Showing posts with label Railo. Show all posts
Showing posts with label Railo. Show all posts

Wednesday 23 September 2015

ColdFusion / Lucee: the first two things I do when I find a new CFML site

G'day:
I just had to email yet another ColdFusion-based website about security holes in their website. Which I found via a Google search result when searching for [something else]. It'll be interesting to see if they do anything about it.

If you run a ColdFusion website, do this:

http://yourdomain.com/CFIDE/administrator

Or on a Lucee website:

http://yourdomain.com/lucee/admin/web.cfm
http://yourdomain.com/lucee/admin/server.cfm

Or on Railo:

http://yourdomain.com/railo-context/admin/web.cfm
http://yourdomain.com/railo-context/admin/server.cfm

If you see anything other than a 404 page, your site is possibly insecure. You must not expose your admin UI to the public.

Then try this:

http://yourdomain.com/Application.cfm

If you get a CFML error message instead of your web server error page, you are also emitting information about your site you should not be.

Whenever I hear about a CFML website, I check those two things. depressingly often I find them not secure. And note: if you're in the habit of announcing the launch of new CFML-driven websites, make sure you've done this stuff first.

As I have said before: "Don't advertise yourself as a CFML website". Ideally you should not even be exposing URLs which have a .cfm extension, as this is giving away information you should not be giving away. That said, I would not worry too much about that, but definitely do worry about having you CF Administrator exposed.

What you really ought to do whenever you are going to launch a new CFML-driven website is engage Foundeo (disclosure: I have nothing to do with Foundeo, and I am making this recommendation solely because I respect the work they do) to do a security audit for you:  HackMyCF. They'll check all sorts of stuff for you, and make sure you're secure. And you really must do this sort of thing as a matter of course.

Don't leave yourself exposed and become one of those news stories.

--
Adam

Friday 3 July 2015

Critical Lucee Update (also attn Railo users)

G'day:
There's a security patch for Lucee released today, and if you're running Lucee 4.5, you really must apply it.

Update:

Actually don't do what I say here. LAS have ballsed-up and rolled this critical fix in with a bunch of other fixes, and as a result, I can't confidently say you should automatically apply this fix. The fix they're espousing needs to go through full regression testing on your system, rather than being a quick fix: I know of at least one upgrade that has failed because of this. I'm fucked off about having delivered this message and the having to back out of it, and I am following it up.


Lucee have released a blog article about it: "Lucee Stable Release - Security Update Included", and the executive summary is:

Today Lucee would like to announce the latest 4.5 stable release and point out that this release includes a very important security update, so we are recommending that you update to this release as soon as possible. We are however not releasing details of the security issue at this time for several reasons.

Friday 12 June 2015

CFML/Lucee/Railo: Geoff Bowers does a good job of presenting Lucee's position on things

G'day:
Kai and Mark (with guest Geoff Bowers) have released a fascinating 2DDU today (depending on which timezone you're in). 'ere 'tis: "Episode 38 - Lucee, the fork and open-source licenses".

If you're interested in the whole Railo v Lucee thing ("Railo speaks at long last", "A message from the majority shareholder of The Railo Company", and all manner of other conversations about the place), or have concerns - I fall into the latter group - Geoff does a very good job of presenting Lucee's situation. It's certainly restored a lot of my confidence in the situation (from Lucee's perspective), which given how cynical I am, represents a pretty good effort on his part.

Nice one.

Anyway, go listen to it.

--
Adam


Thursday 4 June 2015

Railo: one month later and...?

G'day:
Just a quick and vapid observation that all this - "Railo speaks at long last" / "A message from the majority shareholder of The Railo Company" - happened a month ago today. The following day I posted a number of questions for Railo, by way of requesting clarification: "Questions for Railo".

This is just a quick note that I have yet to hear back from them, although I am still trying. I've also been keeping an eye on the Railo Google Group, and there's nothing there either.

Anyway, I just figured that I should mention I am still trying to rattle cages. I am bloody interested to hear if there will be any phoenix-like activity from the Railo project.

Needless to say if/when I do hear anything, or find any further info, I'll share it.

Righto.

--
Adam

Tuesday 12 May 2015

Railo doesn't speak

G'day:
Last week Railo contacted me and asked me to raise awareness of a new blog article they had published (their article: "A message from the majority shareholder of The Railo Company"; my initial reaction: "Railo speaks at long last"). I duly mentioned it in an article of my own, as well as a follow-up article ("Questions for Railo") asking some questions that sprang to my mind and a few others from the peanut gallery.

I was hoping Railo might've responded to these questions because their article did kinda elicit more questions than it answered. However now there's been absolute radio silence from them for a week, so this raises even more question marks.

