<cfmodule> in CFScript: does this behaviour make any sense?

G'day:
I'm in the process of documenting all of CFScript. Well: how to effect all of CFML's functionality in CFScript, really.

Today I'm looking at how <cfmodule> is handled in CFScript. Railo and ColdFusion implement it differently (although Railo also implements ColdFusion's implementation for sideways compatibility).

And I am puzzled with the way ColdFusion handles it.

CFML: That <cfexit> bug I thought I had spotted: solved

G'day:
Yesterday I asked for some help understanding a mismatch between some code and some docs: "Are the docs for <cfexit> wrong, or am I misunderstanding?".

I just looked at this some more, and discovered the docs are right, Railo is right, and <cfexit> is right. However there's still a bug in ColdFusion...

Here's a refined repro case:

<!--- testusingCfimport.cfm --->
<cfimport taglib="." prefix="t">
<t:basic>
    Text within tags<br>
</t:basic>
<hr>

<t:basic exitMethod="exittag">
    Text within tags<br>
</t:basic>
<hr>

<t:basic exitMethod="exittemplate">
    Text within tags<br>
</t:basic>
<hr>

<!--- basic.cfm --->
<cfparam name="attributes.exitMethod" default="">
executionMode: <cfoutput>#thisTag.executionMode#</cfoutput><br>
<cfif thisTag.executionMode EQ "start">
    <cfif len(attributes.exitMethod)>
        exitMethod: <cfoutput>#attributes.exitMethod#</cfoutput><br>
        <cfexit method="#attributes.exitMethod#">
    <cfelse>
        exitMethod: not specified<br>
        <cfexit>
    </cfif>
</cfif>

Don't advertise yourself as a CFML website

G'day:
Do you know what the first thing I do when I see a website which uses .cfm file extensions is?

Different bugs in each() function in each of Railo and ColdFusion

G'day:
A quick one. I was investigating a bug in Railo, detailed in "Arguments - Struct or Array", and as well as verifying the bug in Railo, I found a different one in ColdFusion.

Query.cfc et al functions have file-reads and server-wide exclusive locks buried in their code

G'day:
Today's muse is Henry, with this Twitter status message:

#coldfusion sandbox security requires FileRead() because some code uses "new Query()" due to base.cfc. That's a pretty bad design, no?
— Henry Ho (@henrylearn2rock) July 14, 2014

ColdFusion: some built-in functions aren't actually functions. It seems.

G'day:
This caught me out the other day, but I've just now had a change to have a look at it some more. In ColdFusion (as distinct from Railo) some built-in CFML functions such as writeLog(), throw() and writeDump() aren't actually functions. Or aren't implemented properly if they are.

Adobe apparently cease development and/or support of UI tags in ColdFusion

G'day:
I didn't want to put a question mark on that for the traditional reasons. However it seems this might be true. At last.

Thanks to Henry Ho for putting this news in front of me:

#coldfusion stopped supporting UI tags. RT @udayogra: As decided we won't invest any time in Ajax UI components https://t.co/kWD7vIbddO
— Henry Ho (@henrylearn2rock) June 30, 2014

Super and mix-ins don't mix very well

G'day:
True to form for a "web log", here's a summary of the last six hours of my working life (Tues afternoon, Weds morning). The executive summary is "Oh FFS, ColdFusion".

Hanging on to outdated knowledge: don't

G'day:
This has taken me a few weeks to sort out - I started on it well before CF.Objective() - but I think I've finally stared at log files for long enough to come up with my conclusion.

I'm working with a client's codebase. A lot of it was written a) a long time ago when come CFML coding practices were not as fleshed-out as they are now; b) initially on CFMX7 (which, of course, comes with penalties of its own). Their ColdFusion install has moved on to version 9, but some of their coding practices still languish in mid-last-decade.  Part of this is decision-makers arriving at a conclusion as to how ColdFusion does things based on how it did things in ColdFusionMX, and never re-assessing their position to see if it still had merit. Their position was never re-assessed partly because no-one ever questioned it. It was just the way things were done. Times and personnel have changed, so now questions are being asked. I hasten to add I don't think is at all unusual that this is the case, and often approaches stay static until someone new shows up and starts questioning stuff. We've had this @ work in the past, and I've noted it ("Hungarian Notation").

You might remember a while ago I had a look at one of CFML's favourite tropes: evaluate() is bad not least of all because it's slow ('"evalulate() is really slow". Is it now?'): that trope ends up being mostly bullshit. So one can't just settle in and accept what once might have been true will thereafter always be true.

The trope I'm looking at here is that on CFMX7 performance penalties in creating transient objects were such that they weren't a viable coding construct. The only feasible way of using object instances were as singleton's created with ColdSpring during application start-up, and using those as services throughout the life of the application. Beans were an inviable notion, so they must not be used.

Object creation in older versions of CF certainly wasn't an efficient process, I agree with that.

Difference between Railo and ColdFusion regarding annotating CFCs

G'day:
Yeah, I'll write some stuff up about CF.Objective() shortly, but I need to plan that a bit more before I put pen to paper. This is a quick no-brainer (so playing to my strengths ;-).

ColdFusion REST services and restSetResponse() revisited

G'day:
Ages ago I wrote an article lamenting the way restSetResponse() has been implemented: "restSetResponse() requires the method to be returntype void. What?". At the time I was looking at how it was instrumental in how "ColdFusion takes something that should be easy and makes it hard" in the context of exception handling. That's slightly edge-case-y, I'll admit it.

But I think I've encountered a standard-operating-procedure situation today which demonstrates the implementation of restSetResponse() is not fit for purpose. Literally: it's not fit for the purpose it has been implemented for.

