Wednesday, 19 February 2014

ColdFusion 11: preventing files from being included? WTF, Adobe?

G'day:
This is a follow-on from my earlier article "ColdFusion 11: first bug. Bad bug.". I'm writing it up separately here as it's a slightly different issue, worth discussion.

That previous issue cropped up because I was trying to run my TestBox regression tests on ColdFusion 11, and somewhere under the hood TestBox includes (via <cfinclude>) some JS and CSS files. This is not an uncommon practice (more common with JS than CSS, that said), and a handy way of writing out JS at request time. This is necessary sometimes to "pass" server-homed data to JS code, before running the rest of the JS out of .js files, executed on the browser via script tags.

I also know of one application that uses this to good effect generating dynamic .doc files, wherein the doc template is saved in XML format, and by including the file, runtime CFML expressions are processed into the resulting .doc file. This is really pretty cool.

Adobe in their infinitesimal wisdom have decided to prevent this functionality by default. Yeah, now out of the box ColdFusion 11 will only allow the inclusion of CFML and HTML files. Why? They cite "for security reasons". Here's a quote (posted in the bugtracker, originally from the pre-release forums):

"Vamseekrishna Manneboina: Yes, this was done as part of a security measure. You can now only include CFM/CFML files by default. You can specify additional extensions via a property called allowedextforinclude in neo-runtime.xml. By default, HTM and HTML file extensions are already added to this list/property, thereby allowing for inclusion of HTM and HTML files too by default."
(Note: this was changed to compileextforinclude, by the time ColdFusion 11 was actually released).

Not to put too fine a point on it, but... Vamsee... what the hell are you on about? What security measure? What security are you protecting against here? What's the use case?

Because... to my mind and the mind of various other people who have looked at this today... <cfinclude> is in the codebase. So - intrinsically - the only people able to implement these nefarious <cfinclude> calls are... the application developers themselves! Where's the security risk there? Maybe Adobe don't trust their developers (and I can increasingly understand why, but that's a different story), but I think trusting yer devs is pretty much a core principle of running a dev shop.

This "feature" - as far as I can tell - serves absolutely no bloody purpose whatsoever. To me it's a symptom of the Adobe ColdFusion team being so dreadfully out of touch with the CFML community that they think... um... actually I'm fucked if I know what the thinking was here. It's just stupid. It also concerns me that this comes under the "security" banner, as it just makes me think even more than the Adobe ColdFusion team really just don't "get" security.

I had a look at disabling this feature so that I could just write the code the way I bloody want to, but unfortunately that setting will take neither a wildcard like *, nor an empty value (which I hoped might be interpreted as "actually don't bother"). So all one can do is to list all the file extensions one might want to include, ahead of time.

This feature achieves nothing except being obstructive. I could live with it if it was disabled by default, or if I could completely disable it after the fact (ie: by telling it to allow anything). But it really was a poor use of Adobe's time when they could be fixing bugs.

I'd love if Adobe could sanction reproduction of any discussion that took place on the pre-release forums about this. Because I really wonder how it got out the door if the PR participants knew about it.

I'm raising another bug to get the thing changed to be able to be completely disabled: 3710326. And also so it's managable / disable-able (!) in the CFAdmin UI.

--
Adam