Portal Comment Comment on Adobe ColdFusion usage survey by Peter Freitag
Comment on Adobe ColdFusion usage survey by Peter Freitag
Portal Comment Comment on Oracle’s Java policy change by Peter Freitag
Comment on Oracle’s Java policy change by Peter Freitag
Portal Comment Comment on Oracle’s Java policy change by Peter Freitag
Comment on Oracle’s Java policy change by Peter Freitag
Portal Comment Comment on Union and diff of arrays by Peter Freitag
Comment on Union and diff of arrays by Peter Freitag
Portal Comment Comment on Oracle’s Java policy change by Peter Freitag
Comment on Oracle’s Java policy change by Peter Freitag
Comment on Oracle Java support for Adobe ColdFusion by Peter Freitag
Comment on Presentation Files of Adobe ColdFusion Summit 2018 by Peter Freitag
Comment on Oracle Java support for Adobe ColdFusion by Peter Freitag
Comment on How to use Performance Management Tools by Peter Freitag
Portal Comment Comment on No more GUI based installers for ColdFusion next? – Need your feedback by Peter Freitag
Comment on No more GUI based installers for ColdFusion next? – Need your feedback by Peter Freitag
Comment on ColdFusion (2018 release) Update 2, ColdFusion (2016 release) Update 8, and ColdFusion 11 Update 16 released by Peter Freitag
2673551 CF-4126418 CFwatson U. Added By: PreRelease User User Name:Peter Freitag Note Added: Also want to add that I installed the API manager after CF, using the installer bin that was in the cf root directory. Date Added :2016-02-01 19:21:14.0
Added By: PreRelease User User Name:Peter Freitag
Tracker Comment Comment on Security Analyzer Does not warn about CFMX_COMPAT algorithms by CFwatson U.
2673387 CF-4126660 CFwatson U. Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2015-07-27 19:14:23.0
2673517 CF-4126456 CFwatson U. Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2016-01-14 16:38:56.0
Tracker Comment Comment on Allowed file extensions for CFInclude tag should be in Secure Profile by CFwatson U.
2673520 CF-4126454 CFwatson U. Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2016-01-14 18:16:18.0
Tracker Comment Comment on Jetty folder includes unused JRE 162mb by CFwatson U.
2673521 CF-4126453 CFwatson U. Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2016-01-14 21:35:01.0
Tracker Comment Comment on CFSecurityAnalyzerServlet is loaded in web.xml when SecureProfile is enabled by CFwatson U.
2673524 CF-4126450 CFwatson U. Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2016-01-19 21:50:37.0
Tracker Comment Comment on FCKeditor version is out of date by CFwatson U.
2673526 CF-4126448 CFwatson U. Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2016-01-20 22:04:57.0
Tracker Comment Comment on Duplicate cfajax.js in /cf_scripts by CFwatson U.
2673529 CF-4126445 CFwatson U. Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2016-01-21 21:30:07.0
2673546 CF-4126424 CFwatson U. Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2016-01-29 19:09:30.0
Tracker Comment Comment on Linux Installer does not allow you to specify builtin server port by CFwatson U.
2673547 CF-4126423 CFwatson U. Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2016-01-29 19:30:01.0
Tracker Comment Comment on Terminology: XSS Attack by CFwatson U.
2673570 CF-4126395 CFwatson U. Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2016-02-08 16:53:57.0
2673571 CF-4126394 CFwatson U. Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2016-02-08 20:57:12.0
2682300 CFB-4130058 CFwatson U. Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2016-02-09 16:38:14.0
2682301 CFB-4130057 CFwatson U. Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Feature. Date Added :2016-02-09 16:45:40.0
2673596 CF-4124703 Documentation : General Peter Freitag ArrayNew is missing the unsynchronized argument added in CF2016 Problem Description:
ArrayNew doc: https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-a-b/arraynew.html is missing the unsynchronized argument
2673597 CF-4124702 Language : Functions Peter Freitag Add setting to Application.cfc to create arrays as unsynchronized by default Add an Application.cfc setting to enable creating arrays as unsynchronized by default. This will allow you to put this enhancement in place on a codebase that has
Tracker Issue Add Detailed JSON file to report export
2682301 CFB-4130057 Security Code Analyzer Peter Freitag Add Detailed JSON file to report export When you export a report it generates a nice HTML report but it would be very useful if it also dumped a JSON file in there (with all the details of the vulnerabilities found, file paths, etc) so you
2673387 CF-4126660 Security Analyzer Peter Freitag Security Analyzer Does not warn about CFMX_COMPAT algorithms Problem Description: It should warn that CFMX_COMPAT is not a secure encryption algorithm when algorithm is left out, or CFMX_COMPAT is specified.