Today has been a frickin' frustrating day. I sat down to do another backbone.js tutorial ("Backbone.js Beginner Video Tutorial"), having finished "Anatomy of Backbone.js" and "Anatomy of Backbone.js Part 2" from CodeSchool yesterday. I started watching the video @ around 10am, and was inspecting the code on Github at 10:20am. At that point in time I figured I had better knock together the server-side code the tutorial will need: basically some RESTful web services for get-all, get, create, update and delete. Easy. I set out to implement this code using Railo, and had it all operational by 11:30am. At that juncture I started reading up on exactly what I should be returning for the less-obvious situations: the response for a GET is obvious: return the object(s) concerned. But what do I return for a POST? And a DELETE? So I started reading the HTTP spec ("Hypertext Transfer Protocol -- HTTP/1.1 - 9 Method Definitions"), which explained it all clearly.

One interesting thing I read on Stack Overflow which had me going "oh yeah! (duh)", was in answer to this question:

However I am wondering what should be the HTTP status code is the request sent by the client is valid (DELETE mySite/entity/123) and the entity to delete does not exist.

Because I was facing the same question (and with GET operations too). The answer is the very obvious:

In that case, the service should return an HTTP 404. Strictly speaking, a DELETE or a GET request for a resource that does not exist is not a "valid" request - ie. the client should not re-attempt that request because it will never succeed... The HTTP protocol defines 2 categories of problems - those with a 4xx status code, where the client must modify the request before retrying it, and those with a 5xx status code, which indicate that the service ran into trouble and the client should/could retry the same exact request without changing it.

As I'm perpetually wont to say to people who marvel that REST is some kind of wonderous thing... it's not. It's just "making HTTP requests". We do this every day in our browser. REST requests are no different. So if a resource doesn't exist... 404 the request.

Official word from Adobe PSIRT re Heartbleed and ColdFusion

G'day:
Adobe have completed their analysis of the Heartbleed issue in regards to their products, including ColdFusion, and have offered some guidance: "Heartbleed Update".

Odd behaviour with struct keys with dots in their names

G'day:
I've been looking at this one due to an interesting question on Stack Overflow: "Confusion in dynamic variable access in ColdFusion". I could not immediately see what the problem was, and it's taken me a coupla hours to work out what's going on.

Cool CFML open source project I just spotted

G'day:

Just a heads-up really. MisterDai (David Boyer) has a project on GitHub, cfbackport. The description in the readme says:

This project aims to make at least some functions from newer versions of Adobe
ColdFusion avilable in older versions.  For example, SessionInvalidate() is new
to CF10 but undocumented features make it possible in at least CF8+, possibly
even CF7.
Each set of functions is wrapped within an "if" statement to make sure they
aren't loaded if the version already supports them.

How cool is that idea? He's just uploaded a backport of queryExecute(), and there's a bunch of other stuff there too. This is definitely something the CFML community will benefit from, so would be good to get some more community participation going.

That's it. Nice work David.

--
Adam

I am one step closer to being unshackled from ColdFusion

G'day:
Note that that is ColdFusion, not CFML. I'm still onboard with CFML, and that's not likely to change in the mid-term. Today I switched all my hosted code from ColdFusion to Railo. So now my only connection to the Adobe product is my day job.

Open Letter to site admins I might be contacting in the near future about the security of your ColdFusion site

Hi:
If you are reading this article, it's probably down to one of two reasons:

1. you're one of my regular blog readers, in which case this will have just found its way in front of you just like anything else I write;
2. you are a person I have successfully contacted who - hopefully - the administrator of a ColdFusion-driven website that I have noticed as having some security issues.

The article is targeted at the second group of people. If I have contacted you directly, it is vitally important you read this, and follow-up on it.

Encourage Adobe to relocate /CFIDE/scripts

G'day:
I was listening to CFHour just now - another good podcast, fellas - and Scott mentioned that ColdFusion doesn't help its case keeping itself secure/locked down because assets for CFUI tags are homed in /CFIDE/scripts, and /CFIDE really mustn't be exposed to the outside world.

Whilst there are various options to move / rehome these, I've raised a ticket to get /CFIDE/scripts to somewhere else "Isolate the /CFIDE/scripts directory from the rest of /CFIDE" (3732913), which says this:

myArray.each()... extending the array whilst iterating..?

G'day:
I dunno what to think about some behaviour I'm seeing when iterating over an array with the .each() method.

Consider (but do not run!) this code:

numbers = ["one","two","three","four"];
numbers.each(function(value,index){
    if (value=="one") {
        numbers.append("five");
    }
    writeOutput("Index: #index#; value: #value#<br>");
});
writeDump(var=numbers);

An insight into the mind of a CFML developer

G'day:
I was going to respond to this on the blog I found it (the Adobe ColdFusion one), but I'll do it here instead so I'm not polluting their blog with my anguish / irritation. Be warned: this is a fairly mean-spirited article, and singles out an individual.

Survey: Adobe's approach to client communications regarding security issues

G'day:
I haven't done a survey for a while! This is a follow-up to my earlier article "It is Adobe's fault, OK?", and just to capture the zeitgeist.

Update:

This survey is now closed. The results are here: "Survey results: Adobe's approach to client communications regarding security issues ".

So here it is: "Adobe Communications", and the description text is:

This is just a quick survey to gauge how effective Adobe have been at communicating to their clients regarding security issues that have arisen in ColdFusion

There's seven questions: all bar one can be answered via a mouseclick, and the last asks for a comment. There's other boxes for comments along the way too.

I will always remind people that I do not target a statistically meaningful demographic, nor do I gather enough results to be sensibly analysed, but it is nice to see other people's opinions on stuff sometimes.

So go fill it out if you like. I'll summarise the results when the response stream dries up.

Cheers.

--
Adam