Tuesday 5 May 2015

This Railo v Lucee thing: a well-balanced reaction (from someone else)

G'day:
I had a response to make to a comment this evening, but Ron Stewart beat me to it, saying pretty much what I'd've said, except better. And more politely. I wasn't going to bother being polite.

'ere' 't'is.

It's in response to Dom's comment, which was a slightly befuddling reaction to my article this morning, "Questions for Railo". Dom's post seemed to take offence at the fact I delivered inconvenient information, and I have an opinion which is contrary to the zeitgeist. And that I have derided some of the less coherent reaction I've been seeing. Which is odd, cos he's read this blog before.

Anyway, I was gonna reply after work, but I've been trumped by Ron who's written what I would have said (like I said above).


@Dominic: I'm not one for putting words in Adam's mouth (seems dangerous to me) but I too was a little surprised by how some people responded either on Twitter or in the comments on the Google Groups posting in a manner that either

(a) seemed (to me) to lose sight of what I thought was the primary basis for the disagreement between 4FTI and the people behind the Lucee project: some sort of contractual agreement regarding IP rights, or

(b) automatically assumed that the entity behind the post was automatically wrong, without grounds for their position, some sort of bad guy, or out specifically to harm the Lucee project (they may be any or all of those things... or they may not be).

There's a great deal about all of this that we on the outside simply don't know at this point in time, and to automatically assume that the entity behind the post on the Railo blog has no basis for their position and/or for addressing what they perceive as a grievance or breach of contract through litigation is probably unwise. The claims made by the entity behind the blog post on the Railo site may be without merit... or they may not be. We just don't know.

As I posted on Twitter, the underlying disagreement between the two sides in this case is troubling to me (I used the word "disturbing" in my tweet) because it, at best, will likely be a distraction for continued development of the Lucee project until it is resolved. I also noted that that the cynical part of me was sort of expecting this given the protracted silence from the Railo side since the Lucee project began... given what we had publically heard about financial backing for and commitment to the long-term future of CFML through Railo, it seemed quite likely to me that the entities backing Railo would be quiet that long if they were trying to figure out what this meant for their investment and their future... maybe I was reading too much into the silence. I think we now have some idea of where they stand.

I saw some of the reaction as a surprising rush to judgment, given how little any of us know about the circumstances behind the principals leaving the Railo side, any contractual agreements they may or may not have had with the Railo side, conversations that may have occurred between the two sides since they left the Railo project as they two sides may or may not have attempted to come to some sort of agreement on points of dispute. I don't think we know enough at this point to start talking about who's right, wrong, good, bad, or anything else in this case.

Does all of this help the CFML community? Or Railo? Or Lucee? No, almost certainly not... but neither does our jumping to conclusions about "right" and "wrong" or "good" and "bad" in situations where we aren't currently--and may never be--privy to all of the relevant facts.

I think Adam is/was doing the same thing to the CFML community that he often does with the vendors: taking them to task for what he sees as questionable reasoning. I don't see his position as "pandering" or even an extreme case of playing the devil's advocate. But that's just my perspective...

I'm curious about the answers to some of the questions he's posed here (particularly the forward-looking ones), and to see how this plays out.


Questions for Railo

G'day:
Well: what a flurry of hysteria we had yesterday, eh? (if you missed it: "Railo speaks at long last", then go to the Lucee Google Group or Twitter for more reaction). I can't say I was particularly impressed with some quarters of the CFML community with their froth-based conspiracy theorisation, but I think this reflected mostly on themselves more than anyone else. I'm also surprised at the road from Palm Sunday-esque adulation to shrieks of "Crucify Them!" Railo have apparently transgressed over the last few months. We've definitely split from the Judean People's Front to create the People's Front of Judea, it seems.

Still... There's some sensible questions to be asked off the back of all this. Some of these come from me, some of them are questions others have asked which seem to have merit (at least to some degree).

Monday 4 May 2015

Railo speaks at long last

G'day:
I'm going to get this out quickly without any analysis (I've not even finished reading it!), but Railo - yeah Railo, not Lucee - have just posted this on their blog ("A message from the majority shareholder of The Railo Company"). The whole thing warrants reading and digesting, but this is they key section:

What this means for Lucee

Again, we support the spirit and intent of the Lucee initiative, although we fail to see the advantage of another CFML platform. However, the use and development of Railo to release what is now being “packaged” as Lucee 5 was not authorized by TRC and, therefore, remains the property of TRC.

For this reason, we are compelled to provide notice that any use of Railo by Lucee or by its membership may constitute an unlawful infringement of TRC’s intellectual property rights. We strongly urge you or your customers to request that Lucee and its founders warrant that nothing contained in any Lucee release is subject to claims from third parties including TRC and that all IP is free and clear to Lucee. We are confident that no such warranty can or will be provided.