Steps to Reproduce: Run security
Tracker Issue SQLi allowed inside any cfif
2673389 CF-4126656 Security Analyzer Peter Freitag SQLi allowed inside any cfif Duplicate ID: CF-4026201
Problem Description: If you wrap a variable with a cfif it will not flag SQLi
Steps to Reproduce:
SELECT * FROM table
ORDER BY #url.sort#
Actual Result: Nothing
Tracker Issue Uninstall does not remove cf_scripts folder from wwwroot
2673517 CF-4126456 Installation/Config : Installer Peter Freitag Uninstall does not remove cf_scripts folder from wwwroot Problem Description: When you run the uninstaller it forgets to remove the cf_scripts folder from the wwwroot, it removes the CFIDE however.
Steps to Reproduce: Install
Tracker Issue Enable/Disable Servlets Installer UI is confusing
2673518 CF-4126455 Installation/Config : Installer Peter Freitag Enable/Disable Servlets Installer UI is confusing Problem Description: It is not readily clear if checking a box will enable or disable a servlet.
Steps to Reproduce: Run installer and go to screen that says Enabling
2673520 CF-4126454 Security : Secure profile Peter Freitag Allowed file extensions for CFInclude tag should be in Secure Profile Problem Description: The setting Allowed file extensions for CFInclude tag is not part of the secure profile -- so the default "*" is used. It should be set to cfm when
Tracker Issue Jetty folder includes unused JRE 162mb
2673521 CF-4126453 Installation/Config : Installer Peter Freitag Jetty folder includes unused JRE 162mb Problem Description: Jetty folder has a jre folder which is the same as the {cf.root}/jre folder, and Jetty is configured to use the {cf.root}/jre folder not the subfolder.
Steps to Reproduce
2673524 CF-4126450 Installation/Config Peter Freitag CFSecurityAnalyzerServlet is loaded in web.xml when SecureProfile is enabled Problem Description: The servlet definition for CFSecurityAnalyzerServlet is still loaded when secure profile is enabled (probably production profile as well
Tracker Issue FCKeditor version is out of date
2673526 CF-4126448 AJAX : UI Components Peter Freitag FCKeditor version is out of date Problem Description: The version of FCKeditor included with Raijin is 2.6.4.1, the current version of FCKeditor is 2.6.10 which includes several security updates.
FCKeditor should be updated to 2
Tracker Issue Duplicate cfajax.js in /cf_scripts
2673529 CF-4126445 AJAX Peter Freitag Duplicate cfajax.js in /cf_scripts Problem Description: There is a file /cf_scripts/cfajax.js that appears to be there by mistake. When you use cfajaxproxy it will make a request for the file /cf_scripts/ajax/cfajax.js
It doesn't make sense for the file
2673547 CF-4126423 Installation/Config Peter Freitag Linux Installer does not allow you to specify builtin server port Problem Description: The windows installer allows you to specify a port number for the builtin web server, but the linux installer does not.
Steps to Reproduce: Run installer
Tracker Issue No Linux Startup script for API Manager
2673551 CF-4126418 API Manager Peter Freitag No Linux Startup script for API Manager Problem Description: When you install the API Manager it does not install a startup script so it will not start upon reboot.
Steps to Reproduce: Run installer.
Actual Result: No startup script
Expected Result
Tracker Issue Terminology: XSS Attack
2673570 CF-4126395 Security Analyzer Peter Freitag Terminology: XSS Attack Problem Description: When security analyzer finds an XSS vulnerability it puts them in a category called "XSS Attack" - the word attack is not really appropriate here, since "attack" is a verb. A better way to say it would
Tracker Issue Docs for booleanFormat are incorrect
2673648 CF-4119952 Documentation Peter Freitag Docs for booleanFormat are incorrect The adobe docs for `booleanFormat()` are incorrect, they say "Returns True, for a non-zero value; false for zero, false, and non-Boolean values, and an empty string ("")." however `booleanFormat("bacon")` throws
2597221 CF-3085245 General Server Peter Freitag Bug 87176:-(Watson Migration Closure)Add onRequestStart method to Server Problem:
Add onRequestStart method to Server.cfc to allow a global onRequestStart handler to process for sites with lots of applications
Method:
Result:
Enhancement request
2599324 CF-3040329 AJAX : Plumbing Peter Freitag Bug 80423:(Watson Migration Closure)SerializeJSON function should have an argument to toggle the securejson prefix in cases where it is not needed Problem:
SerializeJSON function should have an argument to toggle the securejson prefix in cases where
Tracker Comment Comment on SQLi allowed inside any cfif by CFwatson U.
