View unscoped variables in a log file

Yes, to all 4 questions. And yep, the discussion of this new capability can be confusing...and it's not an April fools joke. 

The way I read it is that this Hotfix can be added to update 12 OR HIGHER of cf2021 (or update 6 OR HIGHER of cf2023), but it was indeed the next update of each (in March) that changed the default for searchimplicitscopes to false.

And I suspect the point with this hotfix is that if searchimplicitscopes is true (whether by default or as set), then the hotfix will cause cf to log use of unscoped vars in a request. If set to false, the request would fail instead. (So we need to set it true, if on the March updates, to get this new reporting.) That's how I read it, at least. 

That mostly makes sense to me, though if it does this logging of added to the previous updates, it begs the question that perhaps Adobe was already working on this scope search issue then, but had not completed it to change the default until the March updates. 

I'm reading all this while out, on a phone, so will check things later and report anything new (or perhaps others will). 

If i reply in a single line, for this patch to work, we need searchImplicitScope = true.

And by not saying "or higher" for the second line in the table I suppose that's because it's expected that this fix would be rolled into the next update. But we should still expect this logging to happen going forward, if searchimplicitscopes is true (by setting or by default), right?

And there's no way to disable the logging, right? But before people lament that, this log (like application.log, mail.log, and others) will be limited by the cf admin logging settings max and rotation settings, right? 

@Charlie Arehart 
I don't think we have intentions to keep this logging feature in Cf going forward. For as many updates older(this may work with older updates ,but we have not tested) and upcoming , this patch works,  we are happy. 
We don't intent to include this as part Cf server codebase. It impacts performance of widely used scope search.
I think all admin settings for logs are still applicable.

Thanks for that clarification, Satyam. Bad news/good news, I think.

First, I hope that decision may be reconsidered (about whether this logging will work in future updates). Many people who are not yet on these recent updates (or indeed are still on older cf versions) will trip over this issue in the future, when updating/upgrading. If tthey can't get this logging help then, they'll need to be told to first stop at this update as an intermediary step, to do testing, which will be awkward in time.

Some good news on this fix: I tested this hotfix with the current update and previous two (from Jan and Oct), and it worked with them (on both Cf2023 and cf2021). It did not work with the prior update (from Aug). 

I also confirmed the hotfix only reports on unscoped vars that are NOT resolved in the local scopes, which means it won't overreport on EVERY unscoped var. Good to see that, and thanks. 

I doubt that Adobe intended to drop a bomb on CF developers with this change. My guess is that someone found a serious security vulnerability with unscoped variables and reported it to the vendor (Adobe? Oracle?), and that left vendor(s) scrambling to fix it as quickly as possible. The best fix would be a magic wand that immediately converts unscoped variables to scoped ones. Sadly, that isn't available. The second best fix would be something that logs unscoped variable use so you can fix your applications without getting tons of error messages, and that's what Adobe just released. My understanding is that's all this latest update does - it causes these variables to be logged. So, you could set searchImplicitScopes to true, run the application, find the unscoped variables, and fix them more quickly. If you're on an older version of CF, there might not be a need to set searchImplicitScopes to true, except maybe that's what tells the logger to do what it does. I don't know if that's the case.

Dave Watts, Eidolon LLC

Adding to Dave's helpful comment, I can confirm the hotfix does indeed do its logging if (and only if) the searchimplicitscopes is true, whether by default or by config at the app or jvm level. And it will log any variables that are unscoped and which would not be resolved in the scopes local to the request. 

If instead the setting is false (by default or by config), then any use of unscoped vars (that would search beyond the local scopes) will simply fail, as intended by the use of that false setting. 

So again confused

i installed the page i am on 2021 update 12 now i do see unscoped.log

for example one line

xxxxxxxxxxx\transaction.cfm:PAGE,scope:FormScope

so what exactly does this mean? no line item of the error? how would i even know where to look this code was not written by me and there are tons of lines in it.

@rickmaz 
xxxxxxxxxxx\transaction.cfm:PAGE,scope:FormScope 
this says: transaction.cfm which is located at xxxxxxxxxxx\transaction.cfm has an un-scoped variable PAGE.
With searchImplicitScope = true the value for variable variable PAGE was found in scope : Formscope.

This is a helper patch.This logs all un-scoped variable.
Because we recommend searchImplicitScope = false and un-scoped variables will start failing with this setting.
All variable needs to be scoped. Intentionally line-number is not mentioned, so that you search all the instances of variable PAGE in 
transaction.cfm and make it scoped.

And one more issue -- ingoing through my servers i have a client that has a shopping cart. He bought it a long time ago but the admin area folders to access the admin use application.cfm however since he did not purchase the unencrypted version there is some sort of encryption when i try to view the code?  so is there any way for me to put the searchimplicitscopes=true in there? if not what are my options? i assume use JVM flag but if so how long will that be good for? Please advise. 

Wow, you have a lot going on here! First, yes, you can use the JVM flag, but no one can tell you how long that'll be around, and every day you use it your site - or your client's site - will be in danger. Second, there are ways to decrypt CF code, but Adobe doesn't like to publicize that too much for obvious reasons, and the shopping cart vendor might not like you decrypting the application either. If your customer buys an encrypted application and puts it on your server, you should let him know that it's no longer supported, and why. You shouldn't put yourself in a legal situation for something your client did.

My recommendation here would be to isolate the application in a separate CF server using that JVM flag and give the customer a set amount of time to get things sorted, maybe two weeks. Of course, I know next to nothing about the specifics here, so keep that in mind if you decide to go that way.

Dave Watts, Eidolon LLC

you can try jvm flag. This will work only if Application.cfm does not has searchimplicitscopes attribute.
jvm flag is a server level configuration but if Application.cfc or Application.cfm is present and has key searchimplicitscopes , jvm flag will be suppressed (Higher priority to application files.).

The other way would be to replace Application.cfm file with a newer file.

Third option is to get file decrypted.

Thank you 3rd option wins 🙂