floor() function, IMO.

Is there any precedent in any other language for an int() operation to actually do rounding instead?


Wednesday, 26 August 2015

CFML: ways to help or be helped with ColdFusion and Lucee

This article has been inspired by "reports of the death of the House of Fusion CFML forums are not greatly exaggerated". I dunno of anyone has been able to reach whoever represented the human manifestation of HoF, or just the continued radio-silence has been inferred as demise.

Russ from CFMLDeveloper has started a new Google Group to fill the void left by HoF disappearing:

And, indeed here they are @!forum/cfmldeveloper:

Dom Watson also quickly reminded people that there's the #CFML Slack channel too:

If I was being uncharitable, I'd observe that Dom's choice of words there might sound a bit dismissive of Russ's efforts, for some reason. But I'd never be uncharitable.

Sunday, 23 August 2015

JavaScript: running Jasmine unit tests from the CLI

I can't see as this will be very long as I've not much to say about it, and it was surprisingly quick to sort out once I bothered to do so.

My weekend mission was going to be to start getting up to speed with Clojure, by reading & working through the relevant chapters from Seven Languages in Seven Weeks, but whilst that kept me occupied on my flight from London to Shannon, I didn't really revisit it after that, as I got sidetracked on these Jasmine tests. Well firstly I decided my mission would be to do a Clojure version of my "get a subseries" quiz ("Something for the weekend? A wee code quiz (in CFML, PHP, anything really...)"), and before doing that I wanted to get a working version of the code I discussed in "Some CFML code that doesn't work" working, chosing JavaScript as my control language. And in deciding to do that, I decided not to just copy and paste it into the browser console to test it, I decided to do it properly and do a file-system-based exercise running it via Node (note to Acker: I already use Node. Just sparingly because the need for it doesn't crop up for me that often. You don't actually have any special knowledge the rest of us also don't already have). And if I was gonna do that, then I was also gonna get Jasmine working via Node too, as we actually do have a real requirement for this at work. We have an ever increasing amount of ever increasingly complex JS in our application... and so far not a line of testing gets done on it. We're shifting our mindset to be writing more testable JS: reducing inline callbacks; putting a much of our code in "class" file, and writing small, clean, testable methods an the like all ready for testing... but getting the actual test infrastructure up and running is just not happening.

So, anyway... other than installing Clojure via Leiningen and runing "G'day World" via the REPL, my Clojure investigations didn't move much.

But  I got the JavaScript version of my CFML code running, and also got its tests running via the commandline too. So that's cool.

Thursday, 20 August 2015



There's always this:

I don't know quite what to make of that, but "thanks" to Nic from the CFML Slack channel, anyhow.


Killing a muppet

Firstly, if you feel so inclined, please take a refresher on my communications policy.

Secondly... I deeply dislike the concept of censorship, and this extends to moderation of the comments on this blog. The only comments I have blocked have been blatant exercises in spam advertising, other than that I have let every single comment through. Sometimes a comment might seem like spam so it gets blocked for a while by Disqus, but I have never - to my recollection - not approved any comment by a person whose intent was to comment on the article.

This changed this morning: I blacklisted my first respondent. This person was Acker Apple.

Acker is a bit of a plank (IMO), and seems to exist solely to bobble up and down like Beaker on The Muppets going "I like Node!" "Node is good!" "I used to use CF now I use Node!" "Node is Good!" "You're Bad, I'm Good!" "node node node node node", and other stuff which demonstrates the Dunning-Kruger effect is alive and well. Examples of this are here: "ColdFusion: Adobe updates their roadmap for ColdFusion. Forgets to give the language directions" and here: "What I'd like to see in ColdFusion 12 (redux, as is happens)".

There's nothing wrong with being a plank, and in very small doses it can be endearing. But when it ends up seeming like a mistake that the grown-ups let the children sit at the dinner table, a sensible and responsible grown-up will usher the children back out of the room so the adults can get on with it.

I was going to just tell Acker to shut up (I put it more directly than that), but having checked my comms over night I have had a couple of actual complaints about his conduct, and the very real fact he's toxifying the comments section on this blog with his continual nonsense, and it's discourgaing participation from more lucid & engaging participants.

To be very clear: the comments on this blog are very important to the content of the blog itself, and oftentimes the comments are more interesting that the article they're commenting on. I welcome all points of view, and especially ones that disagree with me as those are the ones I personally learn the most from. You can, in general, say whatever you like, in whatever tone you like (other than the usual societal / community nonos). I'm not blocking Acker because of his dissenting voice. I'm blocking him cos he's a bit of a cock.

So Acker has been ushered out of this particular room. I have blacklisted his email address (which is about all I can do on Disqus), and will monitor any further input from him by hand. If it is on-topic for any post he decides to reply to: I will consider approving it.

Equally, some other people need to learn to "not feed trolls" as the internet addage goes. This is even worse clutter than the original comments, IMO. I will take a very dim view of anyone adding to clutter in this vein, too. If someone is trolling: just leave them be. Don't become part of the problem.

Finally: apologies to my other readers who might have felt a bit put off by my lack of better/earlier handling of this.



* Image from here used without permission. If you are the copyright holder and would prefer I do not use this image, let me know and I'll take it down.