Archive for the ‘ColdFusion’ Category

A long time ago I created a simple ColdFusion page to display the specifications of all the ScheduledTasks defined on the server. I can’t remember if that was while we were running CF6 or CF8, but the principle was to read the ‘neocron.xml’ file, extract all required info from it, and turn those data into a query object. Simple, and it worked well. Better yet: it continued to work when we moved all code to ColdFusion 11.

By accident I found out that the <cfschedule> tag had been extended with a new action called ‘list’, returning a Query. Clearly, that would be a much simpler solution than what we did in the past. Hence I set out to replace the existing code, to get the content of the file and add it to a Query, with a single line <cfschedule action="list" result="qTasks" />. So far, so good.

But… There are a few issues.

The first issue is that there is a column called ‘group’. If you try to select that column in a Query of Queries, ColdFusion 11 spits out an error message:

There are ways to rename columns in a CF query object, even in Adobe’s ColdFusion. This post explains two of them: https://blog.simplicityweb.co.uk/125/renaming-cfml-query-columns. Going from Query to JSON, then adapting column names, and then going back from JSON to Query is certainly possible. But that is not really an improvement on my original solution.

I simplified my display of the Query a bit, ignoring the category grouping I had in my older code. Then I hit another issue.

When I tried to display the date and time a ScheduledTask had last executed, I was sorry to see that not all rows had a value – even though all ScheduledTasks had effectively been run at least once, and did indeed display correctly in the ColdFusion Administrator console as well as in my old solution (meaning the dates are correctly stored in the ‘neocron.xml’ file). Somehow the <cfschedule> tag does not deliver the ‘lastfire’/‘last_fire’ values (yes, there are two columns with almost the same name and identical data in that query result) – perhaps because some of the ScheduledTasks have an ‘Expired’ status? Still, why not pass them on and let the developer decide when and how to deal with them? And why does the ColdFusion Administrator console display them correctly (because it does not use <cfschedule>, of course) ?

Last but not least, although the query results are generated by ColdFusion, the dates in this particular query are not accepted by the ‘LSDateFormat()’ function, which complained with messages like this one:

{ts '2021-11-04 15:20:00'} is an invalid date format.

I can only hope those issues with <cfschedule action="list"> are solved in one of the later versions of ColdFusion. Or do we have to migrate to Lucee in order to find fewer bugs?



The Raspberry Pi is an old topic on this blog, going back to 2012. I have been wondering whether it would be possible to run ColdFusion (or rather: CFML) on it. That would make it a neat system to try out all kinds of things that I cannot do at work.

I should have known that I’m not the only one asking that question – others have provided answers.

Brad Wood has had a PiBox up and running since 2015 or so. It runs on a Raspberry Pi 2 over Wi-Fi, if I read his blog correctly. Too bad he stopped blogging on it in 2015.

And now there is a second Pi doing something similar, although (literally) on a smaller scale: CB on the Pi is running on a PiZero with just 512 MB of RAM. As mentioned on Slack: it’s a “$20 webserver, size of a large coin“!

Nice work, guys, even if it’s just a demonstration of what is possible rather than a small but actually productive application of both the Pi and CFML !


I’m still developing software in ColdFusion, and yes: in order to keep the code base consistent I still use the CFML markup style. I also try to apply a maximum of helper tools before committing the code to versioning. Now that I use VSCodium as my IDE (it’s more than an editor!) I’m happy to include CFLint in that setup.

Here’s a tiny component to demonstrate an inconsistency in CFLint.

In this form, CFLint will complain with this message “Local variable someoutput is not used in function testLocalVariable. Consider removing it ( UNUSED_LOCAL_VARIABLE )”. OK, let’s do that.

But when you delete the line that defines the local variable, you’ll get another error message, saying “Variable someoutput is not declared with a var statement ( MISSING_VAR )”.

So in the second situation it will detect the fact that ‘someoutput’ is a local variable, while that’s not the case in the first. Strange, yes. A bug ? Possibly…

I have checked the CFLint issue list, and I did find a few tickets that signaled that CFLint is not detecting the use of local variables with <cfdocument> and QueryByQuery. But none of those mention the fact that in some checks the variable is detected, and in others not. So I added my observations to the issue list of the project: Inconsistent local variable detection? #713.


I like CFLint for its ability to assist me in writing better code. But some of the rules implemented in the “standard” version strike me as arbitrary (“standard” meaning the version without any additions). If there is some kind of master rulebook for writing CFML or CFScript, then there is no reference to that in the CFLint source code, nor on its website.

I find that CFLint conflicts with some of the code style rules that I have been applying for over a decade. Code styles are always somewhat arbitrary, of course. They depend on the experience and knowledge of its author(s), on the frameworks and code libraries used, on the styles used in other programming languages at the same company, on the quality assurance rules applied, and more.

That is why I struggle with some of the rules currently fixed in CFLint. Here’s an example. When I write scope names like “APPLICATION” and “ARGUMENTS” the “VariableNameChecker” rule in CFLint complains, telling me that scope names should never be written in capital letters. My reasoning for doing that nevertheless is simple: the names of these scopes have been reserved and fixed by Adobe, so you cannot use them for anything else. So going “allcaps” on them neatly sets them apart from variable and function names. With the current situation I have to disable the rule completely.

I would like to see this checker adapted so that I can specify whether I want scope names “allcaps” or “nocaps” (or even “camelCase” or “PascalCase”) in the CFLint configuration file. That way I could easily check whether I applied my own rule correctly, by adapting the config as needed, regardless of the default set by the CFLint developers. The same approach could be worthwhile for variable names, component names, and function names, of course.

There are probably a few more situations like that in CFLint. If I find the time I may have a look at the Java code, to see how this might be implemented (don’t hold your breath, though).




I am getting used to working with VSCodium for my development work (VSCodium is essentially the same tool as Visual Studio Code). I chose VSCodium because it is a multiplatform tool, it is very flexible and extendable, and thus it has good support for many programming languages. What’s not to like?

One of the VSCodium extensions I’m trying out is CFLint. My ColdFusion development career is still stuck at CF11, and the tools I use to help me validate my code are indeed… a bit dated: I use a slightly adapted version of ‘VarScoper‘ (see my earlier comments on this) and the ‘CFML Complexity Metric Tool‘ (see https://github.com/NathanStrutz/CFML-Complexity-Metric-Tool), as well as an extensive series of unit tests running in ‘cfcUnit‘ (sorry, its homepage no longer exists). Say what you want: any helper tool, even if it’s dated, is better than no tool.

CFLint is much more recent, and it handles CFScript as well as my trusty tag-based code. It’s caught a number of inconsistencies in my code, like unused variables, which is very good – less code equals fewer opportunities for errors. Using CFLint also removes an obstacle to my moving to CFScript, so yes I am progressing – even if it’s just at a slow pace ;-)

But I have a few niggles with CFLint; I guess I will have to create a few tickets in the project site on Github, and/or come up with a solution that’s acceptable to all other users of the tool as well. CFLint assumes that everyone codes in the same manner, according to the same rules. That is a big assumption, and it clashes with some of the rules that I applied to my code. Not all of the situations are easily reconfigured with the options that CFLint (currently) allows. Here are a few of the things I found… disturbing, at least for my use case.

  • I can agree with the rule that .cfm/.cfml file names should not start with a capital letter. But for old-school ColdFusion developers like me there is no way to escape Adobe: ‘Application.cfm‘ absolutely has to start with a capital!
  • Worse: the file starts with three comment lines, and CFLint seems to use that fact as a reason to repeat the message “The file Application.cfm should not start with a capital letter” three times…
  • In general, I agree with the rule that variable names should be written in ‘camelCase‘ (or ‘PascalCase‘). But it would be nice to have the opportunity to list a few exceptions to that rule.
  • So far, I haven’t seen a check for double variable declarations – my bad, or is it really missing?

All in all, after a bit of tweaking I now have a fairly usable CFLint setting in my ‘.cflintrc‘ file – it’s good to have a tool looking over my shoulder to catch inconsistencies, mistakes, typos and more.


Strange how things go: the “critical security issue” Adobe reported on March 22, 2021 seems to be less critical than originally thought – the severity of the issue has been lowered to “moderate” (whatever that means).


The offending line…? (Source: Dave’s Twitter feed)

The issue, of course, is that we have no way to verify what is going on: Adobe remains mum on the exact nature of the issue, refuses to engage with the ColdFusion community on the subject (cf. the CFML workspace on Slack), and as developers we can only ask the question: is this the support we’re supposed to pay for?


Adobe has reported a “critical” security issue with the latest versions of ColdFusion, although the page titled “Security updates available for Adobe ColdFusion | APSB21-16” currently does not give many details.

At work we’re still running ColdFusion 11, and that version is not mentioned in the report (probably because it is already out of support). Nevertheless I would like to know whether CF11 is also concerned by this issue – if only to tell our IT security office that we have no problem with vulnerability CVE-2021-21087 in our configuration ;-)

The only information I have found so far is unofficial: if I understand things correctly, Dave Walker is telling us that the error is an unchecked input in the CFAJAX package:


The offending line…? (Source: Dave’s Twitter feed)

I would love to see confirmation of that, and I wonder: do earlier versions of ColdFusion already contain the same error?


Charlie Arehart is a well-known ColdFusion specialist. Two days ago, he wrote a blog post explaining why one should be careful about securing ColdFusion Archive (CAR) files. The Adobe ColdFusion team isn’t very explicit about the issue, telling us in small print that we should delete those files after using them – but does not explain why we should do so. So Charlie explains it in great detail – if you work with Adobe ColdFusion, you should check out his blog.

Now Charlie only mentions versions 2016 and 2018 of ColdFusion, and I know that there are still developers around that work with older versions – actually, I’m one of those: ColdFusion 11 is what I support (and occasionally develop for) since 2015. I have been using .car files for installing CF servers, and I had already been looking at what they contained. But I had never seen the ‘seed’ and ‘algorithm’ strings Charlie writes about, but I could have overlooked them. So I went in again today, to verify things.

I can confirm that .car files created in CF11 do NOT contain those strings. But before you start celebrating, I must warn you that this probably means that the situation is even worse than for more recent versions. Because CF11 will write (encrypted) passwords into a .car file, and yes: those files can be used to reconfigure another server, passwords included ! Which probably means that all CF11 runtimes use the same seed and algorithm, rendering CF11 .car files containing passwords even more insecure than later versions.

I did not know about all this until yesterday, but I seem to have circumvented the problem: I wrote an application to install datasource definitions on the servers rather than use CAR files. That offers multiple advantages: the code (and hence the definitions) is under version control, and can only be accessed by authorized users; we have different definitions for different environments; etc. And the .car files I do use have no passwords in them – whew!

But it’s clear that it pays to take this issue into account as a ColdFusion developer or administrator, whatever solution you choose (and Charlie has a few propositions).


So you’re developing a ColdFusion application and you need to access the output of a Windows program, like ‘netstat.exe‘ to take the example from the Adobe documentation?

The documentation on how to do that is relatively complete, but fails to emphasise an important point. Try this, and you’ll see… nothing, no output:

<cfexecute name="C:/Windows..../netstat.exe" variable="output" />
<cfdump var="#output#" />

The important point is that you really need to specify a non-zero ‘timeout‘ argument if you want to capture the output of the Windows tool in a variable. Simple, but yes: this one had me stumped for 90 seconds!

<cfexecute name="C:/Windows..../netstat.exe" variable="output" timeout="1" />
<cfdump var="#output#" />

If you forget that ‘timeout‘ argument the command you issue will execute, but you won’t know its output, since ColdFusion is already further along in its execution. You may have to experiment a bit with the value for the timeout, depending on the specifics of the machine you’re running ColdFusion on and the execution time of the command called (obviously). Not specifying the timeout will launch the command, but it won’t wait for the command to end – which can be useful as well – but not always.


I encountered this weird situation last week: while testing ColdFusion code from a previous decade, I would see the output of part of the screen twice. Just like that – I had not changed a thing to the logic of the code, just cleaned up a bit of what I consider to be “bad” formatting in code written by others a long, long time ago (2005 or so).

I spent hours debugging the code, even invited a few colleagues to help me – and then suddenly it struck me: CFML may look like XML, but it isn’t XML. Some CFML tags do their thing a second time when the tag is explicitly closed. One of those tags is <cfmodule>. I never use it myself – I prefer components and functions. But the code under scrutiny included a <cfmodule template='whatever.cfm'>, and to “clean things up” I had added a slash at the end, like this: <cfmodule template='whatever.cfm' />. Hence the double execution. So don’t do that, will you? Avoid closing <cfmodule>!

You can imagine my state of mind when I realised my error, can’t you? Yeah… I had seen this problem before, but much too long ago to actively avoid it in practice.

Before lecturing me on the subject: I know, I should be writing cfscript… but I don’t have the luxury to rewrite code that is more than 10 years old. So it will stay as it is.

Also: I consider this to be a bug in Adobe ColdFusion (at least in versions 6, 8 and 11). There’s no logical reason for such behaviour. I don’t know if Lucee or BlueDragon act similarly, but I hope they’re smarter than that!

And for the record: for me, code is “badly” formatted when it is hard to read – by me. I know compilers and computers have no trouble handling things like whole programs on a single line, or lacking coherent indents (unless it’s Python, of course), or unclosed XML tags (elements), to name but a few examples. I want code to be easily readable by humans, and certainly by me – especially if I’m responsible for its maintenance…
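An added example, not part of the original post: a small Python check that scans CFML source for <cfmodule> calls written with a trailing slash (or closed with an explicit </cfmodule>), the pattern described above as causing the template to run twice, and that can strip the trailing slash. The function names and the sample markup are constructed for illustration.

```python
import re

# CFML comments use three dashes; blank them out so commented-out tags are ignored.
CFML_COMMENT = re.compile(r"<!---.*?--->", re.DOTALL)
# Opening <cfmodule ...> tag; quoted attribute values may contain '/' or '>'.
CFMODULE_OPEN = re.compile(
    r"""<cfmodule\b((?:"[^"]*"|'[^']*'|[^'">])*)>""", re.IGNORECASE)
CFMODULE_END = re.compile(r"</cfmodule\s*>", re.IGNORECASE)


def _mask_comments(source):
    """Replace comment text with spaces, keeping length and line breaks."""
    return CFML_COMMENT.sub(
        lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)


def _line_of(text, pos):
    return text.count("\n", 0, pos) + 1


def find_closed_cfmodule(source):
    """Return sorted (line, kind, snippet) for cfmodule calls that have an end tag."""
    code = _mask_comments(source)
    findings = []
    for m in CFMODULE_OPEN.finditer(code):
        if m.group(1).rstrip().endswith("/"):
            snippet = " ".join(m.group(0).split())
            findings.append((_line_of(code, m.start()), "self-closed", snippet))
    for m in CFMODULE_END.finditer(code):
        findings.append((_line_of(code, m.start()), "end tag", m.group(0)))
    return sorted(findings)


def remove_self_close(source):
    """Rewrite <cfmodule ... /> as <cfmodule ...>, leaving comments untouched."""
    code = _mask_comments(source)  # same length as source, so offsets match
    out, last = [], 0
    for m in CFMODULE_OPEN.finditer(code):
        attrs = m.group(1).rstrip()
        if attrs.endswith("/"):
            slash = m.start(1) + len(attrs) - 1
            out.append(source[last:slash].rstrip(" \t"))
            last = m.end() - 1  # resume at the closing '>'
    out.append(source[last:])
    return "".join(out)


# Constructed sample page, not taken from the application discussed in the post.
SAMPLE = """<!--- constructed sample --->
<cfmodule template='whatever.cfm'>
<cfmodule template='whatever.cfm' />
<!--- <cfmodule template="old.cfm" /> --->
<cfmodule
    template="reports/list.cfm"
    title="a/b > c"/>
<cfmodule template="wrap.cfm">body</cfmodule>
"""

if __name__ == "__main__":
    for line, kind, snippet in find_closed_cfmodule(SAMPLE):
        print(f"line {line}: {kind}: {snippet}")
    print(remove_self_close(SAMPLE))
```

Explicit </cfmodule> end tags are only reported, not rewritten, since a template may be written to expect a tag body.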


I noticed some interest in my earlier posts about ntlmHTTP, and that surprised me a bit. I wrote about the subject in 2011, and that is a long time ago, in IT terms!

So to clarify things: the ntlmHTTP project is no longer required: Adobe added NTLM (aka. “Windows Integrated Authentication”) support to the CFHTTP tag in ColdFusion version 11. I did rework my code from 2011, and indeed: CFHTTP did suffice to call the Microsoft Exchange web services successfully with the credentials of a special technical account.

Although I did not test it I’m pretty sure NTLM is still there in later CF versions ;-)


At work I’m busy moving all the ColdFusion applications from Windows 2003 servers with CF8 to new virtualised servers with Windows 2012 running CF11. Configuring Windows and IIS is also much more complicated than ten or more years ago, but we have that under control now. Most of the ColdFusion (and Java) code transfers without a problem, and I spend more of my time deleting scripts and components that are no longer used than modifying code.

Until this week, when I stumbled over a script that shows an inventory of the active Scheduled Tasks on the server, together with the link to their respective output (which we write to a network drive)… To do that, the code gets the data from the file, and then we put all the data in a handcrafted Query object. The names of the tasks and the links displayed fine, but there was something wrong with the start and end times: “1899-12-30” is not a time!

It took me hours to figure out what was wrong, because I was focusing on the date and time formatting functions used to format the data before adding them to the query. Why the formatting, you ask? Well, we wanted to sort the data on columns containing start and end times, and in previous versions of CF our solution was to prepare the strings before adding them to the Query – seemed like a good way to make sure that ‘11:00:00 AM‘ and ‘11:00:00 PM‘ turned up in the right place of a sorted column.

So what was wrong with our code? Let me quote the “Query of Queries user guide”:

If you create a query object with the QueryNew function and populate a column with date constants, ColdFusion stores the dates as a string inside the query object until a Query of Queries is applied to the query object. When ColdFusion applies a Query of Queries to the query object, it converts the string representations into date objects.

Our code added strings formatted as “hh:mm” to the Query object, but once we filtered or sorted that Query using QoQ those columns were transformed into datetime objects. ColdFusion 11 then adds that time to the default date used, i.e. “1899-12-30“.

Clearly, that was not the case in earlier versions of ColdFusion – at least not in CF8. There are multiple solutions to solve this problem, once you know what’s going on – so now our overview displays everything as intended.


I’m currently trying to automate the creation of datasources in ColdFusion server instances, in order to facilitate a number of migrations our machines and applications have to go through. For the record: this turns out to be reasonably simple, once you get the knack of using the ColdFusion Administrator API classes (if I find the time, I’ll write about that later).

One thing slowed me down: a typical error message without much meaning. This is what I received when recreating (or at least trying to recreate) an Oracle RAC datasource:

java.sql.sqlrecoverableexception: IO Error: NL Exception was generated

I wonder why developers often invent error messages that do not tell us what really went wrong. In this case, it turned out that I forgot to copy a single closing parenthesis at the end of the JDBC connection string. Let’s call that a syntax error, Oracle, and please give a significant message if I mess up! Or is it Adobe’s ColdFusion that is hiding more explicit and clear details about what went wrong?


Last weekend, I spotted two old BMW motorcycles on the road in the port of Antwerp (Belgium). I had my camera in my hands, so I managed a few badly-framed photos – you can see them on Flickr.

By chance, I also spotted an advertisement for a similar bike. I don’t pretend to be a specialist on the subject, but I haven’t seen many BMW R50/2’s in this color scheme (not even on Google Images), and I find this combination quite flattering!

A fine-looking oldie, as seen in one
of the last advertisements on Kapaza

When I said I found this “zoekertje” by chance, I meant that I just had a quick look at the Kapaza website, because the site announced just last week that it will be closing down in a few days. I have visited that site, with its thousands of advertisements for second-hand stuff in many categories, while on the prowl for say another bike or a special lens for my camera. Kapaza is (was) one of the few big Belgian websites that used ColdFusion for at least parts of its site, and that made me pay a bit more attention to it also. This is one more website that won’t last half a century and more, unlike the motorcycle shown here!


Last week, I did lose a lot of time in what should have been a quick ColdFusion hack. My colleagues and I were just trying to set up a web service-based solution for a simple problem: they had a JavaScript page that needed a bit of data for which I already had the code in ColdFusion. So I created a new directory in an existing application, whipped up the required code in ‘index.cfm‘ to return a bit of JSON and tested the result from my browser… only to get an “Error 500 - Application index.cfm could not be found“.

Weird, heh? The required file was there, so why could CF11 not find it? Adding an ‘Application.cfm‘ did not help, neither did repackaging the code in a CFC. On CF8, on the other hand, everything worked as expected. So what was going on?

It took some time, but I did find the explanation: CF11 reserves the directory name ‘api’ for special treatment, so you can’t use it like any other directory name – and of course that was the name I had chosen! Adam Tuttle described the situation nicely in 2015:

Funny you should mention that the issue is inside an /api folder. I’m trying to track down the same problem, except I’m directly accessing an index.cfm (sort of — onRequest intercepts the request and redirects to CFCs as appropriate — it’s a Taffy API) and I’ve found that renaming the folder from /api to … literally anything else… works fine. It’s almost as if something in CF has special meaning at /api, like the special /rest mapping does.

Indeed, renaming my directory solved the problem – too bad it took me so long to find the cause. On to the next problem!

PS. Adam Tuttle has more to say on the subject, but his post on the subject has disappeared: the URL ‘http://fusiongrokker.com/post/coldfusion-11-sometimes-chokes-on-api‘ no longer points to the relevant text, but is redirected to another blog also belonging to Adam Tuttle. There, unfortunately, the post is NOT available. I won’t call this a case of linkrot, but it’s not good either. Luckily, the Wayback Machine has a copy of the page, including a few comments…

