tracker issue : CF-3710270

Title:

Can no longer include non CFML files


Status/Resolution/Reason: Closed/Withdrawn/Duplicate

Reporter/Name(from Bugbase): Adam Cameron / Adam Cameron (Adam Cameron)

Created: 02/19/2014

Components: Language

Versions: 11.0

Failure Type:

Found In Build/Fixed In Build: PublicBeta /

Priority/Frequency: Major / All users will encounter

Locale/System: English / Platforms All

Vote Count: 7

Duplicate ID:	CF-3710326

SSIA, really.

Repro:
<cfinclude template="junk.js">

Error:
Invalid template junk.js provided for CFINCLUDE tag.
CFINCLUDE tag only supports including ColdFusion templates.

One has always been able to include any sort of file in ColdFusion. This is a regression.

It also completely prevents me from using the beta.

-- 
Adam

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3710270

External Customer Info:
External Company:  
External Customer Name: Adam Cameron.
External Customer Email:  
External Test Config: My Hardware and Environment details:

Attachments:

Comments:

This will break a number of existing apps. Is there a reason for the change?
Vote by External U.
13487 | February 19, 2014 03:11:56 PM GMT
Apparently this is configurable. Still trying to find the setting, but will report back when I do. It should be OFF by default though!! -- Adam
Comment by External U.
13479 | February 19, 2014 03:22:18 PM GMT
I can be convinced of defaulting to ON *if* there is a substantial reduction in security risk from it to offset the inconvenience. The functionality could be changed to simply include and not parse the file as CFML. Minimally, the error message should contain information about changing the configuration so when people run into this while upgrading they'll know what to do (as opposed to Adam who assumed he had no workaround).
Comment by External U.
13480 | February 19, 2014 03:28:58 PM GMT
Unless there's some legitimate explanation as to how this improves security (see https://prerelease.adobe.com/project/forum/thread.html?cap=B8CDVAAE-3274660F14CB987A125D44F0FCBC5&forid={AEC1AD04-63EA-4E14-831D-1E01029A3B26}&topid={9B7F920B-DEF1-4F27-B9F2-4B6BFB6DE500} for a discussion), this just doesn't make sense to me. A lot of powerful, dynamic stuff can be done with cfinclude and non-CFML files (we use .config files in our framework), and I personally don't see the value in this.
Comment by External U.
13481 | February 19, 2014 03:36:53 PM GMT
Unless there's some legitimate explanation as to how this improves security (see https://prerelease.adobe.com/project/forum/thread.html?cap=B8CDVAAE-3274660F14CB987A125D44F0FCBC5&forid={AEC1AD04-63EA-4E14-831D-1E01029A3B26}&topid={9B7F920B-DEF1-4F27-B9F2-4B6BFB6DE500} for a discussion), this just doesn't make sense to me. A lot of powerful, dynamic stuff can be done with cfinclude and non-CFML files (we use .config files in our framework), and I personally don't see the value in this.
Vote by External U.
13488 | February 19, 2014 03:37:19 PM GMT
Creayt, the public can't see the prerelease threads. And... erm... you're under NDA so you can't share 'em anyhow. Do you, by any chance, know how to switch this bloody feature off? I've checked all the XML files and any other file that mentions "cfinclude" or "include" and can see no setting. Cheers. -- Adam
Comment by External U.
13482 | February 19, 2014 04:48:39 PM GMT
Oops. I just followed a link and didn't even notice the difference. Here you go: "Vamseekrishna Manneboina: Yes, this was done as part of a security measure. You can now only include CFM/CFML files by default. You can specify additional extensions via a property called allowedextforinclude in neo-runtime.xml. By default, HTM and HTML file extensions are already added to this list/property, thereby allowing for inclusion of HTM and HTML files too by default."
Comment by External U.
13483 | February 19, 2014 04:57:10 PM GMT
Should be an over-ridable setting on a per-application basis (Application.cfm and Application.cfc).
Vote by External U.
13489 | February 19, 2014 05:35:16 PM GMT
I have a library of .inc and .sql files that I use with cfinclude. This change to CF11 breaks a few of my apps. Please specifically identify the security issue here? I cannot think of one at all. Please remove this nonsense restriction.
Vote by External U.
13490 | February 19, 2014 09:35:21 PM GMT
Considering how important "backward compatibility" is when denying so many enhancement requests, to break backward compatibility like this in a way that can only be overridden by manually modifying server-wide configuration files and restarting the service is insane! Suggestion: add a wildcard to the XML file setting and make that the default. Document how admins can change the XML setting to tighten security if they wish. That will maintain backward compatibility.
Vote by External U.
13491 | February 20, 2014 03:43:31 PM GMT
Same reason as on Bug #CF-3710326 ( https://bugbase.adobe.com/index.cfm?event=selectBug&CFGRIDKEY=CF-3710326 ) - it breaks existing applications and no explanation of the claimed "security measure" has been given.
Vote by External U.
13492 | February 23, 2014 09:37:40 AM GMT
We have another bug for this and Pavan has already fixed it. He will check in the change and mark both of them as fixed.
Comment by Rupesh K.
13484 | February 26, 2014 11:48:47 PM GMT
Fixed the bug CF-3710326, which is similar to this bug. Added the new change. The new behavior will be:
1) By default only cfm files get compiled in the cfinclude tag and all other file types get included statically.
2) The key allowedextforinclude can now be specified at the application level as well.
3) Added the setting to Server settings -> settings page.
4) If wildcard (*) is specified in the value, all files will be compiled. Wildcard support is added at both server and application level.
Comment by S V.
13485 | February 27, 2014 08:19:54 AM GMT
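The three behaviours discussed in this thread (the public beta refusing any non-CFML include, the allowedextforinclude allowlist quoted from Adobe, and the fixed behaviour where unlisted files are included as static text and a "*" wildcard compiles everything) can be modelled in a few lines. The following Python is an added illustration, not ColdFusion's own code: the setting name is taken from the comments above, the default extension list is constructed from the quoted Adobe reply (cfm/cfml plus htm/html), the sample files are made up, and the "compiler" is a toy that only expands #name# references. It exists to show the security-relevant difference the fix introduces: a file that is not on the allowlist has its contents emitted verbatim instead of being executed as CFML.

```python
"""Model of the cfinclude extension policy described in the bug comments.

Added illustration, not ColdFusion's code. Assumptions: the allowlist key is
'allowedextforinclude' (per the thread), DEFAULT_ALLOWED is reconstructed from
the quoted Adobe reply, SAMPLE_FILES are constructed, and toy_compile is a
stand-in for the real CFML compiler.
"""
import re
from pathlib import PurePosixPath

# Constructed sample files standing in for an application directory.
SAMPLE_FILES = {
    "header.cfm": "<h1>#title#</h1>",
    "junk.js": "var greeting = '#title#';",
    "settings.config": "title=#title#",
    "README": "#title#",
}

# Reconstructed from the Adobe reply quoted above: CFM/CFML by default,
# with HTM/HTML "already added to this list".
DEFAULT_ALLOWED = "cfm,cfml,htm,html"

BETA_ERROR = ("Invalid template {template} provided for CFINCLUDE tag. "
              "CFINCLUDE tag only supports including ColdFusion templates.")


def parse_allowed(setting: str) -> set:
    """Normalise a comma-separated allowedextforinclude value.

    Entries are trimmed, lower-cased and stripped of a leading dot, so
    'CFM, .Inc' and 'cfm,inc' describe the same policy.
    """
    return {e.strip().lower().lstrip(".") for e in setting.split(",") if e.strip()}


def compiles_as_cfml(template: str, allowed: set) -> bool:
    """Decide whether a template path is compiled (True) or treated as static."""
    if "*" in allowed:          # wildcard: everything is compiled (pre-CF11 behaviour)
        return True
    # suffix is '' for 'README' and for dotfiles such as '.htaccess';
    # for 'archive.tar.cfm' only the last extension counts.
    ext = PurePosixPath(template).suffix.lstrip(".").lower()
    return ext in allowed


def toy_compile(source: str, variables: dict) -> str:
    """Stand-in for the CFML compiler: expand #name# references only."""
    return re.sub(r"#(\w+)#",
                  lambda m: str(variables.get(m.group(1), m.group(0))),
                  source)


def cfinclude(template, allowed_setting=DEFAULT_ALLOWED, variables=None,
              mode="fixed", files=SAMPLE_FILES):
    """Simulate <cfinclude template="..."> under a given allowlist.

    mode="publicbeta": unlisted extensions raise the error from the report.
    mode="fixed":      unlisted extensions are included as static text.
    Returns a (kind, output) pair where kind is 'compiled' or 'static'.
    """
    variables = variables or {}
    allowed = parse_allowed(allowed_setting)
    if template not in files:
        raise FileNotFoundError(template)
    source = files[template]
    if compiles_as_cfml(template, allowed):
        return ("compiled", toy_compile(source, variables))
    if mode == "publicbeta":
        raise ValueError(BETA_ERROR.format(template=template))
    # Fixed behaviour: contents pass through untouched, nothing is executed.
    return ("static", source)


if __name__ == "__main__":
    for name in SAMPLE_FILES:
        print(name, "->", cfinclude(name, variables={"title": "Hello"}))
    print("wildcard ->", cfinclude("junk.js", "*", {"title": "Hello"}))
```

Run as a script it prints one line per sample file showing which were compiled and which were passed through. The per-application override described in the fix corresponds to calling cfinclude with a different allowed_setting, such as "cfm,cfml,inc,sql" for the .inc/.sql library mentioned in the comments; note that adding an extension to the list means any file with that extension reachable by cfinclude is executed as code, which is the trade-off the allowlist exists to make explicit.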
Thank you! This seems like a good way to fix the complaint (and what you should have done in the first place!). It will still break some code, but with a server-level setting it will be easy to allow old code to run until it has been updated.
Comment by External U.
13486 | February 27, 2014 10:59:38 AM GMT
Yeah, I just tried running ColdDoc for the first time on 11, and it threw an exception.
Vote by External U.
13493 | May 08, 2015 08:30:49 AM GMT