ImageCrop: The rectangular crop area must not be outside the image

Today I was resizing and cropping some images with ColdFusion when I ran into the following issue. After resizing the image using ImageScaleToFit(), ImageCrop() would throw an error stating that "The rectangular crop area must not be outside the image." I was able to confirm that the crop area was not outside of the image, so I was a little perplexed. Then I found the following listed as a known JAI bug:

WebSockets with ColdFusion

Today I released a ColdFusion WebSocket Gateway on RIAForge and Github. The name pretty much says it all. It is an event gateway for messaging between ColdFusion and conforming clients via the WebSocket protocol. The gateway is based on Nathan Rajlich's Java-WebSocket server implementation, which I updated to support both WebSocket draft 75 and draft 76 clients. For more info on how to install and use this gateway, see the Github wiki page.

OpenID4CF Updated To Fix Potential Security Issue

Last week I gave a 30 minute introduction to OpenID at our monthly developer tech talk lunch. Soon after the talk my co-worker Tim Allen sent me this article on a recently discovered security vulnerability in most open source OpenID implementations.

I was particularly interested because I maintain OpenID4CF, which is based on the OpenID4Java library. So I did a little more research into the issue and asked about it on the OpenID4Java mailing list. As it turns out OpenID4Java is potentially vulnerable to this attack, but a user on the list was able to give some advice on how to patch the library based on a fix committed to JOpenID.

Now I don't really know how exploitable this vulnerability is, but given how simple the fix was I went ahead and patched the fork of OpenID4Java I package for OpenID4CF and posted it to RIAForge. Hopefully OpenID4Java will be patched shortly, but in the meantime you can use the version I include with OpenID4CF if you want to protect against this potential vulnerability.

Listening for CFTREE data loaded events

Last week Ray Camden asked if it was possible to listen for data loaded events with CFTREE. I had done some work with CFTREE in the past and I knew something like this should be possible. After some quick investigation I put together a quick and dirty example to show how you could be notified when new nodes are loaded for a tree.

Adobe ColdFusion Anthology

Just a quick post to let people know that the Adobe ColdFusion Anthology was released today by Apress. The book has tons of excellent content from the Fusion Authority Quarterly Update, including my article "Web Services and Complex Types."

OpenID And ColdFusion

Recently I wanted to investigate building an OpenID identity provider in ColdFusion. While there are a few OpenID consumer libraries out there, I didn't really find any ColdFusion implementations for an OpenID server. Plus, given that OpenID is an authentication protocol, there are heightened security considerations, so I wanted something that was well tested and widely used. This led me to the OpenID4Java project. Looking at the documentation and source for the project, there appeared to be pretty straightforward implementations for both an OpenID provider and consumer via the ServerManager and ConsumerManager classes, so I began to port the sample JSP applications over to ColdFusion. That is where my problems began.

CF No Debug 1.3

The CF No Debug Firefox extension has been updated to work with Firefox 3.6. You can get the latest from RIAForge.

CF Debug Copy for Firefox Update

Just a quick post to let people know my CF Debug Copy for Firefox extension has been updated to work with Firefox 3.6. You can download the latest from RIAForge.

CFBuilder DocShare Support

A few weeks ago Terry Ryan released his Instant Code Review ColdFusion Builder Extension. I realize that the point of the extension was to get people to think of creative uses of CF Builder extensions, but I couldn't help but think that there are much better ways of collaborating using the Eclipse platform, specifically the Eclipse Communication Framework (ECF) DocShare plug-in.

Unfortunately ColdFusion Builder's CFML Editor doesn't support the plug-in out of the box. Fortunately the DocShare plug-in developers did the Eclipse thing and made it easy to extend the plug-in to support other editors. So I put together an Eclipse plug-in that adds DocShare support to the CFBuilder CFML editor. You can check out the CFBuilder DocShare Support plug-in at RIAForge.

A few notes about the plug-in. First, you will need to install ECF, including the DocShare plugin. For update URLs for your version of Eclipse, see the ECF site. Second, my plug-in just enables the "Share This Editor With..." context menu item in the CF Builder CFML editor; the actual editor sharing is implemented via the ECF DocShare plug-in. For more info on the DocShare plug-in and its use, see the DocShare Plugin site. Finally, I've had hit and miss luck with the DocShare plugin, so be sure you have a backup of the file you plan to work on in a shared editor.

Enjoy!

SQL Injection Consideration

Here is something I discovered the other day that surprised me a bit. ColdFusion data sources have an advanced option named "Allowed SQL" which, according to the documentation, defines "the SQL operations that can interact with the current data source." I know some shops use this setting to help protect against SQL injection attacks. For example, they may limit a data source to only allow SELECT and Stored Procedures. While you may think that this would go a long way toward protecting the data source against SQL injection, this may not be the case. If the database credentials used for the data source have additional permissions, those statements may still be executed via SQL injection. For example, consider the following setup:

  • A SQL Server database: TESTDB
  • A table TESTDB.TestTable
  • A database user test_user with SELECT, INSERT, UPDATE, and DELETE permissions to TestTable
  • A ColdFusion data source "test" connected to TESTDB using the test_user credentials and the Allowed SQL option set to only SELECT and Stored Procedures.

Now, consider the following query.

<cfquery name="getItems" datasource="test">
SELECT * FROM TestTable WHERE TestID = #url.testID#
</cfquery>

You may think the above query would be protected against SQL injection because the data source limits the Allowed SQL to SELECT and Stored Procedures, but you would be wrong. Given this setup, the above code is actually susceptible to SQL injection. Assuming this query were in a template index.cfm, you could easily delete all records in TestTable by issuing a request like index.cfm?testID=1%20DELETE%20FROM%20TestTable.

Now there are a number of ways you could protect against this attack, one of the easiest being the cfqueryparam tag, another being to limit the database user's permissions, but that isn't the point of this post. The point is you can't rely on the Allowed SQL advanced option to protect against SQL injection. You have been warned. (Note: I have only tested this against MS SQL Server so it may not apply to all database engines.)
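For ColdFusion readers, here is the hardened form of the getItems query as an added example; it is not code from the original post. It keeps the post's "test" data source and TestTable, and adds two things that are my additions: an up-front integer check on url.testID and a cfqueryparam binding in place of the raw #url.testID# interpolation.

```cfml
<!--- Added example (not the original post's code): hardened version of the
      getItems query. Assumes the same "test" data source and TestTable from
      the post; the validation step is an addition. --->

<!--- Reject anything that is not a plain integer before it gets near SQL. --->
<cfif NOT structKeyExists(url, "testID") OR NOT isValid("integer", url.testID)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>testID must be an integer.</cfoutput>
    <cfabort>
</cfif>

<!--- cfqueryparam sends the value as a bound parameter, so it can never be
      parsed as part of the SQL statement text. --->
<cfquery name="getItems" datasource="test">
    SELECT *
    FROM TestTable
    WHERE TestID = <cfqueryparam value="#url.testID#" cfsqltype="cf_sql_integer">
</cfquery>
```

With cf_sql_integer the driver receives a typed parameter rather than a spliced string, so a value like the one in the post (1 DELETE FROM TestTable) is rejected by ColdFusion's type check before any SQL reaches the server, and even a value that passed the check would be bound as data, not appended as a second statement. The other mitigation the post names, granting test_user only SELECT on TestTable, is worth doing as well: it limits what a missed query can do, whereas the Allowed SQL option only inspects what ColdFusion thinks the statement is.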

BlogCFC was created by Raymond Camden. This blog is running version 5.8.001.