Showing posts with label ColdFusion 9. Show all posts

Tuesday 14 October 2014

ColdFusion: new security patches for 9.0, 9.0.1, 9.0.2, 10.x, 11.x

Patches just came out for all versions of ColdFusion from 9.0 upwards. Details in their security document: "ColdFusion Help / ColdFusion Security hot fix APSB14-23".

I've not checked the content of it, but I will say that if at this late stage of ColdFusion 9's life (it's EOL on Dec 31 this year) they're releasing individual patches for all of 9.0, 9.0.1, 9.0.2, then I am guessing it's fairly serious. So get your test machines updated as soon as possible and regression-test your apps, then look to move it to live as soon as it seems stable.

And in the meantime, we're still waiting for a more useful bug-patch for both CF10 and CF11. Wonder when to expect that? It's been promised as coming out "soon" since about August, I think..?

I've just noticed that the ColdFusion 10 one is actually a fairly substantial patch, fixing 60-odd issues! So that's quite good. Details in "ColdFusion Help / Bugs fixed in ColdFusion 10 Update 14".

Anyway, there you go.


Monday 30 June 2014

A quick primer: porting CFCs from tag-based to script-based

I'm assisting someone with porting their (ColdFusion 9) CFC code from tag-based to CFScript-based, and part of this is to knock together some examples of analogous CFCs in both formats. I know some people struggle to get their brains around CFScript, so thought perhaps it might be slightly worthwhile to post the notes here too. This is just a first pass, and if other requirements come up or examples are needed, I'll post 'em too.

Wednesday 19 March 2014

ColdFusion 11: bug triage (and fixing?) seems to have stalled

Ages back I wrote an article "212 untriaged ColdFusion 10 bugs", and indicated my horror at how many bugs in the current version of ColdFusion that Adobe had seen fit to simply ignore. I don't mean "not fix", I meant "just completely ignore; ie: not even acknowledge the bug had been raised".

I followed this up a coupla months later with "Bug watch: 206 untriaged ColdFusion 10 bugs"; in that two months they had managed to triage a net of six tickets that had been raised.

Just a week later we were down to 165 untriaged bugs: "Good work Adobe ColdFusion Team!", and they had made good progress from there, getting it well below 100 untriaged bugs, and got it down to a low of 40 on Jan 22 this year. Again: good work!

Wednesday 12 February 2014

ColdFusion 9 on Windows 8

I'm about to pop down to NZ for a coupla weeks to see me folks and make sure they're all still in working order and the like. And drink beer with my NZ-based mates. As part of this, I've retired my old Netbook, and have bought myself a new cheapish laptop (or an "ultrabook" as apparently they are being fashioned, these days) as its replacement. The reason I had the netbook is that the battery life was excellent, which was very handy on long-haul flights, plus it was a handy size for using on aircraft and when lurking in airport terminals. Which I do frequently enough for that to be a consideration. Anyway, this new thing has Windows 8 on it, and I spent Fri evening and Saturday morning setting it up. Which went fine until I needed to install ColdFusion 9.

Tuesday 31 December 2013

(1/4): it's not all about ColdFusion 10 bugs. CF 9.x has outstanding bugs too...

First the "1/4" thing. Matt Bourke has just challenged me to release another four blog articles today. Let's see if I can do it. I make no apologies for the quality (or length) of the writing today. I'm not in the pub for one thing ;-)

This one is really short, but was underway before Matt challenged me.

Thursday 24 October 2013

So there won't be support for OSX 10.9 "Mavericks" on ColdFusion 10

There's been a huge flurry of activity on the ColdFusion Bug tracker around ticket 3653076, entitled "Bad apache / tomcat connector for Mac OSX Mavericks 10.9". It was raised two days ago and has 20 votes already, and 13 comments.

And Richard Herbert has just done the decent thing and reminded us all that Adobe have already officially responded to this...

Wednesday 23 October 2013

Documentation for older versions of ColdFusion

Gavin was asking about docs for older versions of ColdFusion today. In my searchings, I've located the docs for a number of older versions of ColdFusion. I'm gonna list 'em here so they're easier to find.
  • Cold Fusion 2.0 online documentation, courtesy of GES technologies (update 2015-05-07: link is now dead)
  • Cold Fusion 3 online documentation, courtesy of House of Fusion (update 2016-06-30: link is now dead)
  • ColdFusion 4.5 online documentation, also courtesy of House of Fusion (update 2016-06-30: link is now dead)
  • ColdFusion 4.5.2 offline downloadable documentation, courtesy of Adobe (these are zip files)
  • ColdFusion 5.0 offline downloadable documentation (Adobe, zip files)
  • CFMX 6.1 offline downloadable documentation (Adobe, zip files)
  • CFMX 7 offline downloadable documentation (Adobe, zips)
  • ColdFusion 8 online documentation (Adobe livedocs)
  • ColdFusion 9 online documentation (
  • ColdFusion 10 online documentation (the current rendition of Adobe online docs: I wish they'd just stick with the same bloody domain name / online docs structure!!). That site is now dead. But the docs are here: ColdFusion Documentation Archive.
  • ColdFusion 11: same page as above, but that's a direct link.
Hopefully that's helpful to someone.



    Tuesday 24 September 2013

    Things I dislike: jobsworths


    For non-UK-English-speakers, from Wikipedia:
    A jobsworth is a person who uses their job description in a deliberately uncooperative way, or who seemingly delights in acting in an obstructive or unhelpful manner.

    I started to have a quick look at ColdFusion 10's new ESAPI functions this morning...  I'd give you a link for those, but they don't seem to be categorised in the docs (and I can't annotate the docs accordingly, cos the site is still broken since it was "upgraded" to use the new wiki)... and quickly got deviated onto the bug tracker.

    Tuesday 9 July 2013

    Well done Adobe ColdFusion Team

    Hopefully you've heard there's a patch out for ColdFusion 10 (now version 10.0.11) for the web sockets security hole that Henry Ho noticed a week or so ago. I did some investigation on the issue, and identified four separate problems with the web sockets implementation on un-patched (10.0.10 and below) ColdFusion 10 installations.

    The good news is that two of those four issues are fixed, and they are the two significant ones:
    • public CFC methods were callable via web sockets. Only remote methods ought to be externally accessible;
    • non-web-accessible CFCs were accessible via web socket requests, provided there was a ColdFusion mapping to them.
    I've verified those are now fixed.

    Friday 24 May 2013

    Gotchas when upgrading ColdFusion 9 to run on Java 7?

    Just a quick one... have you upgraded your ColdFusion servers to run on Java 7? If so, did you encounter any problems / issues / unexpected behaviour?

    I'm gonna be involved in an upgrade of a largish 9.0.1 installation from Java 6 to Java 7, and want to gather info about what to possibly expect.

    It'd be really cool if you could let me know about your experiences, and it'd be even better if you could circulate the Twitter message I'll be sending to notify people of this article, so I can gather as much input as possible.



    Tuesday 2 April 2013

    ColdFusion bugs I'd like to see dealt with: param (first in what will be a series)

    With the upcoming ColdFusion 11 pre-release, I'm going to start banging about some ColdFusion bugs that piss me off. I'll mention them as I encounter them in my day-to-day work.

    First up: param. There's a bug with param detailed in bug 3364510. Basically it's not been completed.

    Thursday 17 January 2013

    Wednesday 9 January 2013

    Setting a CFAdmin password

    I despair. I was going to sit down tonight and be all pseudo-intellectual and watch Au Revoir les Enfants (which I have somehow managed to not yet see) on DVD, and otherwise ignore my computer. And ignore ColdFusion.  But here I am.

    I had a Twitter exchange with Russ Michaels and Brad Wood about this current slew of security holes in ColdFusion (there are not one but three, apparently), and I mentioned that I couldn't be arsed looking into it to see what the actual issue was. But just like playing The Game, once the topic came up, it intrigued me more and more, so I decided whilst dinner was cooking "ah, it won't take long to find it, I'll have a look". So off I went.

    Saturday 3 November 2012

    CFML: Application.cfc-set mappings don't work in onApplicationEnd

    Well this was not what I was intending to be looking at this evening, but I made the mistake of  looking at StackOverflow and didn't understand what I was reading about mappings and onSessionEnd and ColdFusion 8, so looked into it.

    I don't really care about quirks of CF8: the boat's pretty much sailed on any problems anyone finds with that.  However I wanted to make sure it wasn't still happening in CF9 or CF10.

    The original problem is that ColdFusion mappings that are set in Application.cfc don't seem to exist by the time onSessionEnd() runs (this is on ColdFusion 8).  Here's some test code and the results:

    <!--- Application.cfc: logs what expandPath("/test") resolves to in each lifecycle handler --->
    <cfcomponent output="true">
        <cfset this.name = "testMappings">
        <cfset this.sessionManagement = true>
        <!--- Short timeouts so onSessionEnd / onApplicationEnd fire quickly during the test --->
        <cfset this.applicationTimeout    = createTimespan(0,0,0,20)>
        <cfset this.sessionTimeout        = createTimespan(0,0,0,10)>
        <cfset this.mappings = structNew()>
        <cfset this.mappings["/test"] = "C:\temp">
        <cfset testExpandPath("Pseudoconstructor")>
        <cffunction name="onApplicationStart" returnType="boolean" output="true">
            <cfset testExpandPath("onApplicationStart")>
            <cfreturn true>
        </cffunction>
        <cffunction name="onApplicationEnd" returnType="void" output="true">
            <cfargument name="applicationScope" required="true">
            <cfset testExpandPath("onApplicationEnd")>
        </cffunction>
        <cffunction name="onRequestStart" returnType="boolean" output="true">
            <cfargument name="thePage" type="string" required="true">
            <cfset testExpandPath("onRequestStart")>
            <cfreturn true>
        </cffunction>
        <cffunction name="onRequest" returnType="void">
            <cfargument name="thePage" type="string" required="true">
            <cfset testExpandPath("onRequest")>
            <cfinclude template="#arguments.thePage#">
        </cffunction>
        <cffunction name="onRequestEnd" returnType="void" output="true">
            <cfargument name="thePage" type="string" required="true">
            <cfset testExpandPath("onRequestEnd")>
        </cffunction>
        <cffunction name="onSessionStart" returnType="void" output="true">
            <cfset testExpandPath("onSessionStart")>
        </cffunction>
        <cffunction name="onSessionEnd" returnType="void" output="true">
            <cfargument name="sessionScope" type="struct" required="true">
            <cfargument name="appScope" type="struct" required="false">
            <cfset testExpandPath("onSessionEnd")>
        </cffunction>
        <!--- Writes the resolved path to the response and to the testMappings log file --->
        <cffunction name="testExpandPath" returntype="void" access="public" output="true">
            <cfargument name="message" required="true" type="string">
            <cfset var path  = expandPath("/test")>
            <cfset var fullMessage = "#message#: #path#">
            <cfoutput>#fullMessage#<br /></cfoutput>
            <cflog file="testMappings" text="#fullMessage#">
        </cffunction>
    </cfcomponent>

    Pseudoconstructor: C:\apps\adobe\ColdFusion\8\instances\CF801\cfusion.ear\cfusion.war\test
    onApplicationStart: C:\temp
    onSessionStart: C:\temp
    onRequestStart: C:\temp
    onRequest: C:\temp
    test.cfm: C:\temp
    onRequestEnd: C:\temp
    onSessionEnd: C:\apps\adobe\ColdFusion\8\instances\CF801\cfusion.ear\cfusion.war\test
    onApplicationEnd: C:\apps\adobe\ColdFusion\8\instances\CF801\cfusion.ear\cfusion.war\test

    Firstly, it's completely legit that the mapping doesn't work in the pseudoconstructor. See my article on how the settings set in the this scope work if you're not sure why.

    However to me it's a bug that they aren't still around in onSessionEnd() and onApplicationEnd().  Someone at Adobe clearly thinks so too, as the behaviour has been modified (partially) in CF9:

    Pseudoconstructor: C:\webroots\CF902\test
    onApplicationStart: C:\temp
    onSessionStart: C:\temp
    onRequestStart: C:\temp
    onRequest: C:\temp
    test.cfm: C:\temp
    onRequestEnd: C:\temp
    onSessionEnd: C:\temp
    onApplicationEnd: C:\webroots\CF902\test

    onSessionEnd() has been fixed, but not onApplicationEnd(). You'd think that if someone took the time to fix one of these, they might check the other one too eh? Apparently not.

    It's the same behaviour in ColdFusion 10.  But Railo (4.0.013) works fine: the mapping is still available in onApplicationEnd().

    I've raised a bug for this: 3358817.

    The work around - such as it is - for this is to set the mappings in CFAdmin: then they work fine.  Not much of a work around, but it might help some people.
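
An alternative in-code workaround, as an added example that is not from the original post: resolve the mapped path in onApplicationStart(), where the output above shows the mapping works, and read the stored value back in onApplicationEnd() through its applicationScope argument. The application name and the testPath key are assumptions made for this example.

```cfml
<!--- Application.cfc (added example; names below are hypothetical) --->
<cfcomponent output="false">
    <cfset this.name = "testMappingsWorkaround">
    <cfset this.applicationTimeout = createTimespan(0,0,0,20)>
    <cfset this.mappings = structNew()>
    <cfset this.mappings["/test"] = "C:\temp">

    <cffunction name="onApplicationStart" returnType="boolean" output="false">
        <!--- The per-application mapping resolves here, so capture the absolute path now --->
        <cfset application.testPath = expandPath("/test")>
        <cfreturn true>
    </cffunction>

    <cffunction name="onApplicationEnd" returnType="void" output="false">
        <cfargument name="applicationScope" required="true">
        <cfset var path = "">
        <!--- Do not call expandPath("/test") here: on CF9 and CF10 the mapping is gone.
              The application scope is only reachable through the argument at this point. --->
        <cfif structKeyExists(arguments.applicationScope, "testPath")>
            <cfset path = arguments.applicationScope.testPath>
            <cflog file="testMappings" text="onApplicationEnd (stored path): #path#">
        <cfelse>
            <cflog file="testMappings" text="onApplicationEnd: no stored path; onApplicationStart did not complete">
        </cfif>
    </cffunction>
</cfcomponent>
```

This only helps code that needs the resolved file-system path; anything in onApplicationEnd() that relies on the mapping itself still needs the mapping set in CFAdmin.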