All of these internal issues will take time to sort out and we will try to keep you updated throughout.

Hmmm.

My initial reaction is that one would be foolhardy to run with Lucee whilst there's clearly some issues to "iron out". It might end up just being an agreement being made with TRC to allow them to distribute Lucee. Or it might mean "Lucee" is not allowed to exist, legally. I think this is up in the air at the moment.

That said: I'm no lawyer, so what do I know.

Update:

Alex has pointed this out:

This isn’t Railo speaking this is another TRC shareholder and the article title should reflect that, [...] they are a majority shareholder [...] TRC's other shareholders don’t agree with the position being taken?
(full context is in his comment below. I have edited that down, and this expresses his intent, but not his exact wording).

My reaction to that is this:

It's the Railo blog and they're talking about Railo stuff, so that's "Railo speaks..." in my books. I'm not that fussed by who owns what shares, and realistically I think this messaging *is* the official word re Railo whether all share holders agree or not.

TBH, I'm not sure this hair-splitting is helpful or meaningful, but I've now had this conversation three times with various people, so I figured I should get my reaction front and centre.

One thing I do know... this squabbling between Railo & Lucee is not helpful to anyone in the CFML community (except perhaps Adobe). And I say that in a non-partisan way. I don't know enough to know who's the right or the wrong party in any of this.

I think the body left worst off is the CFML community though.

Update, after some thought:

These are my initial thoughts, as posted in a comment on Railo's blog article:

Very interesting news! Not entirely helpful from the perspective of the continuity of the CFML community, but interesting nevertheless.

What would be *best* is if you @ TRC and those @ LAS could swallow their egos and their differences, ditch Lucee, and go back to just doing Railo.

I'm fairly certain that won't happen though :-/

Best of luck, and I will definitely be "watching this space"!


What are your own thoughts on any of this?

--
Adam

Saturday 14 February 2015

Trying to get clarification about the status / future of Railo

G'day:
I figured I had better try to find out the official word from The Railo Company as to the status of the Railo open source project, and what the future for it is likely to be. I have written this open letter to Railo:

Thursday 29 January 2015

Lucee

G'day:
OK, here it is. Today it was announced that Railo has been forked, and there is a new CFML engine in the community: Lucee.



I am currently at the product release event, and Pixl8 Interactive's offices in Clapham, London (", England", for my USAn readers).

What's most interesting about this is that the lead dev on Railo - Micha - has moved onto the Lucee project. And I understand Igal is also moving from Railo to Lucee too.

Lucee is available now. I've had the briefest of plays with it, and it seems as solid as one would expect of a product Micha has been working on.

The strapline from their site says this:

Lucee is a light-weight dynamic scripting language for the JVM that enables the rapid development of simple to highly sophisticated web applications. Lucee is made for the web environment, it simplifies common tasks for this environment.

I've been able to ask the Lucee Team a few questions, trying to second guess what the community would be wondering.

Tuesday 9 December 2014

"George", eh?

G'day:
So I heard the first mention of Railo 5 in quite a while from the Railo guys today, an oblique reference from Micha:

In George (Railo 4.2 successor) the release date is set by the build process in the default.properties file, the location for this information has moved because this file is common practice with OSGi.

Two things interest me:

  • things have been very quiet re Railo 5George recently, after a lot of initial chatter about it;
  • odd to describe it as "Railo 4.2 successor" when previously they've been very open about referring to it as "Railo 5". Dunno what to make of that. I might just be reading too much into casual words on a Google group.


Anyway, it's jolly good to hear mention of it. I just bloody wish they'd hurry up and release the damned thing. At least to a public beta or something! It sounds like it's really going to be a great step forward for CFML, and will probably give Adobe a bit of a fright, I reckon.

Can't wait!

--
Adam


PS: thanks to John Whish for helping me get this article up onto coldfusionbloggers.org, which I cannot access from this machine @ present, for some reason.

Thursday 20 November 2014

Railo "unexpected" behaviour: opinions solicited

G'day:
This will be one of those really quick ones as I have precisely 19min of lunchtime left to write it.

Ryan Guill found some oddness with Railo yesterday, with code like this:

function tikiOtinga(required string s required numeric i){
    writeDump(arguments);
}

(his example wasn't in Maori, but hey).

Can you spot what's wrong with it?

Tuesday 18 November 2014

What should CFML's deleteAt() method return?

G'day:
This will be quick, as I'm out of time before I'm due to start work.

