ColdFusion 11: allowedextforinclude functionality has changed. But the docs haven't been

G'day:
I am reposting this from my blog ("ColdFusion 11: allowedextforinclude functionality has changed. But the docs haven't been") at the suggestion of Adobe support:
@dacCfml @ColdFusion Can you post your queries at http://t.co/8UF4uCajTC for all cfclient and mobile queries. — Anit Kumar Panda (@anitkumar85) April 29, 2014
This particular question is not regarding <cfclient>, hence posting it on the regular forum, not on the mobile-specific one as Anit suggested. I have edited this in places to remove language that will be deemed inappropriate by the censors here. Changes I have made are in [square brackets]. The forums software here has broken some of the styling, but so be it.
G'day:
Remember this one: "ColdFusion 11: preventing files from being included? [WTH], Adobe?". I can confirm this very moderately slightly contentious feature has been changed in ColdFusion 11, but the docs have not been updated to reflect the change.
The issue is summarised thus (from the article linked-to above):
[...]out of the box ColdFusion 11 will only allow the inclusion of CFML and HTML files. Why? They cite "for security reasons". Here's a quote (posted in the bugtracker, originally from the pre-release forums):
"Vamseekrishna Manneboina: Yes, this was done as part of a security measure. You can now only include CFM/CFML files by default. You can specify additional extensions via a property called allowedextforinclude in neo-runtime.xml. By default, HTM and HTML file extensions are already added to this list/property, thereby allowing for inclusion of HTM and HTML files too by default."
OK, I disagree there's merit in this, some others agree, others disagree. But... so be it. I actually thought - if I was in a charitable mood - that the people that were "for" this change made a reasonable case for its inclusion, so - whilst not agreeing with them - I was content to just shrug and go "yeah, oh well".
Now this feature is still in the docs: "New in ColdFusion 11 - Restrictions", but this is not the way it now works. Initially I thought it had been removed completely (and I am now in the midst of retooling this article from saying that... as I only worked out what was going on 2/3rds of the way through writing it).
I did a secure install the other day, and one of the first things I tested was this:
<!--- test.cfm --->
<cfset message = "before">
<cfoutput>
#message#<br>
<cfinclude template="code.inc">
<cfset message = "after">
#message#<br>
</cfoutput>

<!--- code.inc --->
<cfset message="within">
<cfoutput>
#message#<br>
</cfoutput>
And this all runs fine, as one would expect:
before
within
after
Next I checked neo-runtime.xml to see if the settings had been augmented to switch this off by default: but I'm buggered if I can see any reference to it anywhere.
So I then checked ColdFusion Administrator to see if there was any hint of it there, as this was one of the things Adobe said they were going to do in their solution to this. And there it is:
So by default now, anything is allowed. I figured I must have missed the setting in neo-runtime.xml, so changed the setting to "FOOBAR" so I could easily spot it, and there it is down @ /wddxPacket/data/array/*[16]/var[@name="compileextforinclude"] in neo-runtime.xml:
<var name="compileextforinclude">
    <string>FOOBAR</string>
</var>
And - having changed it back to something sensible: CFM, then the feature now "works":
before
#message#
after
However this is probably a worse security hole than the one they were trying to fix! It looks OK when looking at the render in the browser, but look at the actual raw mark-up:
before<br>
<cfset message="within">
<cfoutput>
#message#<br>
</cfoutput>
after<br>
We have unparsed CFML source code sent to the browser. This is awful. What if someone switches this on, and doesn't spot one of their old includes which has less-than-trivial CFML in it? It's now publicly accessible. Adobe have created a feature which has the possibility to leak source code to the outside world. How is that a security feature?
Also interesting is that with the super-secure profile installed, this is still off by default? I would have thought it'd be on in this case?
I still don't think this feature has been implemented properly, and it all still points even more to the fact the Adobe ColdFusion bods don't really know what they're doing.
Anyway, I'll nudge Adobe to at least get the docs sorted out.
Time for work (3min ago)...
Adam

Hi Adam,
Regarding "What if someone switches this on, and doesn't spot one of their old includes which has less-than-trivial CFML in it?", yeah I agree that'd be a problem.  Hmm, maybe both this.allowedextforinclude *and* this.compileextforinclude should've been supported (instead of replacing the former w/ the latter as was done)?  Example:
this.compileextforinclude="cfm,cfml,inc";
this.allowedextforinclude="cfm,cfml,inc,txt";
That way an exception could be thrown if cf|included file's extension wasn't in the this.allowedextforinclude list.
Perhaps the above could be shortened to:
this.compileextforinclude="cfm,cfml,inc";
this.allowedextforinclude="txt"; // implicitly includes * from this.compileextforinclude (since -compile- implies -allowed-)
Dunno if that'd be confusing.
Anyhow, just some thoughts..
Thanks!,
-Aaron

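The leak Adam describes (an include whose extension is not in compileextforinclude gets emitted as raw text, CFML tags and all) is easy to audit for before flipping the setting on, and the check is essentially what Aaron's proposed allowedextforinclude list would turn into an exception. The script below is an added example written for this thread; it is not Adobe code and not from either post. It assumes neo-runtime.xml carries the setting as the <var name="compileextforinclude"><string>...</string></var> quoted above (the array position is not relied on), that a template path starting with "/" resolves against the webroot and anything else against the including file's directory, and it builds its own throwaway webroot with constructed files rather than touching a real install.

```python
"""Audit a ColdFusion 11 webroot for <cfinclude> targets that CF11 would serve
as static text (not compile) under the current compileextforinclude setting.

Added example for this thread; not Adobe's code. Assumptions are noted inline.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Any CFML tag in a file that is NOT compiled means its source reaches the browser.
CFML_TAG_RE = re.compile(r"<cf[a-z]+\b", re.IGNORECASE)
CFINCLUDE_RE = re.compile(
    r"""<cfinclude\s+template\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

# Constructed neo-runtime.xml fragment shaped like the <var> quoted in the post.
SAMPLE_NEO_RUNTIME = """<wddxPacket version="1.0"><header/><data><array length="1">
<struct type="coldfusion.server.ConfigMap">
  <var name="compileextforinclude"><string>CFM,CFML,HTM,HTML</string></var>
</struct></array></data></wddxPacket>"""


def read_compile_exts(neo_runtime_xml):
    """Extensions CF11 compiles on cfinclude, or None when the var is absent
    (the post observed that with no setting, everything is compiled)."""
    root = ET.fromstring(neo_runtime_xml)
    for var in root.iter("var"):
        if var.get("name") == "compileextforinclude":
            s = var.find("string")
            text = (s.text or "") if s is not None else ""
            return {e.strip().lstrip(".").lower() for e in text.split(",") if e.strip()}
    return None


def classify(target_path, compile_exts):
    """'compiled' | 'static' | 'leak' | 'missing' for one include target."""
    ext = os.path.splitext(target_path)[1].lstrip(".").lower()
    if compile_exts is None or ext in compile_exts:
        return "compiled"
    if not os.path.isfile(target_path):
        return "missing"
    with open(target_path, encoding="utf-8", errors="replace") as fh:
        body = fh.read()
    # Not compiled AND contains CFML: raw source would be sent to the client.
    return "leak" if CFML_TAG_RE.search(body) else "static"


def audit_webroot(webroot, compile_exts):
    """Return sorted (including_file, template_attr, verdict) triples."""
    findings = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith((".cfm", ".cfml", ".cfc")):
                continue
            src = os.path.join(dirpath, name)
            with open(src, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for tmpl in CFINCLUDE_RE.findall(text):
                # Assumption: "/x" is webroot-relative, otherwise relative to the includer.
                if tmpl.startswith("/"):
                    target = os.path.join(webroot, tmpl.lstrip("/"))
                else:
                    target = os.path.normpath(os.path.join(dirpath, tmpl))
                findings.append((os.path.relpath(src, webroot), tmpl,
                                 classify(target, compile_exts)))
    return sorted(findings)


def build_demo_webroot():
    """Constructed webroot mirroring the post's test.cfm / code.inc pair."""
    root = tempfile.mkdtemp(prefix="cf11demo_")
    files = {
        "test.cfm": '<cfset message="before"><cfinclude template="code.inc">'
                    '<cfinclude template="footer.txt"><cfinclude template="/lib/util.cfm">',
        "code.inc": '<cfset message="within"><cfoutput>#message#</cfoutput>',
        "footer.txt": "<p>plain html, nothing to compile</p>",
        "lib/util.cfm": "<cfset x = 1>",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Audit once with the restricted list, once with the var absent."""
    root = build_demo_webroot()
    restricted = read_compile_exts(SAMPLE_NEO_RUNTIME)
    return audit_webroot(root, restricted), audit_webroot(root, None)


if __name__ == "__main__":
    for run in demo():
        for src, tmpl, verdict in run:
            print(f"{verdict:8s} {src} -> {tmpl}")
        print("--")
```

With the restricted list, code.inc is reported as "leak" (it holds <cfset>/<cfoutput> but ".inc" is not compiled), footer.txt as harmless "static", and /lib/util.cfm as "compiled"; with the var absent, every include is "compiled", which matches the out-of-the-box behaviour the post observed. Run it against a real webroot and neo-runtime.xml before enabling the setting, and treat any "leak" line as an include to rename or remove first.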