Community Manager
April 1, 2024
Question

View unscoped variables in a log file

Document history

  • 04/10/2024: The following are the changes to the log file:
    • The log files contain the name of the scope in which the variable exists.
    • Files included using the cfinclude tag will be logged.

In the last security updates of ColdFusion (ColdFusion (2023 release) Update 7 and ColdFusion (2021 release) Update 13), Adobe released hotfixes that addressed scope injection vulnerabilities. See the tech notes for more information.

New patch update

Adobe has released a patch for ColdFusion (2023 release) and ColdFusion (2021 release) to help identify the unscoped variables in a log file, and take corrective actions.

The patch applies to ColdFusion (2023 release) Update 6 and higher, and ColdFusion (2021 release) Update 12 and higher. Adobe recommends that you be on Update 6 or higher and Update 12 or higher.

View the tech note for more information.

Please send us your feedback.

    Inspiring
    April 1, 2024

    Gosh, Adobe just messed this whole thing up. So complicated and never had to be. Now I am totally confused. To be clear, can someone please verify I have the right information?

    1. Up until version 13, the default for searchimplicitscopes was TRUE?

    2. Once you apply 13, it flips to false as default, so if there was nothing set in JVM or application, stuff could break.

    3. If I add the variable to application and set it to TRUE and upgrade to 13, my stuff should work exactly as needed and as before?

    4. This new patch confused me, but I think I understand now. If I am on update 12 in 2021, they say set variable to true in application and install and view the logs. But isn't it already true by default? If someone had it set to false, wouldn't their stuff already break? Is the patch just to see what errors would happen in 13 if you do not set variable to TRUE? I just don't see the reason in their instructions if I am on 12 to set things to true. I am doing that anyway because that is how it needs to be for 13? Just so confusing.

    Charlie Arehart
    Community Expert
    April 1, 2024

    Yes, to all 4 questions. And yep, the discussion of this new capability can be confusing...and it's not an April Fools' joke.

    The way I read it is that this Hotfix can be added to update 12 OR HIGHER of cf2021 (or update 6 OR HIGHER of cf2023), but it was indeed the next update of each (in March) that changed the default for searchimplicitscopes to false.

    And I suspect the point with this hotfix is that if searchimplicitscopes is true (whether by default or as set), then the hotfix will cause cf to log use of unscoped vars in a request. If set to false, the request would fail instead. (So we need to set it true, if on the March updates, to get this new reporting.) That's how I read it, at least. 

    That mostly makes sense to me, though if it does this logging if added to the previous updates, it begs the question that perhaps Adobe was already working on this scope search issue then, but had not completed it to change the default until the March updates.

    I'm reading all this while out, on a phone, so will check things later and report anything new (or perhaps others will). 

    /Charlie (troubleshooter, carehart.org)