A Serious Development Editor In Your Browser

A preview of Visual Studio Code “for the Web” has been released a few days ago. This means that you can now develop code in any (modern) browser – even on an iPad: just head over to https://vscode.dev.

I have been a big fan of VSCodium, the “free/libre” version of Visual Studio Code, for quite some time now: I don’t need more for maintaining the ColdFusion, HTML, JavaScript and “classic” ASP code that make up the bulk of my daily work!

I know this is not the first editor that works in a browser, and it’s not yet a workable solution: many plugins will have to be adapted to work correctly in a browser setting. Nevertheless: I’m impressed.

Advertisement

Read Full Post »

The CFSCHEDULE Tag In CF11 Is Broken

A long time ago I created simple ColdFusion page to display the specifications of all the ScheduledTasks defined on the server. I can’t remember if that was while we running CF6 or CF8, but the principle was to read the ‘neocron.xml’ fil, extract all required info from it, and turn those data into a query object. Simple, and it worked well. Better yet: it continued to work when we moved  all code to ColdFusion 11.

By accident I found out that the <cfschedule> tag had been extended with a new action called ‘list’, returning a Query. Clearly, that would be a much simpler solution that what we did in the past. Hence I set out to replace the existing code, to get the content of the file and add it to a Query, with a single line <cfschedule action=”list” result=”qTasks” />. So far, so good.

But… There are a few issues.

The first issue is that there is a column called ‘group’. If you try to select that column in a Query of Queries, ColdFusion 11 spits out an error message:

There are ways to rename columns in a CF query object, even in Adobe’s ColdFusion. This post explain two of them: https://blog.simplicityweb.co.uk/125/renaming-cfml-query-columns. Going from Query to JSON, then adapting column names, and then going back from JSON to Query is certainly possible. But that is not really an improvement on my original solution.

I simplified my display of the Query a bit, ignoring the category grouping I had in my older code. Then I hit another issue.

When I tried to display the date and time a ScheduledTask had last executed, I was sorry to see that not all rows had a value – even though all ScheduledTasks had effectively been run at least once, and did indeed display correctly in the ColdFusion Administrator console as well as in my old solution (meaning the dates are correctly stored in the ‘neocron.xml’ file). Somehow the <cfschedule> tag does not deliver the ‘lastfire’/’last_fire’ values (yes, there are two columns with almost the same name and identical data in that query result) – perhaps because some of the ScheduledTasks have an ‘Expired’ status? Still, why not pass them on and let the developer decide when and how to deal with them? And why does the ColdFusion Administrator console display them correctly (because it does not use <cfschedule>, of course) ?

Last but not least, although the query results are generated by ColdFusion, the dates in this particular query are not accepted by the ‘LSDateFormat()’ function, which complained with messages like this one:

{ts '2021-11-04 15:20:00'} is an invalid date format.

I can only hope those issues with <cfschedule action=”list”> are solved in one of the later versions of ColdFusion. Or do we have to migrate to Lucee in order to find less bugs?

Read Full Post »

Nimble ColdFusion: It Runs On A PiZero

The Raspberry Pi is an old topic on this blog, going back to 2012. I have been wondering whether it would be possible to run ColdFusion (or rather: CFML) on it. That would make it a neat system to try out all kinds of things that I cannot do at work.

I should have known that I’m not the only one asking that question – others have provided answers.

Brad Wood has a PiBox up and running since 2015 or so. It runs on a Raspberry Pi 2 over WIFi, if I read his blog correctly. Too bad he stopped blogging on it in 2015.

And now there is a second Pi doing something similar, although (literally) on a smaller scale: CB on the Pi is running on a PiZero with just 512 MB of RAM. As mentioned on Slack: it’s a “$20 webserver, size of a large coin“!

Nice work, guys, even if it’s just a demonstration of what is possible rather than a small but actually productive application of both the Pi and CFML !

Read Full Post »

A CFLint Anomaly… Or A Bug?

I’m still developing software in ColdFusion, and yes: in order to keep the code base consistent I still use the CFML markup style. I also try to apply a maximum of helper tools before committing the code to versioning. Now that I use VSCodium as my IDE (it’s more than an editor!) I’m happy to include CFLint in that setup.

Here’s a tiny component to demonstrate an inconsistency in CFLint.

In this form, CFLint will complain with this message “Local variable someoutput is not used in function testLocalVariable. Consider removing it ( UNUSED_LOCAL_VARIABLE )”. OK, let’s do that.

But when you delete the line that defines the local variable, you’ll get another error message, saying “Variable someoutput is not declared with a var statement ( MISSING_VAR )”.