2673389 CF-4126656 CFwatson U. Added By:preethi Note Added: Hi Peter,
The above scenario has already been logged as a bug.
Hence closing the bug.
Thanks! Date Added :2015-07-30 06:13:10.0
Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2015-07-27 20:24:48.0
Portal Topic ColdFusion 2018 Lockdown Guide
Peter Freitag ColdFusion 2018 Lockdown Guide Looking for the ColdFusion 2018 Lockdown guide?
The post ColdFusion 2018 Lockdown Guide appeared first on ColdFusion.
Tracker Issue Add onAfterRequestEnd to Application.cfc
3122939 CF-4198749 Language : Application Framework : ApplicationCFC Peter Freitag Add onAfterRequestEnd to Application.cfc It would be useful to do some processing onAfterRequestEnd, that is after the response has been sent to the client. This would allow you to perform things like logging
Tracker Issue Add getCanonicalPath function
3122922 CF-4198748 File Management Peter Freitag Add getCanonicalPath function It would be useful to have a builtin getCanonicalPath function which would essentially just call the java.io.File getCanonicalPath function. The canonical path is useful for performing security checks on file paths.
Tracker Comment Comment on Security Analyzer False Positive on #DateFormat(now())# and certain other built-in functions. by CFwatson U.
2673556 CF-4126413 CFwatson U. Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2016-02-05 17:21:05.0
Tracker Issue CFAdmin Server Update Gray Spacing Issue
2610001 CF-3738195 Administrator Peter Freitag CFAdmin Server Update Gray Spacing Issue Duplicate ID: CF-3737169
Problem Description: The Server Update > Updates page has some spacing issues with the border. This didn't appear in IE, but shows up in the latest versions of Chrome and Firefox.
See
2610183 CF-3722462 Mobile Support Peter Freitag The cfclient_main.js file hard codes /CFIDE/scripts paths Problem Description:
/CFIDE/cfclient/cfclient_main.js hard codes CFIDE/scripts/ URIs which can be changed dynamically using the setting in ColdFusion Administrator "default script src
Tracker Comment Comment on OWASP Encoder Functions not XSS Safe in all contexts, eg encodeForHTML in JS by CFwatson U.
2673386 CF-4126661 CFwatson U. Added By:preethi Note Added: Hi Peter,
The above scenario has already been logged as a bug.
Hence closing the bug.
Thanks! Date Added :2015-07-30 06:15:19.0
Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2015-07-27 18:54:02.0
2673388 CF-4126659 CFwatson U. Added By:preethi Note Added: Hi Peter,
The above scenario has already been logged as a bug.
Hence closing the bug.
Thanks!
Date Added :2015-07-30 10:51:23.0
Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2015-07-27 19:18:37.0
2673386 CF-4126661 Security Analyzer Peter Freitag OWASP Encoder Functions not XSS Safe in all contexts, eg encodeForHTML in JS Duplicate ID: CF-4026100
Problem Description: The encodeForHTML function is designed to be used in the body of a HTML tag only, not in a HTML attribute, not in CSS
2673388 CF-4126659 Security Analyzer Peter Freitag Security Analyzer XSS Warning on XmlFormat HTMLEditFormat Duplicate ID: CF-4026103
Problem Description: If I set url.id = Int(url.id) and then output XmlFormat(url.id) HTMLEditFormat(url.id) and simply #url.id# -- no warning is triggered for #url
2673523 CF-4126451 REST Services Peter Freitag New /api/ Mapping for Rest Services causes existing /api/ folder to fail Problem Description: Raijin adds a new default servlet mapping /api/* for REST services.
If my application already has a /api/ folder in its root it will break.
Steps
Tracker Issue Linux Installer points to cf11 lockdown guide
2673546 CF-4126424 Installation/Config Peter Freitag Linux Installer points to cf11 lockdown guide Problem Description:
In the linux installer on the "Select ColdFusion Server Profile" screen it says: "When the installation completes, please lock down your Server as per the
guidelines provided
Tracker Issue The s.gif fails to load when using non default scriptsrc
2673550 CF-4126420 AJAX Peter Freitag The s.gif fails to load when using non default scriptsrc Problem Description: When you have a cfwindow tag it will always attempt to load: /cf_scripts/scripts/ajax/resources/ext/images/default/s.gif even if you change the Default Script Src in the Cold
Tracker Issue Security Analyzer False Positive on #DateFormat(now())# and certain other built-in functions.
