Just a quick one. There's been some feedback from Adobe regarding this web sockets security issue. As a comment against that article, Awdhesh says:
We are working on it and the fix will be available in next updater for CF10.
So that's something. Although I'd prefer a more comprehensive answer from them, if I'm to be honest. I'd also like to know how this thing keeps happening now that they have a supposed "security czar". Perhaps after ColdFusion's reputation / behaviour in that area this year, Shilpi's been relieved of that role? Or perhaps - I suspect - it's just a lip service thing anyhow, so it really doesn't matter what Shilpi might have to say on the security or lack-thereof in ColdFusion.
Anyway: ante-up Adobe... what's the planned fix here?
I've raised four bugs, but unfortunately I cannot share the details with you because I raised them as "security issue", so I don't get given the bug number. The gist of them were as follows:
- web sockets allow requests to public methods;
- web sockets requests do not fire Application.cfc event handlers;
- web sockets requests can request files outside the web root;
- web sockets ignore CFC roles.
Still: they're on the case. This is good news!
--
Adam