So in the second situation it will detect the fact that ‘someoutput’ is a local variable, while that’s not the case in the first. Strange, yes. A bug ? Possibly…

I have checked the CFLint issue list, and I did find a few tickets that signaled that CFLint is not detecting the use of local variables with <cfdocument> and QueryByQuery. But none of those mention the fact that in some checks the variable is detected, and in others not. So I added my observations to the issue list of the project: Inconsistent local variable detection? #713.

Read Full Post »

Will Mau Have Seven Lives, Like All Cats?

There is a new markup language on the market. As a Wikificionado I like markup languages better than using any wordprocessor – for my own writing I haven’t used a wordprocessor in many, many years. Even at work I only use Word when I have to, and that has been a while ago (that probably means all I write are emails and code). And bug reports and documentation get dropped into JSPWiki and Trac and Joplin – all I need is simple markup.

I like markup for regular writing, and I use it daily in tools like Trac and JSPWiki. The trouble, of course, is that each of those tools (and many others!) uses a slightly different markup scheme.

And now there is a new contender on offer: Mau.

I can see where it comes from: the author needed more than what any simple markup could offer. I too have at times been frustrated by the lack of feature X or Y in any markup scheme. It surprised me to see that he did not check out LaTeX, which as far as I know should have covered his requirements. But it would probably have been too steep a learning curve.

Back to Mau: I haven’t yet tried it, but I can see that it would be a very nice tool for writing documentation. However, for me the system should be an extension of Markdown, let’s say a SuperMarkdown or MarkdownPlusPlus, rather than another variant markup scheme with subtle differences from what I know.

I guess I am not the only one to dislike “yet another divergent markup scheme”. So far I haven’t seen much traction for Mau… although it is, in a way, a very cool project. I applaud Mau’s author for making the effort – he clearly thought this through. And who knows: perhaps Mau becomes wildly successful in the future?

Read Full Post »

Little Brother CFLint Has A Few Strange Default Rules (At Least In My View)

I like CFLint for its ability to assist me in writing better code. But some of the rules implemented in the “standard” version strike me as arbitrary (“standard” meaning the version without any additions). If there is some kind of master rulebook for writing CFML or CFScript, then there is no reference to that in the CFLint source code, nor on its website.

I find that CFLint conflicts with some of the code style rules that I have been applying for over a decade. Code styles are always somewhat arbitrary, of course. They depend on the experience and knowledge of its author(s), on the frameworks and code libraries used, on the styles used in other programming languages at the same company, on the quality assurance rules applied, and more.

That is why I struggle with some of the rules currently fixed in CFLint. Here’s an example. When I write scope names like “APPLICATION” and “ARGUMENTS” the “VariableNameChecker” rule in CFLint complains, telling me that scope names should never be written in capital letters. My reasoning for doing that nevertheless is simple: the names of these scopes have been reserved and fixed by Adobe, so you cannot use them for anything else. So going “allcaps” on them neatly sets them apart from variable and function names. With the current situation I have to disable the rule completely.

I would like to see this checker adapted so that I can specify whether I want scope names “allcaps” or “nocaps” (or even “camelCase” of “PascalCase”) in the CFLint configuration file. That way I could easily check whether I applied my own rule correctly, by adapting the config as needed, regardless of the default set by the CFLint developers. The same approach could be worthwhile for variable names, component names, and function names, of course.

There are probably a few more situations like that in CFLint. If I find the time I may have a look at the Java code, to see how this might be implemented (don’t hold your breath, though).

 

 

Read Full Post »

Little Brother Is Watching My CFML Code

I am getting used to working with VSCodium for my development work (VSCodium is essentially the same tool as Visual Studio Code). I chose VSCodium because it is a multiplatform tool, it is very flexible and extendable, and thus it has good support for many programming languages. What’s not to like?

One of the VSCodium extensions I’m trying out is CFLint. My ColdFusion development career is still stuck at CF11, and the tools I use to help me validate my code are indeed… a bit dated: I use a slightly adapted version of ‘VarScoper‘ (see my earlier comments on this) and the ‘CFML Complexity Metric Tool‘ (see https://github.com/NathanStrutz/CFML-Complexity-Metric-Tool), as well as an extensive series of unit test running in ‘cfcUnit‘ (sorry, its homepage no longer exists). Say what you want: any helper tool, even if it’s dated, is better than no tool.

CFLint is much more recent, and it handles CFScript as well as my trusty tag-based code. It’s caught a number of inconsistencies in my code, like unused variables, which is very good – less code equals less opportunities for errors. Using CFLint also removes an obstacle to my moving to CFScript, so yes I am progressing – even if it’s just at a slow pace ;-)

But I have a few niggles with CFLint; I guess I will have to create a few tickets in the project site on Github, and/or come up with a solution that’s acceptable to all other users of the tool as well. CFLint assumes that everyone codes in the same manner, according to the same rules. That is a bit assumption, and it clashes with some of the rules that I applied to my code. Not all of the situations are easily reconfigured with the options that CFLint (currently) allows. Here are a few of things I found… disturbing, at least for my use case.