2673556 CF-4126413 Security Analyzer Peter Freitag Security Analyzer False Positive on #DateFormat(now())# and certain other built-in functions. Problem Description: Treats #DateFormat(now())# as SQL injection in a query, though it is safe.
Steps to Reproduce: Create a file with the following
Tracker Issue Security Analyzer says encoded files have syntax errors
2673571 CF-4126394 Security Analyzer Peter Freitag Security Analyzer says encoded files have syntax errors Related Bugs:
4131907 - Similar to ColdFusion Builder
Problem Description: If there are files encoded with cfencode it says they were not scanned due
2614707 CF-3086162 Document Management : Office Integration Peter Freitag Bug 87161:-(Watson Migration Closure)Can't use ram disk to read cfspreadsheet Problem:
Can't use ram disk to read cfspreadsheet
Method:
Copy a file into ram disk, then try to read it using cfspreadsheet tag.
Result:
Says
2598010 CF-3041850 Language : Tags Peter Freitag Bug 83739:Any tag that writes a header, for example cfheader, cfcontent, cfmail, cfmailpart, cfmailparam should not allow CRLF characters because that allows the creation of an additional header Problem:
Any tag that writes a header, for example
Tracker Issue Security Analyzer Reports hardcode image paths
2682300 CFB-4130058 Security Code Analyzer Peter Freitag Security Analyzer Reports hardcode image paths Problem Description: The report only looks correct when viewed on the machine that generated it, or on computers that have installed builder at the same path. You will find the image paths hard
2682303 CFB-4130055 Security Code Analyzer Peter Freitag Security Analyzer Times out after 30 seconds, unable to scan large dir Problem Description: I tried running a scan on an application with 900 files. The security analyzer times out after 30 seconds saying "Error message from the server. Read
Tracker Comment Comment on New /api/ Mapping for Rest Services causes existing /api/ folder to fail by CFwatson U.
:2016-01-21 03:12:43.0
Added By: PreRelease User User Name:Peter Freitag Note Added: What information do you need? Date Added :2016-01-20 21:59:59.0
Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2016-01-19 21:41:30.0
Tracker Comment Comment on Security Analyzer Fails Silently when not using builtin server by CFwatson U.
for "secure profile". Date Added :2016-01-13 02:57:46.0
Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2016-01-08 19:48:11.0
2673501 CF-4126479 CFwatson U. Added By: PreRelease User User Name:Peter Freitag Note Added: Good call on always using in-memory storage for CF administrator - is there an Application.cfc setting to control this? Date Added :2016-01-14 16:41:09.0
Added By:sanniset Note Added: Now verifying
2673550 CF-4126420 CFwatson U. Added By: PreRelease User User Name:Peter Freitag Note Added: Tested this on a Mac using the Feb7 build and it seems to be working now. I don't think I will have a chance to retest on Linux right now, but I would assume it was not a platform specific issue. Date Added
Portal Topic ColdFusion 2016 Security Enhancements: EncodeFor
Peter Freitag ColdFusion 2016 Security Enhancements: EncodeFor ColdFusion 2016 added a handy enhancement to make writing secure CFML code easier for developers. This enhancement helps developers protect large chunks of code from a security vulnerability known as Cross Site Scripting or XSS. What
Tracker Issue Add isFile and isDirectory functions
2608351 CF-4116201 File Management Peter Freitag Add isFile and isDirectory functions Currently if you want to determine if a path is pointing to a file or a directory you need to use the getFileInfo function and look at the type key of the struct returned. The getFileInfo function throws
2597552 CF-3043568 Language Peter Freitag Bug 86654:HMACs or Hash-based Message Authentication Codes are becoming a fairly standard requirement when working with various APIs Problem:
HMACs or Hash-based Message Authentication Codes are becoming a fairly standard requirement when working
2597642 CF-3043067 Security : SSL Peter Freitag Bug 85814:-(Watson Migration Closure)Need better error message than peer not authenticated when there is a SSL problem with CFHTTP Problem:
Need better error message than peer not authenticated when there is a SSL problem with CFHTTP.
