Community Manager
April 1, 2024
Question

View unscoped variables in a log file

Document history

  • 04/10/2024: The following are the changes to the log file:
    • The log files contain the name of the scope in which the variable exists.
    • Files included using the cfinclude tag will be logged.

 

In the last security updates of ColdFusion (ColdFusion (2023 release) Update 7 and ColdFusion (2021 release) Update 13), Adobe released hotfixes that addressed scope injection vulnerabilities. See the tech notes for more information.

 

New patch update

 

Adobe has released a patch for ColdFusion (2023 release) and ColdFusion (2021 release) to help identify the unscoped variables in a log file, and take corrective actions.

 

The patch applies to ColdFusion (2023 release) Update 6 and higher, and ColdFusion (2021 release) Update 12 and higher. Adobe recommends that you be on Update 6 or higher and Update 12 or higher.

 

View the tech note for more information.

 

Please send us your feedback.

    Inspiring
    April 1, 2024

    Gosh Adobe just messed this whole thing up. So complicated and never had to be. Now I am totally confused. To be clear, can someone please verify I have the right information.

    1. Up until version 13 the default for searchimplicitscopes was TRUE?

    2. Once you apply 13 it flips to false as default, so if there was nothing set in jvm or application, stuff could break.

    3. If I add the variable to application and set it to TRUE and upgrade to 13, my stuff should work exactly as needed and as before?

    4. This new patch confused me but I think I understand now. If I am on update 12 in 2021 they say set variable to true in application and install and view the logs. But isn't it already true by default? If someone had it set to false wouldn't their stuff already break? Is the patch just to see what errors would happen in 13 if you do not set variable to TRUE? I just don't see the reason in their instructions if I am on 12 to set things to true. I am doing that anyway because that is how it needs to be for 13? Just so confusing.

    Adobe Employee
    April 1, 2024

    If I reply in a single line, for this patch to work, we need searchImplicitScope = true.

    | CF-Version | Default Value of searchimplicitscope | Application Value of searchimplicitscope | |
    |---|---|---|---|
    | 2021 update below 13 or 2023 update below 7 | TRUE | Your application value might override default value by Application.cfc or Application.cfm | If you have not overridden default value, patch can be applied directly. But if you are overriding default value to make it false, before applying patch need to make searchimplicitscope=true |
    | 2021 update 13 or 2023 update 7 | FALSE | Application default value can be overridden by jvm.args and Application.cfc and Application.cfm | It is mandatory to override the default value and make searchimplicitscope=true by using jvm.args or application.cfm or application.cfc for this patch to work. |

    Charlie Arehart
    Community Expert
    November 14, 2024

    I recently installed Update 12 and the log patch, and I was able to see the logs and fix most issues. Although there were a few outstanding items, I planned to revisit them later. After updating to 13, the code appeared to work fine, and now, with Update 14, everything seems good overall. However, I’ve noticed that the unscoped log has disappeared. I’m certain I had it installed before.

     

    My JVM arguments are the same, but there’s no evidence of the patch. I still have it in my downloads folder, and I’m sure it was installed. How can I verify if the patch is still active? It’s possible my code is fixed and just not logging issues, but I would expect some indication that the patch is present.

     

    I want to avoid assuming everything is resolved only to have problems resurface later. Could you assist with this?


    Rick, it's that you need to add the patch in again after every update.

     

    Sadly, this "patch" is unlike those from the past experience most have: where the "patch" was just something needed "until Adobe rolled it into the next update". Like ALL updates (since CF10 introduced the new update process), when you implement an update it REMOVES ALL FILES from the lib/update folder (where such a patch is to be put), replacing it only with the new update's "chf" jar. The problem is that Adobe has not bundled (and seemingly will not be bundling) this "patch" into any updates.

     

    As such, you either need to a) download it again from the technote pointed to here, b) save it before doing an update, or c) copy it out of the "backups" folder created for each update (in the hf-updates folder for that specific update), where it is within its lib/updates subfolder. Then just put it in place again in the lib/updates folder for your instance and restart CF.

     

    Let us know how it goes (and direct any dismay to Adobe, of course. I'm just a messenger.)

    /Charlie (troubleshooter, carehart. org)
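
The check-and-restore steps described in the reply above, as an added example that is not part of the original thread and is not Adobe's tooling. It assumes the instance directory passed as the first argument holds both `lib/updates` and `hf-updates`; the jar file name is a placeholder to be replaced with the name from the tech note.

```shell
#!/usr/bin/env bash
# Added example: confirm the unscoped-variable logging patch survived a
# ColdFusion update and, if not, put it back from the update backups.
# Assumptions: $1 is the instance directory that holds lib/updates and
# hf-updates; $2 is the patch jar's file name (placeholder, take the real
# name from the tech note).

# Print the most recently modified backup copy of the jar, or an empty line.
find_backup_copy() {
    instance_dir=$1; jar_name=$2; newest=""
    while IFS= read -r candidate; do
        [ -n "$candidate" ] || continue
        if [ -z "$newest" ] || [ "$candidate" -nt "$newest" ]; then
            newest=$candidate
        fi
    done <<EOF
$(find "$instance_dir/hf-updates" -type f -path "*/lib/updates/$jar_name" 2>/dev/null)
EOF
    printf '%s\n' "$newest"
}

# Return 0 if the jar is present or was restored, 2 if no copy exists.
restore_patch() {
    instance_dir=$1; jar_name=$2
    target_dir=$instance_dir/lib/updates
    if [ -f "$target_dir/$jar_name" ]; then
        echo "present: $target_dir/$jar_name"
        return 0
    fi
    backup=$(find_backup_copy "$instance_dir" "$jar_name")
    if [ -z "$backup" ]; then
        echo "missing and no backup copy found; download it again" >&2
        return 2
    fi
    cp -p "$backup" "$target_dir/" || return 1
    echo "restored from $backup; restart ColdFusion to load it"
}

# Run only when called with both arguments, e.g. (example path and name):
#   ./restore_patch.sh /opt/coldfusion/cfusion patch-placeholder.jar
if [ "$#" -eq 2 ]; then
    restore_patch "$1" "$2"
fi
```

Running it after each update gives a definite answer on whether the jar is in place, instead of inferring it from an empty log.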