• I can agree with the rule that .cfm/.cfml file names should not start with a capital letter. But for old-school ColdFusion developers like me there is no way to escape Adobe: ‘Application.cfm‘ absolutely has to start with a capital!
• Worse: the file starts with three comment lines, and CFLint seems to use that fact as a reason to repeat the message “The file Application.cfm should not start with a capital letter” three times…
• In general, I agree with the rule that variable names should be written in ‘camelCase‘ (or ‘PascalCase‘). But it would be nice to have the opportunity to list a few exceptions to that rule.
• So far, I haven’t seen a check for double variable declarations – my bad, or is it really missing?

All in all, after a bit of tweaking I now have a fairly usable CFLint setting in my ‘.cflintrc‘ file – it’s good to have a tool looking over my shoulder to catch inconsistencies, mistakes, typos and more.

Read Full Post »

PowerShell Quickie: List All IIS Sites And Their TLS Certificate

I’m a newcomer to managing TLS/SSL certificates for intranet sites and applications. Renewing all the bindings (2 per site) for dozens of sites is no fun in IIS… but I have not yet found the time to familiarise myself with PowerShell in a sufficient way to write a script to replace me ;-)

To help me nevertheless, I found and adapted a nice script, universally usable on all Windows servers running IIS to serve TLS/SSL sites:

Import-Module -Name WebAdministration

Get-ChildItem -Path IIS:SSLBindings | ForEach-Object -Process `
{
   if ($_.Sites)
      {
         $certificate = Get-ChildItem -Path CERT:LocalMachine/My |
            Where-Object -Property Thumbprint -EQ -Value $_.Thumbprint

         [PsCustomObject]@{
            Hostname       = $_.Host
            TLSCertificate = $certificate.FriendlyName
            ValidUntil     = $certificate.NotAfter
            Thumbprint     = $certificate.Thumbprint
         }
      }
}

This will list all the sites and the current certificate for the hostnames as well as their enddate. Nothing fancy, but very handy when trying to figure out which hostname you forget to handle!

PS. Yes, the backtick at the end of line three is essential… don’t leave it out.

Read Full Post »

Should You Build Your Own CMS?

The Content Management Systems (CMS) market is quite extensive: the well-known CMS Matrix website lists more than 1300 products! That doesn’t make a choice any easier, of course. Hence sometimes people say: “Let’s build our own CMS“.

Is that a good idea? What does it mean to build your own CMS? What advantages and disadvantages do you have to take into account when starting to write a CMS from scratch?

The article “Why Would You Write Your Own CMS?” is highly recommended to any developer and webmaster considering writing their own CMS. The author does not pretend to be exhaustive, but I think he manages to list the main characteristics of that process.

When all is said and done, the main reason I chose to write my own CMS is because I wanted to. The main benefit is that it’s precisely what I need, and the main drawback is that it took ages to build.

Now it is of course true that James Edwards built a system that is “precisely what he needed”: he is also the only user, so to speak. If you want to build your own CMS for the company, you have to consider additional disadvantages – and advantages, of course. I know from experience that one of those important advantages is the flexibility with which you can adapt the CMS to the inevitable changes within and around your company. And you cannot say that about many existing products …

On the other hand, a plea for “do it yourself” should not mean that you should not look at a number of content management platforms. Such a platform offers basic functionalities, and on top of that it will have one or more ways to add custom functions. The examples are well-known: Drupal, Joomla, WordPress, Typo3 and many others can be installed on your own servers; platforms such as Wix, BigCommerce, Shopify and Bitrix24 provide the hosting, so you only have to focus on the content.

Each type of solution has advantages and disadvantages, so there is no “best” solution for all possible situations. Studying, trying and comparing different solutions is the only way to find out what fits your needs!

You can read this post in dutch on the ‘innologos’ blog.

Read Full Post »

What About CVE-2021-21087, Adobe ?

Strange how things go: the “critical security issue” Adobe reported on March 22, 2021 seems to be less critical than originally thought – the severity of the issue has been lowered to “moderate” (whatever that means).

The offending line…? (Source: Dave’s Twitter feed)

The issue, of course, is that we have no way to verify what is going on: Adobe remains mum on the exact nature of the issue, refuses to engage with the ColdFusion community on the subject (cf. the CFML workspace on Slack), and as developers we can only ask the question: is this the support we’re supposed to pay for?

Read Full Post »

How Critical Is CVE-2021-21087 For Older ColdFusion Versions?

Adobe has reported a “critical” security issue with the latest versions of ColdFusion, although the page titled “Security updates available for Adobe ColdFusion | APSB21-16” currently does not give many details.

