ColdFusion email security Bug: Your mail in the wrong sent folder?
A recent conversation on CF-Talk piqued my interest. It turns out there is a tricky bug with regard to sending authenticated mail. Here at CF Webtools we have internal relays (protected, internal only IPs, listed in SPF and handling domain keys) whose sole purpose is to relay mail from our web servers - so we do not have "authenticated" email per se. But in the case of this bug (you can see the report here) it's possible for email from one user to wind up in the "Sent" folder of email from an entirely different user. Needless to say this is a security concern for those of you on shared servers especially.
Here are the conditions that need to be met for this to occur (as I understand it).
Read MoreA Frank Discussion About Protection
I know it's an uncomfortable topic. I understand that you would like to keep your validation private. You would probably rather learn about this from your friends at the coffee shop, Jeremy who is two cubes down from you, or some guy on a forum (shudder). Still, the Muse has an assignment in life to point these things out and make sure you are well informed and prepared when temptation strikes. Oh I know what you say now. I know what I'm doing. The risk factor is slight. I'm too small... I mean... my application is too small to need it. But take it from me - you will need to understand how to use protection or bad things will happen. So let's talk about it.
Read MoreMuse Abroad - the Ugly ColdFusian
Muse readers - next week I'll be in Minneapolis MN at the Cf.objective conference. I'll be waxing eloquent in the ad hoc room (TBD) about 2 topics near to my heard. The first is web sockets and the second is consulting. It seems like that's something these conferences could do well to address as the employment landscape changes. Indeed if you are a consultant, freelancer, company owner or whatever and you want Muse tips on getting paid, landing contracts, selling yourself and your technologies, saving troubled customers, getting beyond your skill set, hiring your first and tenth employee etc. - come to that one for a lively discussion. If you are a corporate lackey you can come too, but we may look at you suspiciously out of the corner of one eye.
I also have a new plan for cfobjective this year. Since I actually don't do a lot of hard core programming any more I'm not going to dig into a specific topic and try to gain a lion's share of expertise. Instead my plan is to:
- Flit from room to rom and booth to booth and pick up as much general knowledge and witty banter as I can.
- Tweet copiously from the conference about everything and anything of interest to me. My twitter handle is @cfwebtools and the hash tag for cf.objective is #cfobjective.
- Blog a few times per day. Naturally these will not be my typical wordy tomes of dubious length. Instead I plan on a few paragraphs highlighting various workshops or interesting thoughts or even people I've met who are blog-worthy.
If you are going to be at CF Objective and would like to chat about consulting, working for CFWT, the next big thing, why CF is dead (again - Lord Beric eat your heart out), or anything else I'd be thrilled to meet you and hear about your latest project or pet mice or see your knitting or whatever. I'll make it a point to wear a RED SHIRT every day. I'm 6', a little pudgy, balding, with lovely blue eyes (says my wife), a little too verbal and over-confident, and I'll be hanging around everywhere like a ubiquitous traveling salesman. So don't be shy - if you see me give a shout! Let's have a drink, pants Ray, make fun of Mark Drew's accent or at least put soap in the hotel fountain or something. Don't leave me hanging.
Datasource Attribute in Application.cfc
You may know about the "datasource" property in ColdFusion 9. It allows you to create a variable in your Application.cfc file called "datasource" and then skip the "datasource" attribute of your query tags. That's pretty neato. Here's how it works. In the Application.cfc properties...
<cfscript>
this.name = 'mort';
this.sessionmanagement = true;
this.datasource = 'myDsn';
</cfscript>
....
<cffunction name="getAllUsers">
<cfset var 'myQry = ''/>
<cfquery name="myQry">
SELECT username, email
FROM users
</cfquery>
<cfreturn myQry/>
</cffunction>
A Minor Detail
There is one issue that I was made aware of with this approach. Super genius guru Phillip Senn had a head scratching problem where he would set this variable in Application.cfc. Periodically he began getting and error which said:
So if you are using this Application based this.datasource approach and you get some random errors where the variable seems undefined - or seems defined as a blank string - start looking for vars that are not properly scoped within your components. It may just fix you right up.
Able Commerce 5 on CF - Email Problem
A while back a product called "Able Commerce Builder" (ACB) was a popular (or pseudo popular) platform for CF folks. This would have been as far back as 1999. At some point they hired one of those developers who believe his technology choices are up there with the Scripture and the Holy Grail – but "he chose poorly".
He rewrote the entire application in Java with a ColdFusion facade. He moved everything into objects and the code became a byzantine maze of object instantiation and java arrays and objects and looping. Of course none of ColdFusion's strengths were on display (easy to read code, modifiable queries, list handling, looping and outputing, query objects etc. Thankfully ACB moved on to .NET and left CF behind - and good riddance! They were giving it a bad name. I trust their new platform was written by actual .NET developers - let's hope anyway. I wish them well.
