Community Manager
April 1, 2024
Question

View unscoped variables in a log file

  • April 1, 2024
  • 1 reply
  • 4097 views

Document history

  • 04/10/2024: The following are the changes to the log file:
    • The log files contain the name of the scope in which the variable exist.
    • Files included using cfinclude tag will be logged.

 

In the last security updates of ColdFusion (ColdFusion (2023 release) Update 7 and ColdFusion (2021 release) Update 13), Adobe released hotfixes that addressed scope injection vulnerabilities. See the tech notes for more information.

 

New patch update

 

Adobe has released a patch for ColdFusion (2023 release) and ColdFusion (2021 release) that records unscoped variable references in a log file, so that you can identify them and take corrective action.

 

The patch applies to ColdFusion (2023 release) Update 6 and higher, and ColdFusion (2021 release) Update 12 and higher. Adobe recommends that you be on Update 6 or higher (2023 release) or Update 12 or higher (2021 release).

 

View the tech note for more information.

 

Please send us your feedback.



    Inspiring
    April 1, 2024

    Gosh, Adobe just messed this whole thing up. So complicated, and it never had to be. Now I am totally confused. To be clear, can someone please verify I have the right information.

     

    1. Up until version 13 the default for searchimplicitscopes was TRUE?

    2. Once you apply 13 it flips to false as default, so if there was nothing set in jvm or application, stuff could break.

    3. If I add the variable to application and set it to TRUE and upgrade to 13, my stuff should work exactly as needed and as before?

    4. This new patch confused me, but I think I understand now. If I am on update 12 in 2021 they say set the variable to true in application, install, and view the logs. But isn't it already true by default? If someone had it set to false, wouldn't their stuff already break? Is the patch just to see what errors would happen in 13 if you do not set the variable to TRUE? I just don't see the reason in their instructions, if I am on 12, to set things to true. I am doing that anyway because that is how it needs to be for 13? Just so confusing.

    Adobe Employee
    April 1, 2024

    If I reply in a single line: for this patch to work, we need searchImplicitScope = true.

    CF version: 2021 update below 13, or 2023 update below 7
      • Default value of searchimplicitscope: TRUE
      • Application value of searchimplicitscope: Your application value might override the default value via Application.cfc or Application.cfm. If you have not overridden the default value, the patch can be applied directly. But if you are overriding the default value to make it false, you need to make searchimplicitscope=true before applying the patch.

    CF version: 2021 update 13, or 2023 update 7
      • Default value of searchimplicitscope: FALSE
      • Application value of searchimplicitscope: The application default value can be overridden by jvm.args, Application.cfc and Application.cfm. It is mandatory to override the default value and make searchimplicitscope=true, using jvm.args, application.cfm or application.cfc, for this patch to work.
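    The setting in the table above decides whether an unscoped read silently falls through to request input or fails, and that fall-through is what the patched server writes to the log. The page below is an added example for this thread, not code from Adobe, from the hotfix or from any poster. It assumes Application.cfc sets this.searchImplicitScopes = true (the setting name as the thread and tech note give it; confirm it for your update), and the attacker-controlled URL value is constructed inline rather than read from a real query string.

```cfml
<!---
  unscopedDemo.cfm: constructed example, not code from the thread or from Adobe.
  Assumes Application.cfc contains: this.searchImplicitScopes = true
  (setting name taken from the thread; verify against your update's tech note).
--->
<cfscript>
// The value the page author intended to use: a flag in the VARIABLES scope.
variables.isAdmin = false;

// Constructed stand-in for attacker-controlled input. On a real request this
// would simply be ?isAdmin=true in the query string.
url.isAdmin = "true";

// Simulate the defect the audit log exists to find: the assignment above is
// lost (a typo, a refactor, a branch not taken), so VARIABLES has no isAdmin.
structDelete(variables, "isAdmin");

// VULNERABLE: an unscoped read. With searchImplicitScopes = true, ColdFusion
// searches the implicit scopes in order (variables, cgi, url, form, ...), so
// the missing value is silently satisfied from URL. This read is not resolved
// in local/variables, so the hotfix writes it to the log. With
// searchImplicitScopes = false the same read throws instead.
try {
    unscopedResult = isAdmin;               // "true", taken from url.isAdmin
} catch (any e) {
    unscopedResult = "error: " & e.message; // what you get once the search is off
}

// HARDENED: name the scope. A missing key becomes a deliberate safe default
// instead of a fallback to request input, and nothing is written to the log.
scopedResult = structKeyExists(variables, "isAdmin") ? variables.isAdmin : false;

writeOutput("unscoped read: #unscopedResult#<br>");
writeOutput("scoped read:   #scopedResult#<br>");
</cfscript>
```

    Run it once with the setting true: the unscoped read prints true, sourced from url, and that is the kind of reference the patched server records. Fix each logged reference by scoping it as in scopedResult; once the log stays empty under real traffic, the move to 2021 Update 13 or 2023 Update 7, where the default flips to false, no longer depends on the scope search.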
    Charlie Arehart
    Community Expert
    April 4, 2024

    @Charlie Arehart
    I don't think we have intentions to keep this logging feature in Cf going forward. For as many updates, older (this may work with older updates, but we have not tested) and upcoming, as this patch works, we are happy.
    We don't intend to include this as part of the Cf server codebase. It impacts performance of the widely used scope search.
    I think all admin settings for logs are still applicable.



    Thanks for that clarification, Satyam. Bad news/good news, I think.

     

    First, I hope that decision may be reconsidered (about whether this logging will work in future updates). Many people who are not yet on these recent updates (or indeed are still on older cf versions) will trip over this issue in the future, when updating/upgrading. If they can't get this logging help then, they'll need to be told to first stop at this update as an intermediary step, to do testing, which will be awkward in time.

     

    Some good news on this fix: I tested this hotfix with the current update and previous two (from Jan and Oct), and it worked with them (on both Cf2023 and cf2021). It did not work with the prior update (from Aug). 

     

    I also confirmed the hotfix only reports on unscoped vars that are NOT resolved in the local scopes, which means it won't overreport on EVERY unscoped var. Good to see that, and thanks. 

    /Charlie (troubleshooter, carehart.org)