At work we’re still running ColdFusion 11, and that version is not mentioned in the report (probably because it is already out of support). Nevertheless I would to know whether CF11 is also concerned by this issue – if only to tell our IT security office that we have no problem with vulnerability CVE-2021-21087 in our configuration ;-)

The only information I have found so far is unofficial: if I understand things correctly, Dave Walker is telling us that the error is an unchecked input in the CFAJAX package:

The offending line…? (Source: Dave’s Twitter feed)

I would love to see confirmation of that, and I wonder: do earlier versions of ColdFusion already contain the same error?

Read Full Post »

Should AI Be Tested Like A Vaccine?

In Has Microsoft 365 Been Clinically Tested? James Robertson poses a few hard questions, and rightly so. I do not want to enter into the debate about the nature of AI (is it intelligent, or just algorithms?); regardless of the answer to that question what interests us here is the relevance, accuracy, usefulness, reliability and sustainability of the solutions offered – and of course, not just Microsoft but any provider of AI-based solutions should be able to provide us with clear answers to those questions.

One of the core problems with AI is bias, and in the words of Julia Powles and Helen Nissenbaum (in “The Seductive Diversion of ‘Solving’ Bias in Artificial Intelligence“) all AI “bias is social bias”. Even if we ignore the (much larger) problems AI bias can cause in society at large, there is the issue of how well an IA solution will work for company X if it was built/trained by a company on another continent, in a different culture, and even with a different company culture.

Will be be able to “Build our own AI”? What mechanisms and tools will we have to investigate the workings of an off-the-shelf AI? Should we avoid AI altogether (there is excellent SF literature that makes this point – try Frank Herbert’s “Dune”)? Or do we have to teach all AI the equivalent of Asimov’s three Laws of Robotics?

Thanks for the image, XKCD

Read Full Post »

As If We Didn’t Know: “Attackers Can Be Devious”

We live in an era of rapidly increasing digitalisation. Hence it’s no surprise that digital systems, however complex they may be, are the subject of increasingly sophisticated attacks. If you want proof of that, take a few hours and read “An iOS zero-click radio proximity exploit odyssey” by Google engineer Ian Beer. He explains how he discovered – and “exploited” – a vulnerability in Apple’s iOS that made it possible to take over an iOS device remotely without the user knowing what happened.

If you like programming, like me, you’ll find the story lacking in code but rich, very rich, in debugging techniques. Plus a lot of detective work and experimenting – in soft- and hardware. That’s what “hacking” is about, of course, and this story is a good illustration of just how devious you have to be!

Read Full Post »

So You Think *nix Commands Are Hard To Memorize?

It had been a while, many years actually, since I needed the Windows equivalent of “touch“. You don’t know that command? All it does is change to modification date and time of a file (or a series of files) to the current date and time of the computer. I used to turn to the Cygwin toolkit to get things done, in the days when corporate Windows PC’s weren’t so closed off and you could install your own tools.

Luckily for me there is an equivalent in Windows, on the command line. You can use this somewhat strange command to get the same result:

copy /b filename.ext +,,

Yes, that’s a plus sign followed by two commas at the end. I’m writing it up here because I know I won’t remember that correctly in a few days!

Read Full Post »

A Security Issue In ColdFusion, And How To Handle It

Charlie Arehart is a well-known ColdFusion specialist. Two days ago, he wrote a blog post explaining why one should be careful about securing ColdFusion Archive (CAR) files. The Adobe ColdFusion team isn’t very explicit about the issue, telling us in small print that we should delete those files after using them – but does not explain why we should do so. So Charlie explains it in great detail – if you work with Adobe ColdFusion, you should check out his blog.

Now Charlie only mentions versions 2016 and 2018 of ColdFusion, and I know that there are still developers around that work with older versions – actually, I’m one of those: ColdFusion 11 is what I support (and occasionally develop for) since 2015. I have been using  .car files for installing CF servers, and I had already been looking at what they contained. But I had never seen the ‘seed’ and ‘algorithm’ strings Charlie writes about, but I could have overlooked them. So I went in again today, to verify things.

I can confirm that .car files created in CF11 do NOT contain those strings. But before you start celebrating, I must warn you that this probably means that the situation is even worse than for more recent versions. Because CF11 will write (encrypted) passwords into a .car file, and yes: those files can be used to reconfigure another server, passwords included ! Which probably means that all CF11 runtimes use the same seed and algorithm, rendering  CF11.car files containing passwords even more insecure than later versions…

I did not know about all this until yesterday, but I seem to have circumvented the problem: I wrote an application to install datasource definitions on the servers rather than use CAR files. That offers multiple advantages: the code  (and hence the definitions) is under version control, and can only be accessed by authorized users; we have different definitions for different environments; etc. And the.car files I do use have no passwords in them – whew!

But it’s clear that it pays take this issue into account as a ColdFusion developer or administrator, whatever solution you choose (and Charlie has a few propositions).

Read Full Post »