Web Software Architecture and Engineering – Life on the Bleeding Edge

Archive for July, 2010

Security Enhancement in CF 9.0.1

In the CF 9.0.1 list of What’s New and Changed, the last item listed in the “other enhancements” area is a small note that “CFID, CFTOKEN, and jsessionid are marked httpOnly”. This is a small but significant step in the right direction.
What does httpOnly mean? Well, the OWASP website has a nice explanation. Basically it means: “If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.”
In plain English, I think it means these cookies are basically read-only, meaning you can’t write something in the browser to manipulate them. The big caveat being that the browser must support the optional flag to have this functionality.
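The quickest way to confirm the change after updating is to look at the raw Set-Cookie headers the server sends back. As an added example (not code from the original post or from Adobe), here is a small Node.js audit that parses Set-Cookie header values and reports any of CFID, CFTOKEN or JSESSIONID that lack the HttpOnly flag. The two header sets are constructed here to mimic a pre-9.0.1 and a post-9.0.1 response rather than captured from a real server, and the optional Secure check goes beyond the 9.0.1 change itself. Keep in mind that HttpOnly only hides the cookie from script (document.cookie), which is what defeats the classic XSS cookie-theft payload; the user or browser tooling can still change the cookie.

```javascript
// Added example, not code from the original post: audit ColdFusion session
// cookies for the HttpOnly flag by inspecting raw Set-Cookie header values.

const SESSION_COOKIES = ['CFID', 'CFTOKEN', 'JSESSIONID'];

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return { name: '', value: '', attrs: {} };
  const eq = parts[0].indexOf('=');
  const name = eq >= 0 ? parts[0].slice(0, eq).trim() : parts[0];
  const value = eq >= 0 ? parts[0].slice(eq + 1).trim() : '';
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i >= 0 ? p.slice(0, i) : p).trim().toLowerCase();
    attrs[key] = i >= 0 ? p.slice(i + 1).trim() : true;
  }
  return { name, value, attrs };
}

// Return one finding string per session cookie that is missing HttpOnly.
// With https: true, also flag session cookies that are missing Secure
// (an extra check, not part of the 9.0.1 change described above).
function auditSessionCookies(setCookieHeaders, { https = false } = {}) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    if (!SESSION_COOKIES.includes(cookie.name.toUpperCase())) continue;
    if (!('httponly' in cookie.attrs)) {
      findings.push(`${cookie.name}: missing HttpOnly, readable via document.cookie under XSS`);
    }
    if (https && !('secure' in cookie.attrs)) {
      findings.push(`${cookie.name}: missing Secure, would be sent over plain HTTP`);
    }
  }
  return findings;
}

// Constructed sample responses (not captured from a real server): what a
// CF 9 server looked like before 9.0.1 and after the update.
const PRE_901_HEADERS = [
  'CFID=12345; Path=/',
  'CFTOKEN=67890; Path=/',
  'JSESSIONID=a1b2c3; Path=/',
  'theme=dark; Path=/',
];
const POST_901_HEADERS = [
  'CFID=12345; Path=/; HttpOnly',
  'CFTOKEN=67890; Path=/; HttpOnly',
  'JSESSIONID=a1b2c3; Path=/; HttpOnly',
  'theme=dark; Path=/',
];

console.log('pre-9.0.1:', auditSessionCookies(PRE_901_HEADERS));
console.log('post-9.0.1:', auditSessionCookies(POST_901_HEADERS));
```

To run it against a real server, paste the Set-Cookie lines from `curl -sI http://yourserver/` into an array and pass that to auditSessionCookies; pass `{ https: true }` when the site is served over TLS and the Secure flag matters too.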
Lots of people have started posting wish lists for enhancements to CF10. Read more on Pete Freitag’s blog and Jason Dean’s as well.


ColdFusion 9 Update 1 (9.0.1) Available for Download

The new release includes (among other things):

  • ORM support for multiple data sources
  • Amazon S3 support
  • Support for IIS 7
  • New script functions implemented as CFCs
  • Support for BlazeDS 4 and LCDS 3
  • Configurable seed for password encryption 
  • Server monitoring enhancements to handle load conditions

It is also noted: “In addition, there are some enhancements related to Language, Caching,
Ajax, SpreadSheet, Solr, and Logging and scores of bug fixes.”
Read more @ http://kb2.adobe.com/cps/847/cpsid_84723.html.
Download files @ http://www.adobe.com/support/coldfusion/downloads_updates.html#cf9.

Beware: Change in CF 9.0.1 CGI Scope Functionality

Pre-CF 9.0.1, the CGI scope acted funky – but maybe you never noticed.
For example, if you ran:
<cfdump var="#cgi.someRandomString#" /><cfdump var="#StructKeyExists(cgi, 'someRandomString')#" />
It would result in:

[empty string] YES 

You’ll note, the 2nd DUMP is incorrect, as that struct key does NOT exist. As far as I know, this has always been the case for CGI. Well, with CF 9.0.1, bug #82425 was fixed.
The same code now produces this result:

[empty string] NO

Just an FYI: any code that relied on StructKeyExists(cgi, ...) always returning YES (for example, a check for an optional request header before reading it) will now take the other branch when the variable is absent, so review those conditions when you upgrade.

Firefox 4.0 to Fully Support 64-bit

Sweet! Read more @ http://www.mydigitallife.info/2010/07/09/how-to-download-official-64-bit-firefox-x64-installer-before-final-release/.

MXUnit 2.0 Released

Bill Shelton just announced this on the MXUnit Blog. Read more @ http://blog.mxunit.org/2010/07/mxunit-20-released.html.