Security bug with client variables

ColdFusion

While investigating ColdFusion server stability issues I recently discovered what I would consider a bug and a security issue with client variables.

As I am sure you know, client variables can be stored in cookies, the registry or a database. The default storage method is the registry, but this is not suitable in many cases, especially on a shared server, and should be changed. In such an environment you want to disable use of the registry, and you do this with a security sandbox that denies use of the CFRegistry tag. This also means that trying to set client variables to be stored in the registry in Application.cfm fails with an access denied error, e.g.

<cfapplication clientstorage="registry">

However, as I have now discovered, this does not apply to Application.cfc, which can still override the Administrator settings and the sandbox and use the registry, e.g.

<cfcomponent>
<cfset this.name = "myapp"> <!--- a named application is required for client variables --->
<cfset this.clientManagement = true> <!--- clientStorage has no effect unless client variables are enabled --->
<cfset this.clientStorage = "registry">
</cfcomponent>

I have tested and verified this on CF 6, 7 and 8. The caveat is that if customers set this attribute in their Application.cfc, the registry will be used and can easily fill up with client variables, which can make the server unstable. Sadly it seems that some developers enable client variables and set clientStorage="registry" even when they are not using client variables at all, which results in a pointless waste of system memory and resources. If an application does not need client variables it should leave clientManagement off, and if it does, clientStorage should point at a cookie or a datasource rather than the registry.

Currently the only way to avoid this problem is to deny the account under which ColdFusion runs access to the registry key where client variables are stored, which is

HKLM\SOFTWARE\Macromedia\ColdFusion\CurrentVersion\Clients
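The following PowerShell script is an added example and is not part of the original post. It applies that deny rule to the key and then checks that the entry is actually present. It assumes the ColdFusion service runs under a dedicated account (the name CFSERVER\cfusion below is a placeholder; use the account shown as "Log On As" for the ColdFusion service) and that it is run from an elevated PowerShell session on the server.

```powershell
# Added example, not from the original post. Deny the ColdFusion service
# account access to the client variable registry key and verify the ACE.
# Run from an elevated PowerShell session on the ColdFusion server.

$keyPath   = 'HKLM:\SOFTWARE\Macromedia\ColdFusion\CurrentVersion\Clients'
$cfAccount = 'CFSERVER\cfusion'   # assumption: replace with the account ColdFusion runs as

# Create the key if it is not there yet so the deny entry has somewhere to live.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

$acl = Get-Acl -Path $keyPath

# Deny all rights on the key and on every subkey created beneath it.
# ContainerInherit is the only meaningful inheritance flag for registry keys.
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $cfAccount,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny
)
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify: re-read the ACL and look for the deny entry that was just added.
$denied = (Get-Acl -Path $keyPath).Access |
    Where-Object {
        $_.IdentityReference.Value -eq $cfAccount -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny
    }

if ($denied) {
    Write-Output "Deny ACE present for $cfAccount on $keyPath"
} else {
    throw "Deny ACE missing for $cfAccount on $keyPath"
}
```

A Deny entry takes precedence over any Allow inherited from HKLM\SOFTWARE, so once it is in place a site whose Application.cfc asks for registry storage gets an error on its client variable writes instead of quietly filling the registry. Do not apply this to SYSTEM if ColdFusion still runs as LocalSystem; move the service to a dedicated account first.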

 

My New Yamaha V Star 1300

Biker Stuff

My V Star XVS 1100 Silverado has been traded in and I am now the proud owner of the new 2007 Yamaha V Star 1300, or the XVS1300A Midnight Star as it is called in Europe.

While I did love my 1100, I have been having constant issues with it and just decided I had had enough and couldn't be bothered trying to resolve them any longer, which is a shame because I had spent a considerable amount of time and money upgrading it. Hopefully it will go to a better home and be cared for by someone who is more mechanical than me; I like to ride bikes, not work on them.

I spent quite a bit of time deciding which bike to upgrade to, as I didn't want to spend too much money on something I don't really need (I really should be buying a second car), so I set my budget at £2000. It ended up being a toss-up between a used Yamaha Roadstar XVS1700, a used Kawasaki Vulcan VN1600 or a new Yamaha V Star XVS1300. I then narrowed it down to the XVS1300 and VN1600, as I wanted fuel injection and the Roadstar doesn't have this (not on pre-2007 models anyway).

I then found a shop near to where we are moving next year (P and H Motorcycles) who had both bikes brand new for around the same price, £7000 (£4500 trade-in on my 1100). I also managed to bring them down £500 from their advertised price, and they let me take a test ride on both bikes, which is quite rare. Plus I had actually purchased two bikes from this shop in the past, so I knew they were reliable and was prepared to pay a bit more for my bike than I would have done elsewhere.


Law to protect 'have-a-go heroes'

Jibber Jabber

Jack Straw, the Justice Secretary, told the Labour conference that so-called 'have-a-go heroes' should escape prosecution if they injure an assailant.

The Bill will ensure that people who use reasonable force to protect themselves or others have full protection under the law.

Hooray is all I can say, and about time too, it's about time we were able to protect our homes and families and show those criminals the business end of a baseball bat without fear of getting sued by them.

 

It will also make it illegal to incite hatred against the disabled and people who have undergone a sex change.

Jack Straw, the Justice Secretary, has already said he would amend the legislation to make it illegal to incite homophobic hatred. This protection will now be extended to transgendered and disabled people.

This is certainly another step in the right direction, but they really should make it less specific: it should be illegal to incite hatred against anyone for any reason to do with their race, appearance, disability etc. Why should a goth, for example, have to put up with abuse and hatred any more than a homosexual? They shouldn't, so it should be the same rule for everyone.

One comment I will make on this though is that everyone has the basic human right to dislike anyone or anything for any reason. Some people simply need to learn to keep certain feelings to themselves, and then they are not going to bother anyone, and other people need to get a grip and realise that it really doesn't matter if a complete stranger doesn't like you. Who cares? Don't lose any sleep over it.

Remember, a person can no more help the fact that he/she likes/dislikes homosexuals, rednecks, Goths, blacks or bikers than he/she can help the fact that he/she likes/dislikes seafood, peanuts, sci-fi or reality TV shows. That's just the way human beings are built: we have these things called feelings that we cannot control most of the time, and you cannot change someone's feelings. But remember that your feelings cannot hurt anyone; at least I don't think I have ever heard of a cow being offended or upset by a vegetarian.

The Bill also bans possession of extreme pornography and brings in new powers to throw anti-social neighbours out of their homes.

Now I think this porno ban is laughable and is going to do nothing more than waste police time and taxpayers' money when they should be chasing real criminals. Everyone knows (whether they want to admit it or not) that most of the entire male population of planet Earth likes porn, owns porn, and one of the first things every man does when he first gets on the INTERNET is download porn. That is why it is the biggest business in the world and the sole reason the INTERNET is as huge as it is today; that's a fact. So what on earth is the point in banning the possession of something that almost everyone owns? The police are going to have to start arresting each other; sheesh, they are going to have to arrest the people who made the law in the first place as well. Or is this just the MPs' way of pretending they don't do it themselves?

I also have to wonder what the hell they class as extreme; I mean, most of the things I find extreme and disgusting are supposedly quite normal these days.

Why don't they ban alcohol? That would have a much more positive effect on human life, like all the lives it would save for a start. I'll tell you why: because the government makes a fortune in taxes on the sale of alcohol, but they don't make money out of porn.

The bill will also introduce violent offender orders, which will be similar to sex offender orders but applied in cases of violent crime.

Noisy neighbours will face eviction under plans which extend powers currently used to close "crack dens".

Officials have estimated that 50 premises a year would be closed.

Well I have had enough problem neighbours in my time to appreciate this one, but I wonder if the 'have-a-go-heroes' law would apply in this situation :-)

CF8: CFinclude and security sandboxes bug

ColdFusion

I have just noticed something odd with ColdFusion 8 when you have sandbox security enabled in the Enterprise edition.

CFinclude does not work by default and gives an access denied error. You *MUST* create a sandbox for every site in order for CFinclude to work.

The reason this is so odd is that you cannot actually disable CFinclude even if you want to, as it is not in the list of tags that can be enabled or disabled; it seems CF has just decided to disable it by default.

Now it turns out that CFinclude is not sandboxable in CF6/7 either, but at least there it worked by default without having to set up a sandbox.

I wonder why Macrodobe decided to exclude this tag? It is a security issue, as it does provide filesystem access: it allows you to include a file from anywhere on the same drive as the template, or, using the available mappings, from anywhere on the entire server. Anything in the included file that is not CFML is simply emitted as page output, so the contents of a plain text or configuration file end up in the response. Granted, it is of limited use on its own, as you would also need cfcontent to easily make any file downloadable, but a clever developer could get around that.

CF8: Security issue with new AJAX functions

Ajax, ColdFusion

I recently had the following error reported by a cfdeveloper member after upgrading to ColdFusion 8.

Security: The requested template has been denied access to
C:\Inetpub\wwwroot\CFIDE\scripts\ajax\messages\cfmessage_en_GB_.js.
The following is the internal exception message: access denied
(java.io.FilePermission
C:\Inetpub\wwwroot\CFIDE\scripts\ajax\messages\cfmessage_en_GB_.js read)

ColdFusion cannot determine the line of the template that caused this error.
This is often caused by an error in the exception handling subsystem.

Now the security error is partly to be expected, as I use security sandboxes and this path is therefore not allowed by default, but the unexpected thing is the path it is trying to use in the first place.

Like any good host should, I do not use the default CFIDE folder, as I do not want every web site to have access to the ColdFusion Administrator, so the path to my CFIDE folder is actually D:\wwwroot\CFIDE and this is where the virtual directory points for each web site. As you can see, ColdFusion 8 completely ignores this and uses the default C:\Inetpub\wwwroot\CFIDE instead, which seems like a bug to me.

So if you are running in a sandboxed or shared hosting environment you need to be aware of this and add the above path to your default sandbox, or ask your host to do so. Judging by the FilePermission in the error, read access to the C:\Inetpub\wwwroot\CFIDE\scripts folder is all that is needed; there is no reason to grant anything more on it.

 

Powered by Mango Blog. Design and Icons by N.Design Studio