WolfShade
Legend
May 29, 2025
Question

WTF, Adobe? Hotfix 20


Adobe never fails to disappoint.

This latest hotfix for CF Server triggers an email notifying us that such-n-such variable is "not expected" by a cffunction with access="remote" attribute. Doesn't matter if it's a form that is posting to the cfc, or using URL parameters (query string), if something is passed to it that doesn't get processed, we get an email telling us about it. Even for things like

returnformat=plain

WHY? How, exactly, is this being "more secure"?

How do I get these emails to stop? This is ludicrous.


    WolfShade (Author)
    Legend
    May 30, 2025

    Now things are even more confusing.

    I changed the code so that the CFC takes the author_cn straight from the user's CAC, and removed the offending non-"constant" from the CFINVOKE. Additionally, my SA/DBA told me of a flag in CFAdmin (Dcoldfusion.runtime.remotemethod.matchArguments) that was currently set to "true". We changed it to "false" in our staging area, and the same error email is still being triggered.

    Which makes me think that either A) CF Server is not giving me an accurate error message, or B) the template is somehow being cached, and the change is not being applied.

    Is there a way for me to programmatically clear template cache? If I can clear it, and the error message is still triggered, I can at least eliminate that as an issue, and focus on CF Server not giving me an accurate error message.

    V/r,

    WolfShade

    PS: SA cleared the cache. It didn't fix anything, but it did help point me in the right direction. So the error message about the constant is no longer happening. But the first issue I reported is still an issue.

    BKBK
    Community Expert
    June 1, 2025

    Odd thing: Tracker cannot find the issue.

    I suppose Tracker has issues of its own.

    Code to programmatically clear template cache:

    <cfscript>
    // Log in to the ColdFusion Administrator through the Admin API.
    adminObj = createObject("component", "cfide.adminapi.administrator");
    adminObj.login("your_CF_Admin_password");
    // The runtime component exposes the cache operations.
    runtimeService = createObject("component", "cfide.adminapi.runtime");
    // Clear the trusted (template) cache so changed templates are recompiled.
    runtimeService.clearTrustedCache();
    </cfscript>

    BKBK
    Community Expert
    June 2, 2025

    Hi @WolfShade,

    I reported a bug for Tracker via cfsup[at]adobe.com, and Tracker has been fixed. I have duly voted for the ticket.

    Could you share the solution of the second issue?

    BKBK
    Community Expert
    May 29, 2025

    Hi @WolfShade,

    What you describe does indeed sound bothersome. Could you share a bit more about the context?

    Apparently, the server is Update 20 of ColdFusion 2021. The application has CFCs whose functions can be accessed remotely by means of form submission or URL parameters. Whenever an error occurs during such a request, ColdFusion sends you an e-mail. I hope I am with you so far.

    But then, I am scratching my head, wondering why your post gives the impression of e-mails being sent beyond your control. Where is the sending of e-mails configured? In the Administrator? In Application.cfc? In application code?

    Who did the mail configuration or wrote the mail-sending code?

    WolfShade (Author)
    Legend
    May 30, 2025

    Hi, BKBK.

    The url parameter returnformat=plain will throw an exception if it is not utilized or paramed as an argument. The error template generates the email. This doesn't break the functionality of the cffunction, no errors appear on screen. But on a public facing site that sees thousands of users a day, our inbox is being filled to the brim with these "error" emails that aren't actual errors.

    So I have to question why Adobe, in all their (lack of) genius, decided that an element that isn't actually used for inserting data into an email, or Excel sheet, or database, but is provided to tell CF how to return the requested data, qualifies as an "error", or poses some kind of security threat.

    I have been very vocal in my disappointment towards Adobe. They don't know what they are doing. Seems like they are arbitrarily creating issues for them to solve, then solving them in less-than-ideal ways. This latest hotfix, and the two prior ones, have all created a ton of unnecessary break-fixes, and I'm the only CF dev on the contract, so I'm scrambling like mad to keep things running.

    Yes. I'm pissed.

    V/r,

    WolfShade

    PS: They created yet another issue. I'm getting emails that say a value included in a cfinvoke has to be a "constant". It's from a user filled form. That kind of negates the whole concept of "dynamic programming".

    PPS: I created a bug for it: https://tracker.adobe.com/#/view/CF-4226845 Please vote for it. Thank you.