Archive for the ‘ColdFusion’ Category

Charlie Arehart is a well-known ColdFusion specialist. Two days ago, he wrote a blog post explaining why one should be careful about securing ColdFusion Archive (CAR) files. The Adobe ColdFusion team isn’t very explicit about the issue, telling us in small print that we should delete those files after using them – but does not explain why we should do so. So Charlie explains it in great detail – if you work with Adobe ColdFusion, you should check out his blog.

Now Charlie only mentions versions 2016 and 2018 of ColdFusion, and I know that there are still developers around that work with older versions – actually, I’m one of those: ColdFusion 11 is what I have supported (and occasionally developed for) since 2015. I have been using .car files for installing CF servers, and I had already been looking at what they contained. I had never seen the ‘seed’ and ‘algorithm’ strings Charlie writes about, but I could have overlooked them. So I went in again today, to verify things.

I can confirm that .car files created in CF11 do NOT contain those strings. But before you start celebrating, I must warn you that this probably means that the situation is even worse than for more recent versions. Because CF11 will write (encrypted) passwords into a .car file, and yes: those files can be used to reconfigure another server, passwords included! Which probably means that all CF11 runtimes use the same seed and algorithm, rendering CF11 .car files containing passwords even more insecure than those of later versions.

I did not know about all this until yesterday, but I seem to have circumvented the problem: I wrote an application to install datasource definitions on the servers rather than use CAR files. That offers multiple advantages: the code (and hence the definitions) is under version control, and can only be accessed by authorized users; we have different definitions for different environments; etc. And the .car files I do use have no passwords in them – whew!

But it’s clear that it pays to take this issue into account as a ColdFusion developer or administrator, whatever solution you choose (and Charlie has a few propositions).
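A way to check a server for leftover archives, as an added example that is not from this post, from Charlie's or from Adobe: it walks a directory, opens each .car file and reports which members mention 'password', 'seed' or 'algorithm'. It assumes .car files are ZIP containers (with a raw-byte fallback when they are not) and that 'password' is a usable marker; the sample archives, member names and values are constructed.

```python
import os
import tempfile
import zipfile

# 'seed' and 'algorithm' are the strings the post mentions; 'password' is an
# assumed marker for stored credentials, not a documented key name.
MARKERS = (b"password", b"seed", b"algorithm")


def markers_in(data):
    """Return the markers present in a byte string, case-insensitively, sorted."""
    lowered = data.lower()
    return sorted(m.decode() for m in MARKERS if m in lowered)


def audit_car(path):
    """Return {member: [markers]} for one .car file.

    Assumption: the archive is a ZIP container. Anything else is scanned as
    raw bytes and reported under the pseudo-member '<raw>'.
    """
    findings = {}
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as archive:
            for info in archive.infolist():
                if not info.is_dir():
                    hits = markers_in(archive.read(info))
                    if hits:
                        findings[info.filename] = hits
    else:
        with open(path, "rb") as handle:
            hits = markers_in(handle.read())
        if hits:
            findings["<raw>"] = hits
    return findings


def audit_tree(root):
    """Audit every *.car file below root; an empty dict means no marker in it."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".car"):
                full = os.path.join(folder, name)
                report[full] = audit_car(full)
    return report


def build_sample(root):
    """Write three constructed archives (invented member names and values)."""
    with zipfile.ZipFile(os.path.join(root, "with_password.car"), "w") as z:
        z.writestr("datasources.xml",
                   "<var name='PASSWORD'><string>CONSTRUCTED-VALUE</string></var>")
    with zipfile.ZipFile(os.path.join(root, "no_password.car"), "w") as z:
        z.writestr("mappings.xml", "<var name='/app'><string>D:/apps</string></var>")
    with open(os.path.join(root, "not_a_zip.car"), "wb") as handle:
        handle.write(b"seed=CONSTRUCTED\nalgorithm=CONSTRUCTED\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, findings in sorted(audit_tree(tmp).items()):
            status = "contains credential material" if findings else "no markers"
            print(f"{os.path.basename(path)}: {status} {findings}")
```

Point `audit_tree` at the folders where archives get dropped during a migration; any file it reports with findings is one to remove once the import is done.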

Read Full Post »

So you’re developing a ColdFusion application and you need to access the output of a Windows program, like ‘netstat.exe‘ to take the example from the Adobe documentation?

The documentation on how to do that is relatively complete, but fails to emphasise an important point. Try this, and you’ll see… nothing, no output:

<cfexecute name="C:/Windows..../netstat.exe" variable="output" />
<cfdump var="#output#" />

The important point is that you really need to specify a non-zero ‘timeout‘ argument if you want to capture the output of the Windows tool in a variable. Simple, but yes: this one had me stumped for 90 seconds!

<cfexecute name="C:/Windows..../netstat.exe" variable="output" timeout="1" />
<cfdump var="#output#" />

If you forget that ‘timeout‘ argument the command you issue will execute, but you won’t know its output, since ColdFusion is already further along in its execution. You may have to experiment a bit with the value for the timeout, depending on the specifics of the machine you’re running ColdFusion on and the execution time of the command called (obviously). Not specifying the timeout will launch the command, but it won’t wait for the command to end – which can be useful as well – but not always.

Read Full Post »

I encountered this weird situation last week: while testing ColdFusion code from a previous decade, I would see the output of part of the screen twice. Just like that – I had not changed a thing to the logic of the code, just cleaned up a bit of what I consider to be “bad” formatting in code written by others a long, long time ago (2005 or so).

I spent hours debugging the code, even invited a few colleagues to help me – and then suddenly it struck me: CFML may look like XML, but it isn’t XML. Some CFML tags do their thing a second time when the tag is explicitly closed. One of those tags is <cfmodule>. I never use it myself – I prefer components and functions. But the code under scrutiny included a <cfmodule template='whatever.cfm'>, and to “clean things up” I had added a slash at the end, like this: <cfmodule template='whatever.cfm' />. Hence the double execution. So don’t do that, will you? Avoid closing <cfmodule>!

You can imagine my state of mind when I realised my error, don’t you? Yeah… I had seen this problem before, but much too long ago to actively avoid it in practice.

Before lecturing me on the subject: I know, I should be writing cfscript… but I don’t have the luxury to rewrite code that is more than 10 years old. So it will stay as it is.

Also: I consider this to be a bug in Adobe ColdFusion (at least in versions 6, 8 and 11). There’s no logical reason for such behaviour. I don’t know if Lucee or BlueDragon act similarly, but I hope they’re smarter than that!

And for the record: for me, code is “badly” formatted when it is hard to read – by me. I know compilers and computers have no trouble handling things like whole programs on a single line, or lacking coherent indents (unless it’s Python, of course), or unclosed XML tags (elements), to name but a few examples. I want code to be easily readable by humans, and certainly by me – especially if I’m responsible for its maintenance…

Read Full Post »

I noticed some interest in my earlier posts about ntlmHTTP, and that surprised me a bit. I wrote about the subject in 2011, and that is a long time ago, in IT terms!

So to clarify things: the ntlmHTTP project is no longer required: Adobe added NTLM (aka. “Windows Integrated Authentication”) support to the CFHTTP tag in ColdFusion version 11. I did rework my code from 2011, and indeed: CFHTTP did suffice to call the Microsoft Exchange web services successfully with the credentials of a special technical account.

Although I did not test it I’m pretty sure NTLM is still there in later CF versions ;-)

Read Full Post »

At work I’m busy moving all the ColdFusion applications from Windows 2003 servers with CF8 to new virtualised servers with Windows 2012 running CF11. Configuring Windows and IIS is also much more complicated than ten or more years ago, but we have that under control now. Most of the ColdFusion (and Java) code transfers without a problem, and I spend more of my time deleting scripts and components that are no longer used than modifying code.

Until this week, when I stumbled over a script that shows an inventory of the active Scheduled Tasks on the server, together with the link to their respective output (which we write to a network drive)… To do that, the code gets the data from the file, and then we put all the data in a handcrafted Query object. The names of the tasks and the links displayed fine, but there was something wrong with the start and end times: “1899-12-30” is not a time!

It took me hours to figure out what was wrong, because I was focusing on the date and time formatting functions used to format the data before adding them to the query. Why the formatting, you ask? Well, we wanted to sort the data on columns containing start and end times, and in previous versions of CF our solution was to prepare the strings before adding them to the Query – seemed like a good way to make sure that ‘11:00:00 AM‘ and ‘11:00:00 PM‘ turned up in the right place of a sorted column.

So what was wrong with our code? Let me quote the “Query of Queries user guide”:

If you create a query object with the QueryNew function and populate a column with date constants, ColdFusion stores the dates as a string inside the query object until a Query of Queries is applied to the query object. When ColdFusion applies a Query of Queries to the query object, it converts the string representations into date objects.

Our code added strings formatted as “hh:mm” to the Query object, but once we filtered or sorted that Query using QoQ those columns were transformed into datetime objects. ColdFusion 11 then adds that time to the default date used, i.e. “1899-12-30“.

Clearly, that was not the case in earlier versions of ColdFusion – at least not in CF8. There are multiple solutions to solve this problem, once you know what’s going on – so now our overview displays everything as intended.

Read Full Post »

I’m currently trying to automate the creation of datasources in ColdFusion server instances, in order to facilitate a number of migrations our machines and applications have to go through. For the record: this turns out to be reasonably simple, once you get the knack of using the ColdFusion Administrator API classes (if I find the time, I’ll write about that later).

One thing slowed me down: a typical error message without much meaning. This is what I received when recreating (or at least trying to recreate) an Oracle RAC datasource:

java.sql.sqlrecoverableexception: IO Error: NL Exception was generated

I wonder why developers often invent error messages that do not tell us what really went wrong. In this case, it turned out that I forgot to copy a single closing parenthesis at the end of the JDBC connection string. Let’s call that a syntax error, Oracle, and please give a significant message if I mess up! Or is it Adobe’s ColdFusion that is hiding more explicit and clear details about what went wrong?

Read Full Post »

Last weekend, I spotted two old BMW motorcycles on the road in the port of Antwerp (Belgium). I had my camera in my hands, so I managed a few badly-framed photos – you can see them on Flickr.

By chance, I also spotted an advertisement for a similar bike. I don’t pretend to be a specialist on the subject, but I haven’t seen many BMW R50/2’s in this color scheme (not even on Google Images), and I find this combination quite flattering!

A fine-looking oldie, as seen in one of the last advertisements on Kapaza

When I said I found this “zoekertje” by chance, I meant that I just had a quick look at the Kapaza website, because the site announced just last week that it will be closing down in a few days. I have visited that site, with its thousands of advertisements for second-hand stuff in many categories, while on the prowl for say another bike or a special lens for my camera. Kapaza is (was) one of the few big Belgian websites that used ColdFusion for at least parts of its site, and that made me pay a bit more attention to it also. This is one more website that won’t last half a century and more, unlike the motorcycle shown here!

Read Full Post »

Last week, I did lose a lot of time in what should have been a quick ColdFusion hack. My colleagues and I were just trying to set up a web service-based solution for a simple problem: they had a JavaScript page that needed a bit of data for which I already had the code in ColdFusion. So I created a new directory in an existing application, whipped up the required code in ‘index.cfm‘ to return a bit of JSON and tested the result from my browser… only to get an “Error 500 - Application index.cfm could not be found“.

Weird, heh? The required file was there, so why could CF11 not find it? Adding an ‘Application.cfm‘ did not help, neither did repackaging the code in a CFC. On CF8, on the other hand, everything worked as expected. So what was going on?

It took some time, but I did find the explanation: CF11 reserves the directory name ‘api’ for special treatment, so you can’t use it like any other directory name – and of course that was the name I had chosen! Adam Tuttle described the situation nicely in 2015:

Funny you should mention that the issue is inside an /api folder. I’m trying to track down the same problem, except I’m directly accessing an index.cfm (sort of — onRequest intercepts the request and redirects to CFCs as appropriate — it’s a Taffy API) and I’ve found that renaming the folder from /api to … literally anything else… works fine. It’s almost as if something in CF has special meaning at /api, like the special /rest mapping does.

Indeed, renaming my directory solved the problem – too bad it took me so long to find the cause. On to the next problem!

PS. Adam Tuttle has more to say on the subject, but his post on the subject has disappeared: the URL ‘http://fusiongrokker.com/post/coldfusion-11-sometimes-chokes-on-api‘ no longer points to the relevant text, but is redirected to another blog also belonging to Adam Tuttle. There, unfortunately, the post is NOT available. I won’t call this a case of linkrot, but it’s not good either. Luckily, the Wayback Machine has a copy of the page, including a few comments…

Read Full Post »

I just spent yesterday afternoon debugging a somewhat older ColdFusion+JavaScript application: some of the administration functions were not working. A partial explanation for my time spent on the issues is that the application was developed in the days of Internet Explorer 5. We’re still running IE6 on a substantial number of the several thousand PCs in use in the company… in combination with an older version of Chrome. So refactoring the JavaScript code (to make it work in both browsers) was part of the ‘fun‘.

In the end, the real cause of the core problem I encountered was to be found in a few SQL statements that I had neglected to check out, wrongly assuming they had been working in the past. The reason they continued to slip under the radar was simple: the original developer had managed to “hide” that SQL code in a <cftry> statement with an empty <cfcatch>. So there was nothing in the logs, of course.

From the OWASP website

Finding the root cause reinforced a lesson I had learned a long time ago: only catch exceptions if you’re going to do something serious and meaningful with them. No, swallowing them whole isn’t meaningful. OWASP summarizes: “Swallowing exceptions is considered bad practice, because the ignored exception may lead the application to an unexpected failure, at a point in the code that bears no apparent relation to the source of the problem“.

This story teaches a second lesson as well. In the future, I will scan code for exception swallowing situations before I start debugging – that could have saved me a lot of time today!
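The scan mentioned above could look like this, as an added example that is not code from this post or from OWASP: it flags `<cfcatch>` blocks whose body holds nothing but whitespace and comments, and goes one step beyond the case in the post by also covering the cfscript `catch (...) { }` form. The sample CFML, the datasource name and the function name `doWork` are constructed.

```python
import re

# <cfcatch ...>body</cfcatch>; the lookahead keeps a match from spanning a
# nested <cfcatch>, so an empty handler inside another handler is still found.
TAG_CATCH = re.compile(
    r"<cfcatch\b[^>]*>((?:(?!<cfcatch\b).)*?)</cfcatch\s*>",
    re.IGNORECASE | re.DOTALL,
)
# cfscript form: catch (any e) { body } where the body has no nested braces.
SCRIPT_CATCH = re.compile(r"\bcatch\s*\([^)]*\)\s*\{([^{}]*)\}", re.IGNORECASE)

CFML_COMMENT = re.compile(r"<!---.*?--->", re.DOTALL)
SCRIPT_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)


def is_empty(body, comment_re):
    """A handler counts as empty when only whitespace and comments remain."""
    return comment_re.sub("", body).strip() == ""


def find_swallowed(source):
    """Return sorted (line_number, kind) pairs for handlers that do nothing."""
    hits = []
    for pattern, comment_re, kind in (
        (TAG_CATCH, CFML_COMMENT, "cfcatch"),
        (SCRIPT_CATCH, SCRIPT_COMMENT, "catch"),
    ):
        for match in pattern.finditer(source):
            if is_empty(match.group(1), comment_re):
                line = source.count("\n", 0, match.start()) + 1
                hits.append((line, kind))
    return sorted(hits)


# Constructed sample: one swallowed tag handler, one handler that logs and
# rethrows, and one swallowed cfscript handler.
SAMPLE = '''<cftry>
    <cfquery name="upd" datasource="intranet">
        UPDATE tasks SET done = 1 WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfcatch type="any">
        <!--- ignore --->
    </cfcatch>
</cftry>
<cftry>
    <cfset total = a / b>
    <cfcatch type="any">
        <cflog file="app" type="error" text="#cfcatch.message#">
        <cfrethrow>
    </cfcatch>
</cftry>
<cfscript>
    try { doWork(); } catch (any e) { }
</cfscript>
'''

if __name__ == "__main__":
    for line, kind in find_swallowed(SAMPLE):
        print(f"line {line}: empty {kind} handler")
```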

Read Full Post »

Ray Camden wrote about the CF log file enhancements in CF9 a few years ago: “CF901: Logging enhancements“; among other things, he explained the possibility of disabling and enabling logging into particular log files. This is supposed to work in exactly the same manner in CF11. Since then this theme wasn’t discussed much. That’s too bad, because I have a strange problem in CF11, and there are no clues to find on the internet.

Here’s my situation: I accidentally disabled a custom log file for a Scheduled task, and now I can’t find a way to re-enable this log. I tried hijacking the “disable” link by replacing it with “enable”, but that did not work – not even after a restart of ColdFusion.

I needed some time to figure out that I could go on with my work again by renaming the .cfm file as well as the log file, but that does not really count as a solution. So all advice to get this specific log back to work will be appreciated!

Read Full Post »

Wednesday evening I attended the first meeting of the CFML UserGroup Belgium, which met at the Brussels Adobe offices. The ColdFusion User Group mentioned a few times on this blog in the past clearly is no more, but Guust is taking over the initiative (not the site, unfortunately).

Elisha Dvorak (Solution Consultant, Adobe) gave us a brief overview of what’s new in ColdFusion 2016. She also explained what the API Manager does and how it fits in the CF2016 solution. In short: the API Manager is a separate product, that comes free with the Enterprise Edition of CF2016. It’s not tied in one way or another to ColdFusion, but is offered since Adobe notices that CF is used to develop and run web services (SOAP as well as REST), and the API Manager helps control access to those services.


As an aside: Adobe is still looking for speakers at the CF SUMMIT in October 2016 in Las Vegas – they will pay your hotel and entrance fee to the conference. Just contact Elisha for details and suggestions!

Guust Nieuwenhuis, organiser of the meeting, then presented a brief overview of Bootstrap 4. After him came Damien Bruyndonckx, creator of the video courses on learning ColdFusion, that are currently available for free on the Adobe website.

Last but not least came Peter De Ranter, managing director of a software development company called Prosteps. He demoed Tilroy, an online POS that handles more than just sales, and which includes a webshop – that’s why Peter talked about “omnichannel“. What interested most attendees, of course, were the underlying technologies. As it turned out, Tilroy is a combination of a frontend running on a CFML engine, a Node.js-based dispatcher/controller/threading engine, and many dozens of Java microservices. The main database is stored in MongoDB, and everything runs on the Amazon cloud infrastructure. An impressive architecture, that probably wasn’t all too easy to set up, since the main focus of the product (apart from its features) is “performance”. And because of that need for speed, Tilroy uses just the Coldbox framework in combination with Bootstrap in the frontend – other frameworks were deemed too slow. Similarly, MongoDB turns out to be a lot faster than SQL Server when searching through hundreds of millions of “rows”.

All in all, I was glad to have assisted at this session – I learned a lot. Let’s see what comes up next time!

Read Full Post »

Somewhere around the start of 2008, I added the ‘varscoper‘ tool to my toolkit at work. If you don’t know this tool: ‘varscoper‘ will read your CFML code and indicate which undeclared local variables are left in your components and functions, waiting to inflict unexpected bugs and bad performance on your application. If you want to know why undeclared local variables can be so bad, start by reading Mike Schierberl’s thoughts on this subject – he’s the original author of the tool.

Thanks to a tip from Christopher Wigginton on cfml.slack.com, I was able to update my 2008 ‘varscoper‘ copy to version 1.4 of 2015. You’ll find the latest version on GitHub. This version still runs on CF8, but is already equipped to handle higher versions on Adobe CF as well – well, up to CF11 (and I’m not sure CF 2016 will be adding much new stuff that impacts ‘varscoper‘).

While integrating and testing the new version I stumbled upon a few small bugs in the file display code. First of all, ‘fileDisplay.cfm‘ never shows the two first characters of the first line of a file; secondly, it never shows the last line of the file either.

As a quick fix, I solved these problems with some extra “padding” to the file contents, like so:

        <cffile action="read" file="#URL.fileName#" variable="fileContent" />
        <cfset fileContent = "  " & fileContent & Chr( 13 ) & Chr( 10 ) />

But in fact, a good solution requires a bit of a change to the basic algorithm used in this code. You see, this code will only work correctly if and when used on files that use Windows-style end-of-line markers (i.e. “carriage return” CR + “line feed” LF). The number two in the term ‘lastLineStart + 2‘ of the line that outputs the code refers to the combined length of CR and LF, and thus disregards the optional character of the CR in the earlier ‘REFind‘ call. So there is still room for improvement (unless, like mine, your ColdFusion world is limited to Windows servers)…

Read Full Post »

Currently at work, my main project consists of the migration of all our ColdFusion (intranet) applications from CF9 to CF11. And that includes a migration from Windows 2003 to Windows 2012.

I’ll spare you the details of how I struggled to get Adobe CF11 up and running: let’s just say that the server I was assigned to was not a pristine, default Windows 2012 – and that turned out to be a major hurdle. But I managed to get CF up and running, with a little help from our server administrators. So now it’s a matter of testing all the apps in a new environment, all the while debugging the effects of the small and large differences between the old and new server configurations.

What I want to note here is, above all things, a few small actions on the server that make my life a lot easier. By the way, I’m assuming that you only have a single Apache Connector for all your CF applications. All paths given are relative to your ColdFusion root folder.

First of all, when installing ColdFusion hotfixes from Adobe, it is always a good idea to check whether or not the Apache Connector requires upgrading or reconfiguration. For a maximum of information on this subject, check out Charlie Arehart’s “CF911: Why/when you MUST update the web server connector for ColdFusion 10/11 and may have missed it”. Since I’m working on Windows, I have to remember to use “config/wsconfig.exe” (but that means two CF service restarts) or “cfusion/connectors/bin/Upgrade_all_connectors.bat” after stopping IIS and CF. It is above all essential to run either command as Administrator, or it won’t work!

Another good thing to know is that CF11 Hotfix 7 includes a modification of the connector to control whether or not IIS should replace error messages with its own (sometimes irrelevant) error pages. The IIS pages are the default, but they are easily replaced by changing the value of key “iis_skip_custom_errors_enable” to “true” in the file “config\wsconfig\1\isapi_redirect.properties”. Easy and useful, especially when you’re testing in different browsers on multiple client platforms.

Now all that’s missing in this context, is a tool to pick up the hotfix files from Adobe and store them in a simple HTTP update site where our intranet servers (without Internet connection, of course) can pick them up. I know – or at least, I assume – that I’m not the first one to deal with this situation, but I haven’t (yet) found such a script or application…

Read Full Post »

I have been using CFEclipse for many years. Is it the most complete and the best CFML editor in the world? No, probably not. But at work I am obliged to use Eclipse, and I prefer a somewhat lesser but sufficient solution in a single tool over switching from one tool to another. That’s why CFEclipse is on my list of favourite Eclipse plugins.

Today I tried updating my ageing plugins with the latest, only to find out that there is no way to install the latest “stable” version of CFEclipse through the standard Eclipse mechanism. The problem has been known in the GitHub CFEclipse repository since 2014: Eclipse reports an “unsatisfied dependency on bundle org.eclipse.search [3.9.0,4.0.0)“. Unfortunately, until today no real action has been taken to redress the situation. At first sight it looks like a silly typo (did you notice the closing parenthesis that should be a square bracket?)…

I have no experience with the development of Eclipse plugins, and I don’t have the time to study the subject – but how hard can it be to correct this bug? In an active project, this would have been solved a year ago. Is CFEclipse really dying? Is there a better way to develop in CFML using Eclipse? Or is this just an example of a small open-source project that’s left to die when its creator leaves?

Read Full Post »

Last night, I attended the CFUG Belgium meeting, entitled the “CF11 Launch Party” (CFUG Belgium is the Belgian ColdFusion User Group). We had two speakers. Rakshith Naresh is the ColdFusion product manager at Adobe; he spoke to us from India about the new features of ColdFusion 11. Technically, the situation wasn’t perfect, but all in all it was good to see that Adobe, or at least Rakshith, cares about CF developers in a small country like Belgium, and his overview was worth listening to.

The second speaker of the meeting was Alwyn Wymeersch, who explained the basics of AngularJS. I liked his approach of the presentation, with lots of demos, and his courage, trying to do it all with live coding. Good job!

Click the logo to go to the CFUG website. Be warned, though: this site isn’t up to date!

I look forward to testing our current apps on the latest version of CF, even though I won’t be using many of the recent novelties. I would love to try and develop a mobile app with CF11, but our mobile app users are colleagues on the move, using iPads and Galaxy Tabs to access company resources. Their mobile devices are under control of a ‘Mobile Device Management‘ platform like MobileIron, AirWatch or XenMobile (sorry, I forgot that Gartner now calls this ‘Enterprise Mobility Management‘).

So I hope that Adobe will pay attention to the developers of large enterprises, whose mobile apps must also be able to run in an MDM container, with all that entails in terms of limitations on how to access certain functionalities of the devices. PhoneGap is supposed to be compatible with MobileIron AppConnect, but has it been tested when an app is built with CF Builder? And what about the other MDMs? Are there gotchas in this scenario? How about that on-device debugging? Etc. There’s still work to be done, that’s for sure! What will CF12 bring, eh?

PS. To all those who registered for the meeting but weren’t there I say: it pays to attend! There were nice prizes to win in the closing raffle, and a third of the attendees went home with a nice software package (well, at least I hope I get my package delivered soon ;-)

Read Full Post »
