ColdFusion Muse

ColdFusion email security Bug: Your mail in the wrong sent folder?

Mark Kruger August 21, 2013 5:00 PM ColdFusion Comments (8)

A recent conversation on CF-Talk piqued my interest. It turns out there is a tricky bug with regard to sending authenticated mail. Here at CF Webtools we have internal relays (protected, internal only IPs, listed in SPF and handling domain keys) whose sole purpose is to relay mail from our web servers - so we do not have "authenticated" email per se. But in the case of this bug (you can see the report here) it's possible for email from one user to wind up in the "Sent" folder of email from an entirely different user. Needless to say this is a security concern for those of you on shared servers especially.

Here are the conditions that need to be met for this to occur (as I understand it).


A Frank Discussion About Protection

Mark Kruger June 19, 2013 1:52 PM ColdFusion, Coldfusion Security Comments (0)

I know it's an uncomfortable topic. I understand that you would like to keep your validation private. You would probably rather learn about this from your friends at the coffee shop, Jeremy who is two cubes down from you, or some guy on a forum (shudder). Still, the Muse has an assignment in life to point these things out and make sure you are well informed and prepared when temptation strikes. Oh I know what you say now. I know what I'm doing. The risk factor is slight. I'm too small... I mean... my application is too small to need it. But take it from me - you will need to understand how to use protection or bad things will happen. So let's talk about it.


Muse Abroad - the Ugly ColdFusian

Mark Kruger May 10, 2012 7:11 PM ColdFusion Comments (2)

Muse readers - next week I'll be in Minneapolis MN at the Cf.objective conference. I'll be waxing eloquent in the ad hoc room (TBD) about 2 topics near to my heart. The first is web sockets and the second is consulting. It seems like that's something these conferences could do well to address as the employment landscape changes. Indeed if you are a consultant, freelancer, company owner or whatever and you want Muse tips on getting paid, landing contracts, selling yourself and your technologies, saving troubled customers, getting beyond your skill set, hiring your first and tenth employee etc. - come to that one for a lively discussion. If you are a corporate lackey you can come too, but we may look at you suspiciously out of the corner of one eye.

I also have a new plan for cfobjective this year. Since I actually don't do a lot of hard core programming any more I'm not going to dig into a specific topic and try to gain a lion's share of expertise. Instead my plan is to:

  • Flit from room to room and booth to booth and pick up as much general knowledge and witty banter as I can.
  • Tweet copiously from the conference about everything and anything of interest to me. My twitter handle is @cfwebtools and the hash tag for cf.objective is #cfobjective.
  • Blog a few times per day. Naturally these will not be my typical wordy tomes of dubious length. Instead I plan on a few paragraphs highlighting various workshops or interesting thoughts or even people I've met who are blog-worthy.
Of course I will mention names and companies so if you want to give me a heads up about your workshop so I can stop in and say something nice (and the Muse is always positive - no worries there), let me know. I'll be happy to oblige.

If you are going to be at CF Objective and would like to chat about consulting, working for CFWT, the next big thing, why CF is dead (again - Lord Beric eat your heart out), or anything else I'd be thrilled to meet you and hear about your latest project or pet mice or see your knitting or whatever. I'll make it a point to wear a RED SHIRT every day. I'm 6', a little pudgy, balding, with lovely blue eyes (says my wife), a little too verbal and over-confident, and I'll be hanging around everywhere like a ubiquitous traveling salesman. So don't be shy - if you see me give a shout! Let's have a drink, pants Ray, make fun of Mark Drew's accent or at least put soap in the hotel fountain or something. Don't leave me hanging.


Datasource Attribute in Application.cfc

Mark Kruger May 9, 2012 2:19 PM ColdFusion Comments (2)

You may know about the "datasource" property in ColdFusion 9. It allows you to create a variable in your Application.cfc file called "datasource" and then skip the "datasource" attribute of your query tags. That's pretty neato. Here's how it works. In the Application.cfc properties...

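<cfscript>
    // Application.cfc properties
    this.name = 'mort';
    this.sessionmanagement = true;
    // Default datasource for every query in this application
    this.datasource = 'myDsn';
</cfscript>

Then in any component that is "inside" of my application "mort" above I can do something like this:

<!--- myMethods.cfc --->
<cffunction name="getAllUsers">
    <!--- var scope the query so it stays local to this function --->
    <cfset var myQry = ''/>
    <cfquery name="myQry">
        SELECT username, email
        FROM     users
    </cfquery>
    <cfreturn myQry/>
</cffunction>
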
Do you notice what is missing? There's no "datasource" attribute in the cfquery tag. ColdFusion automatically picks up the datasource from the Application.cfc instead. It's a nice time saving effort that reduces code and allows for fewer mistakes. Good for multi-tenant code too.

A Minor Detail

There is one issue that I was made aware of with this approach. Super genius guru Phillip Senn had a head scratching problem where he would set this variable in Application.cfc. Periodically he began getting an error which said:

The value of the attribute datasource, which is currently "" is invalid.
He tried some different things - working with the application names and extended properties of the Application.cfc but nothing seemed to help. Finally he ran the var scope checker which identifies places where un'varred variables exist inside of CFCs. He found several un'varred variables. After he fixed them the problem went away.

So if you are using this Application based this.datasource approach and you get some random errors where the variable seems undefined - or seems defined as a blank string - start looking for vars that are not properly scoped within your components. It may just fix you right up.


Able Commerce 5 on CF - Email Problem

Mark Kruger May 4, 2012 6:54 PM ColdFusion Comments (1)

A while back a product called "Able Commerce Builder" (ACB) was a popular (or pseudo popular) platform for CF folks. This would have been as far back as 1999. At some point they hired one of those developers who believe his technology choices are up there with the Scripture and the Holy Grail – but "he chose poorly".

He rewrote the entire application in Java with a ColdFusion facade. He moved everything into objects and the code became a byzantine maze of object instantiation and java arrays and objects and looping. Of course none of ColdFusion's strengths were on display (easy to read code, modifiable queries, list handling, looping and outputting, query objects etc.). Thankfully ACB moved on to .NET and left CF behind - and good riddance! They were giving it a bad name. I trust their new platform was written by actual .NET developers - let's hope anyway. I wish them well.

Over the past couple of days ACB on CF has reared its ugly head again. I've been trying (with the help of super Tech Kevin Fatkin at Edge Web) to fix an issue with an ACB server. After an upgrade of the JVM and some hotfixes on a CF server running ACB, the customer discovered email had suddenly stopped going out. The fix for that is simple right? Check out the cfmail tags, double-check resolution, run a few telnets etc. Install a cert etc. Ah... if it were only that easy. In fact ACB under the hood (in keeping with its face melting decision making) reinvented the wheel and deployed its own Java based mail classes. Something changed, email is not going out, and we can't modify the code in any real way. It's enough to make me want to have my leg chewed off by a Laplander. Fortunately if you have this problem we actually did find a solution.


Class Compiling Fun with ColdFusion

Mark Kruger April 6, 2012 10:55 AM ColdFusion Comments (2)

ColdFusion is Java - most people know this in the abstract sense. In sales meetings with the non-initiated I speak about ColdFusion as a layer of Java Services like mail, networking, jdbc, and compiling coupled with a language and syntax that offers faster development and better maintenance. I keep the conversation firmly rooted in Java because in reality this description is spot on. With the advent of ColdFusion 10 my case will be bolstered by Tomcat as well - making it even easier to sell (and frankly it's not very hard if you know what you are doing).

Since it is Java you probably already know that ColdFusion takes your CFML code and compiles it down into Java Classes. In the days of CF 6 (back when I had more hair) you could use a command line to pre-compile CFML and even save off the .JAVA files. I'm not sure if you can still do that but it was a neat trick. Every time you run a cfm or cfc file ColdFusion checks (assuming trusted cache is off) to see if the file has changed and recompiles it if needed. You can see this happening with a little effort. The easiest way is to go to the /cfclasses folder for the instance you are using and delete all the class files that are there. Then run a CF page. You should see class files show up for every page and each function within the page.

Knowing (or not knowing) how things really work is very important to a high skill set developer. It amazes me to no end when developers profess they are "uninterested" in certain things regarding the technology they work with. I can't imagine Tony Stewart being uninterested in the bore size of his cylinders or the torque of 4th gear or whatever. I'm sure Tiger Woods has more than a passing knowledge of how golf balls and clubs are made and customized. Indeed the more broad your knowledge and the more eclectic your skill set the more likely it is that you are an effective troubleshooter. The Muse (for example) has more than a little networking, hardware and server config experience. Often this is the difference between many hours of fruitless searching and a fast "Aha!" moment. With that in mind I'd like to share a little tidbit I picked up along the way (on StackOverflow from ColdFusion/Flex developer Sean Coyne of having to do with compiling. It started with an error I have seen many times... "Routines cannot be declared more than once". I'm sharing this because I thought the work around was unique and I had not seen it before.


Web Sockets - Going Where No Muse Has Gone Before

Mark Kruger March 14, 2012 2:47 PM ColdFusion Comments (3)

You might wonder where I've been holed up for more than a month. Never fear - I'm still slogging away. My current project is a dashboard for CF Webtools that tracks all of our consulting activity. CF Webtools runs a custom tracking and management system as a core component of our business. This system has many cool features that have evolved over the years for tracking hours, performance, tasks, groups of tasks, assignments, productivity, estimates, deadlines etc. Myself and my VP, Jason Herbolsheimer (a brilliant programmer and manager who you would all know and love if he would ever blog), have spent thousands of hours on it to make it fit our business model of transparency, measurable productivity and cash positive block hours.

The reports and features it contains are useful, but a bit of a hodgepodge. Meanwhile, over time my role has changed considerably. Other than troubleshooting, mentoring and experimentation I'm not involved in day to day tasks directly with our clients any more. But I still monitor our overall productivity closely. Indeed, now that I'm a step back from the work I have a much better sense of what we are accomplishing and where our weak spots are. In the past I have used cfcharts called up on internal pages to show hours and individual developer performance but 3 things had changed.

  1. We now have many more developers to track (29 at last count).
  2. With 3000+ consulting hours per month the system receives a constant stream of updates, notes etc.
  3. I have a fancy new set up with 3x27 inch monitors plus a 46 inch wall mounted monitor that looked lonely and I wanted some fancy-pants dashboard to display
Ok, that last reason is simple hubris but still, it was good enough to boot me down the path. But I had some decisions to make.


Fun and Games With Googlebot

Mark Kruger December 14, 2011 4:56 PM ColdFusion, Hosting and Networking Comments (7)

When planning for scalability one of the things that is sometimes left out is the impact of indexing bots on your site. If you have a news or ecommerce site that is constantly changing, you definitely want bots to be indexing your site. How else are the latest and greatest products or stories going to show up in organic searches after all? But you also want bots to be well behaved. It would be great if you could greet the bots at the door and say "Hey... it's 2:00am, not much going on so index to your heart's content." Or, "Whoa there fella - do you have a reservation? This is Cyber Monday and I'm afraid all our seats are full for paying customers. Can you come back in 12 hours?" But that sort of smart interaction is sadly not in the cards. Some bots have defined rules, some do not. Some honor things you put in the robots.txt file, others do not. So here are some tips that might save you some time.
