Community Manager
April 1, 2024
Question

View unscoped variables in a log file


Document history

  • 04/10/2024: The following are the changes to the log file:
    • The log files contain the name of the scope in which the variable exists.
    • Files included using the cfinclude tag will be logged.

 

In the last security updates of ColdFusion (ColdFusion (2023 release) Update 7 and ColdFusion (2021 release) Update 13), Adobe released hotfixes that addressed scope injection vulnerabilities. See the tech notes for more information.

 

New patch update

 

Adobe has released a patch for ColdFusion (2023 release) and ColdFusion (2021 release) to help identify the unscoped variables in a log file, and take corrective actions.

 

The patch applies to ColdFusion (2023 release) Update 6 and higher, and ColdFusion (2021 release) Update 12 and higher. Adobe recommends that you be on Update 6 or higher and Update 12 or higher.

 

View the tech note for more information.

 

Please send us your feedback.


    Inspiring
    April 1, 2024

    Gosh Adobe just messed this whole thing up. So complicated and never had to be. Now I am totally confused. To be clear, can someone please verify I have the right information?

    1. Up until version 13 the default for searchimplicitscopes was TRUE?

    2. Once you apply 13 it flips to false as default, so if there was nothing set in JVM or application, stuff could break.

    3. If I add the variable to application and set it to TRUE and upgrade to 13, my stuff should work exactly as needed and as before?

    4. This new patch confused me but I think I understand now. If I am on update 12 in 2021 they say set variable to true in application and install and view the logs. But isn't it already true by default? If someone had it set to false wouldn't their stuff already break? Is the patch just to see what errors would happen in 13 if you do not set variable to TRUE? I just don't see the reason in their instructions if I am on 12 to set things to true. I am doing that anyway because that is how it needs to be for 13? Just so confusing.

    Community Expert
    April 1, 2024

    I doubt that Adobe intended to drop a bomb on CF developers with this change. My guess is that someone found a serious security vulnerability with unscoped variables and reported it to the vendor (Adobe? Oracle?), and that left vendor(s) scrambling to fix it as quickly as possible. The best fix would be a magic wand that immediately converts unscoped variables to scoped ones. Sadly, that isn't available. The second best fix would be something that logs unscoped variable use so you can fix your applications without getting tons of error messages, and that's what Adobe just released. My understanding is that's all this latest update does - it causes these variables to be logged. So, you could set searchImplicitScopes to true, run the application, find the unscoped variables, and fix them more quickly. If you're on an older version of CF, there might not be a need to set searchImplicitScopes to true, except maybe that's what tells the logger to do what it does. I don't know if that's the case.

     

    Dave Watts, Eidolon LLC

    Inspiring
    April 17, 2024

    So again confused.

    I installed the page. I am on 2021 update 12; now I do see unscoped.log.

    For example, one line:

     

    xxxxxxxxxxx\transaction.cfm:PAGE,scope:FormScope

    So what exactly does this mean? No line item of the error? How would I even know where to look? This code was not written by me and there are tons of lines in it.
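
One way to triage `unscoped.log` entries like the one quoted above, as an added example that is not part of the thread and not Adobe's tooling: it groups entries per template, flags values resolved from a request-populated scope, and lists candidate source lines where the variable appears without a scope prefix. It assumes the entry layout `<template>:<VARIABLE>,scope:<scope>` inferred from that single quoted line; the paths, the sample template, and every scope spelling other than `FormScope` are constructed.

```python
import re
from collections import defaultdict

# Assumed entry layout, inferred from the one line quoted in the thread:
#   <template path>:<VARIABLE>,scope:<scope the value was resolved from>
ENTRY = re.compile(r"^(?P<template>.+):(?P<var>[^:,]+),scope:(?P<scope>\w+)\s*$")

# Scopes a request can populate directly. Only "FormScope" appears in the
# thread; the log spellings of the other scopes are assumptions.
CLIENT_SCOPES = {"form", "url", "cookie", "cgi"}

def parse_log(lines):
    """Return {template: {VARIABLE: {scope, ...}}}, collapsing repeated entries."""
    found = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = ENTRY.match(line.strip())
        if m:  # anything that is not an entry is ignored
            found[m["template"]][m["var"].upper()].add(m["scope"])
    return found

def client_controlled(scope):
    """True when the value came from a scope the client fills in."""
    name = scope.lower()
    return (name[:-5] if name.endswith("scope") else name) in CLIENT_SCOPES

def unscoped_lines(source, var):
    """1-based line numbers where var is referenced with no 'scope.' prefix."""
    # Heuristic: the name is not preceded by a dot or another identifier character.
    ref = re.compile(r"(?<![\w.])" + re.escape(var) + r"\b", re.IGNORECASE)
    return [n for n, text in enumerate(source.splitlines(), 1) if ref.search(text)]

# Constructed sample data (not taken from a real server).
SAMPLE_LOG = [
    r"C:\sites\shop\transaction.cfm:PAGE,scope:FormScope",
    r"C:\sites\shop\transaction.cfm:PAGE,scope:FormScope",
    r"C:\sites\shop\header.cfm:TITLE,scope:VariablesScope",
]
SAMPLE_TEMPLATE = """<cfparam name="form.page" default="1">
<cfif page GT 1>
  <cfset offset = (form.page - 1) * pageSize>
</cfif>
<cfoutput>#page#</cfoutput>"""

if __name__ == "__main__":
    for template, variables in parse_log(SAMPLE_LOG).items():
        for var, scopes in variables.items():
            flag = "client-controlled" if any(map(client_controlled, scopes)) else "other"
            print(f"{template}: {var} from {sorted(scopes)} [{flag}]")
    print("candidate lines for PAGE:", unscoped_lines(SAMPLE_TEMPLATE, "PAGE"))
```

The line search is a text heuristic, so it can also match the name inside comments or plain HTML; treat its output as a list of places to review, starting with variables flagged as client-controlled.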