Over the past couple of days ACB on CF has risen its ugly head again. I've been trying (with the help of super Tech Kevin Fatkin at Edge Web) to fix an issue with an ACB server. After an upgrade of the JVM and some hotfixes on a CF server running ACB, the customer discovered email had suddenly stopped going out. The fix for that is simple right? Check out the cfmail tags, double-check resolution, run a few telnets etc. Install a cert etc. Ah... if it were only that easy. In fact ACB under the hood (in keeping with its face melting decision making) reinvented the wheel and deployed its own Java based mail classes. Something changed, email is not going out, and we can't modify it the code in any real way. It's enough to make me want to have my leg chewed off by a Laplander. Fortunately if you have this problem we actually did find a solution.
Read MoreClass Compiling Fun with ColdFusion
ColdFusion is Java - most people know this in the abstract sense. In sales meetings with the non-initiated I speak about ColdFusion as a layer of Java Services like mail, networking, jdbc, and compiling coupled with a language and syntax that offers faster development and better maintenance. I keep the conversation firmly rooted in Java because in reality this description is spot on. With the advent of ColdFusion 10 my case will be bolstered by TomCat as well - making it even easier to sell (and frankly it's not very hard if you know what you are doing).
Since it is Java you probably already know that ColdFusion takes your CFML code and compiles it down into Java Classes. In the days of CF 6 (back when I had more hair) you could use a command line to pre-compile CFML and even save off the .JAVA files. I'm not sure if you can still do that but it was a neat trick. Every time you run a cfm or cfc file ColdFusion checks (assuming trusted cache is off) to see if the file has changed and recompiles it if needed. You can see this happening with a little effort. The easiest way is to go to the /cfclasses folder for the instance you are using and delete all the class files that are there. Then run a CF page. You should see class files show up for every page and each function within the page.
Knowing (or not knowing) how things really work is very important to a high skill set developer. It amazes me to no end when developers profess they are "uninterested" in certain things regarding the technology they work with. I can't imagine Tony Stewart being uninterested in the bore size of his cylinders or the torque of 4rth gear or whatever. I'm sure Tiger Woods has more than a passing knowledge of how golf balls and clubs are made and customized. Indeed the more broad your knowledge and the more eclectic your skill set the more likely it is that you are an effective troubleshooter. The Muse (for example) has more than a little networking, hardware and server config experience. Often this is the difference between many hours of fruitless searching and a fast "Aha!" moment. With that in mind I'd like to share a little tidbit I picked up along the way (on StackOverflow from ColdFusion/Flex developer Sean Coyne of n42designs.com) having to do with compiling. It started with an error I have seen many times... "Routines cannot be declared more than once". I'm sharing this because I thought the work around was unique and I had not seen it before.
Read MoreWeb Sockets - Going Where No Muse Has Gone Before
You might wonder where I've been holed up for more than a month. Never fear - I'm still slogging away. My current project is a dashboard for CF Webtools that tracks all of our consulting activity. CF Webtools runs a custom tracking and management system as a core component of our business. This system has many cool features that have evolved over the years for tracking hours, performance, tasks, groups of tasks, assignments, productivity, estimates, deadlines etc. Myself and my VP, Jason Herbolsheimer (a brilliant programmer and manager who you would all know and love if he would ever blog), have spent thousands of hours on it to make it fit our business model of transparency, measurable productivity and cash positive block hours.
The reports and features it contains are useful, but a bit of a hodgepodge. Meanwhile, over time my role has changed considerably. Other than troubleshooting, mentoring and experimentation I'm not involved in day to day tasks directly with our clients any more. But I still monitor our overall productivity closely. Indeed, now that I'm a step back from the work I have a much better sense of what we are accomplishing and where our weak spots are. In the past I have used cfcharts called up on internal pages to show hours and individual developer performance but 3 things had changed.
- We now have many more developers to track (29 at last count).
- With 3000+ consulting hours per month the system receives a constant stream of updates, notes etc.
- I have a fancy new set up with 3x27 inch monitors plus a 46 inch wall mounted monitor that looked lonely and I wanted some fancy-pants dashboard to display
Fun and Games With Googlebot
When planning for scalability one of the things that is sometimes left out is the impact of indexing bots on your site. If you have a news or ecommerce site that is constantly changing, you definitely want bots to be indexing your site. How else are the latest and greatest products or stories going to show up in organic searches after all? But you also want bots to be well behaved. It would great if you could greet the bots at the door and say "Hey... it's 2:00am, not much going on so index to your heart's content." Or, "Whoa there fella - do you have a reservation? This is Cyber Monday and I'm afraid all our seats are full for paying customers. Can you come back in 12 hours?" But that sort of smart interaction is sadly not in the cards. Some bots have defined rules, some do not. Some honor things you put in the robots.txt file others do not. So here are some tips that might save you some time.
Read MoreSites to Watch
Aggregators
RSS