Method
2682291 CFB-4130071 Security Code Analyzer Peter Freitag Security Analyzer Fails Silently when not using builtin server Problem Description:
When you have a server setup with secure profile and try to use the security analyzer with it, the security analyzer fails silently. The request to the CF
2609987 CF-3739003 Administrator Peter Freitag Unable to Decrease Memory Limit per Application for In-Memory Virtual File System Problem Description: If you decrease both the Memory Limit for In-Memory Virtual File System AND the Memory Limit per Application for In-Memory Virtual File System
2610033 CF-3737264 Installation/Config Peter Freitag SecureProfile should not install Example Datasources, Gateways, or Solr Collections Problem Description: When selecting secure profile, the installer still adds example/demo datasources, event gateway instances and solr collections. These things
Tracker Issue Error in init script when created using cf-init.sh
2610212 CF-3719102 Installation/Config Peter Freitag Error in init script when created using cf-init.sh Problem Description:
I had to run cf-init.sh to create the startup script in /etc/init.d/ since the installer didn't do this for me (filed bug for this #3719096). The init script that it creates
2610213 CF-3719096 Installation/Config Peter Freitag Linux Installer does not Start ColdFusion on system init when selected Problem Description:
Ran installer, and selected "Start ColdFusion on system init" but no start script was added to /etc/init.d/
Steps to Reproduce:
Run installer
Tracker Issue ColdFusion AMIs default to 512MB max heap
2612241 CF-3535998 Installation/Config Peter Freitag ColdFusion AMIs default to 512MB max heap Problem Description:
The ColdFusion AMIs default to a 512MB max heap size, this should be increased to a higher value especially on large, x-large instances which have at least 7.5GB of RAM.
Steps
Tracker Issue Unable to specify Cookie Timeout of -1 in Administrator
2613387 CF-3326488 Security Peter Freitag Unable to specify Cookie Timeout of -1 in Administrator Problem Description: In Application.cfc you can specify this.sessioncookie.timeout=-1 however you can't specify a timeout of -1 server wide in the ColdFusion administrator.
Steps to Reproduce: Go
2613388 CF-3325996 Web Container (Tomcat) Peter Freitag Status command fails in Linux Startup Script when Default Shell Empty Duplicate ID: CF-3339175
Problem Description: If you have setup your ColdFusion user on linux with a default shell of something like /sbin/nologin when you try to run /etc
4019926 CF-4201329 Language : Tags Peter Freitag The encodeFor value is not passed to nested cfoutput tags Problem Description: If you have a cfoutput tag with encodeFor specified it does not apply the encoding to nested cfoutput tags. The entire point of encodeFor is to make it easy for developers
is needed. Date Added :2016-01-15 14:23:26.0
Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2016-01-14 17:56:17.0
Tracker Comment Comment on Security Analyzer Times out after 30 seconds, unable to scan large dir by CFwatson U.
just run.
Date Added :2016-03-17 06:19:13.0
Added By: PreRelease User User Name:Peter Freitag Note Added: Yes that setting was the trick - I increased the timeout to 300 seconds and the scan completed on the large file set.
Rather than just closing the bug, I would urge you to consider as David
Tracker Issue Ubuntu Not supported in cf-init.run.sh
2609762 CF-3781603 Installation/Config : Scripts Peter Freitag Ubuntu Not supported in cf-init.run.sh Problem Description: Installing CF11 on Ubuntu it does not start CF automatically (does not setup a script in /etc/init.d/) even though I checked the option to start on system init during
Tracker Issue Hard Coded References to /CFIDE/scripts
2610031 CF-3737272 AJAX Peter Freitag Hard Coded References to /CFIDE/scripts Problem Description: There are several hard coded references to /CFIDE/scripts/ -- the /CFIDE/scripts path can be changed in the ColdFusion administrator causing the features that rely on a hard coded value to fail
2612402 CF-3515644 Net Protocols : HTTP Peter Freitag CFHTTP with compression="none" fails to decode deflated http response Problem Description:
When specifying compression="none" in the tag or if specifying the headers:
(Which appears to be equivalent to what compression="none" does apparently
Tracker Issue MySQL 5.6 Unable to Execute Queries
2612466 CF-3506758 Database Peter Freitag MySQL 5.6 Unable to Execute Queries Problem Description:
The MySQL JDBC Driver that ships with ColdFusion makes calls with SET OPTION, which has been deprecated in favor of SET (without OPTION) for some time. MySQL 5.6 removes support for SET OPTION
Tracker Issue Image Functions All Fail on Mac
2608766 CF-4010041 CFIMAGE Peter Freitag Image Functions All Fail on Mac Problem Description:
Any image function I try to use fails, all output to the page stops at the point where the image function is executed.
Steps to Reproduce:
Run this code:
BEGIN
Hello?
Same thing happens for any
Tracker Issue Using Redis for Session Management Fails
2673501 CF-4126479 Core Runtime : Session Management Peter Freitag Using Redis for Session Management Fails Problem Description: Set session management to Redis server installed locally, restarted the server and unable to login to CF Administrator due to session issues.
Steps to Reproduce