As I mentioned in my earlier article ("Weekend quiz: my answer (CFML version)"), Railo's (and ColdFusion's for that matter) Array.deleteAt() method returns a pointless boolean, rather than something useful. What do you think it should return?

Saturday 1 November 2014

Railo won the Bitnami competition

G'day:
This just came in the e-post from Bitnami:

Hi Adam,

Thank you for voting to add Railo to the Bitnami library in our monthly contest. Good news - Railo received the most votes and will soon become part of Bitnami!. We will send an email letting you know as soon as it is available for you to try out.

Given that this contest has come to an end, a new one has now started. If there are other apps you would like to see us add to Bitnami, be sure to vote for them to get them added next!

- The Bitnami Team
Good work, Railo & CFML community.

--
Adam




Friday 24 October 2014

Would you install a ColdFusion hotfix/updater/patch without testing?

G'day:
First things first, this is my position (and the one I believe anyone who's not a lunatic should have): "bloody hell no, are you insane?"

But I polled the community yesterday, via Twitter:



Friday 3 October 2014

Good work, CFML community

G'day:
A few days ago I knocked out a quick article about the Bitnami contest that Railo is a participant in: "Ballot stuffing: vote for Railo".

At the time Railo was on the first page of participants, but well down the list.

But the CFML community has really stepped up here I think, because as I type this, Railo is now in the lead (425 votes; second place 423). I dunno when the contest ends, and the margin is still really tight so if you want to support CFML and encourage getting the word about it out there more, go and vote.

Update:


Blimey, whilst I was writing this, Railo's vote went up to 461!

And good work everyone who did vote, and who did circulate the word.

--
Adam

Tuesday 30 September 2014

Ballot stuffing: vote for Railo

G'day:
No, I'm really not advocating ballot-stuffing. However someone's creating a poll to get Railo added to Bitnami's stack. This would improve Railo and CFML's market penetration, so it has to be a good thing. And the sort of thing the vendor's themselves ought to be promoting.

Even if you're not a Railo user or advocate, and are staunchly a ColdFusion fanboi (you know who you are), this must be good for CFML.

Go vote. Here: https://bitnami.com/stack/railo.

--
Adam

Friday 19 September 2014

I would actually love to see your Railo 5.x wishlist...

G'day:
That was a comment from Gert against the article "ColdFusion 12" article.

Fair enough.

I started writing my response as a comment, but whilst typing it my interest was piqued regarding one of my own thought processes. It would just never occur to me to write an article about a wishlist for Railo. And I don't know why. I prefer the product to ColdFusion (which is easy: it's just better, as are the company & personnel behind it), but this sort of article doesn't seem necessary to me, in a Railo context. I suppose it's because getting Adobe to do anything sensible with CFML is a hard-fought battle, and left to their own devices they either mess shit up, or come up with stuff like <cfclient>. So they need strong direction / coercion from the community. Conversely with Railo, they already have a better idea of what a CFML developer needs, and often come up with the goods before it occurs to anyone to ask for it. Or if one does make a good case on either the Google Group or Jira, they just crack on with it and do it.

So it's not neglect of Railo that doesn't have me writing "My Wishlist for Railo 5.x" etc. It's just never been necessary.

Equally in the back of my mind I know the Railo guys will take on board anything anyone suggests for ColdFusion, and either implement it first, or go "nah, not a good fit for Railo". So I suppose my article would better be titled "CFML-next Wishlist".

Still, Gert asked, so Gert gets. Here's what I said in the comment, before promoting it to being an article:

Tuesday 16 September 2014

Documentation for CFScript

G'day:
I am going to attempt to document all of CFScript, as a resource for people migrating from old-school tag-based code to script-based code. The reason I am doing this is because neither ColdFusion nor Railo provide much (or in the case of Railo: any) useful documentation of CFScript.

This is not a document for converting tags to script. It is not written from a point of view of "if you use <cfsometag> then you need to instead use [some script construct]". It simply documents CFScript. It does - however - set out how to perform all CFML functionality using CFScript. It is also not an exercise in teaching CFML (or at least the script part). It assumes you know what you're doing, and is purely a reference. I am contemplating another article / series of articles which teach CFML correctly (the various resources that exist to do this all take the wrong approach, and are a barrier to CFML uptake, IMO). [ed: obviously that plan has been permanently shelved now].

Also there won't be a great narrative structure to this article. It's just a loosely-structured series of sections covering coding topics.

I assume Railo 4.2 or ColdFusion 11, except where stated.

Update:

I have ported this stuff to GitHub. See "CFScript docs now on GitHub". The version below is a mirror of that. Given it's on GitHub, if you see any problems or want to augment these docs: DIY, and send me a pull request. Cheers.