Saturday 13 April 2013

Request related functionality should not be used with CFThread. Or so we're told

Hopefully you know by now a new security fix has been released for ColdFusion version's  9 and 10.

There's a note on the Adobe ColdFusion Blog about it, and lots of other people have announced the same too.

For what it's worth, I've installed it on my CF10 and 9.0.2 instances and it installed fine.

Anyway, there was a curious statement at the end of the blog article I link to above:
Note: It is recommended that, request related functionality is not used with CFThread. 

Err... okey doke. This make me raise my eyebrow, wondering "fair enough, but why are you telling us this as a footnote to an otherwise seemingly unrelated blog article?" It'd be like me writing something on regular expressions (which I still have some stuff to look at, that reminds me), and closing off with a comment about web services. It's a bit of an odd segue.

So I asked for clarification, and got this from Rupesh:
I completely agree that the post should have been more clear about "request related functionality" and I would try to do that here.

As you know, CFThread allows you to spawn a new thread do some processing in parallel with the request. This thread can continue to run even after the request has completed. Since this thread is not connected to the HTTP request that spawned it, any operation done from the thread which tries to change something in the HTTP request/response - like setting header, cookie, response code etc would not make sense and should not be done.

So one should not use cfcookie, cfheader, cfcontent etc inside cfthread as it can cause unpredictable behavior.
OK, good, a bit of clarification. But... why are they telling us this in a blog article primarily discussing a security fix? Or, more to the point, what are they not telling us about this?

If it's just a random coding tip: fair enough. Weird but fair enough.

If there's some security issue that they're skirting around, this is seemingly a bit flippant/negligent of them to just vaguely mention it in passing.

I've asked for further clarification, but none has been forthcoming yet.

If I was you, I'd do what they say re <cfthread> and HTTP stuff. But wouldn't it be nice to know why they have suddenly told us this?

If it's just a coding tip, it's the realm of "OK, duly noted". But I'm not exactly going to go back through my app making sure I'm not doing any of this. However if there's an actual problem here: I want to know so I can make an informed decision on how to react to it.

Anyway... none of this is helping me getting PHP downloaded and installed...