Modernize or Die® - CFML News Podcast for April 2nd, 2024 - Episode 213

2024-04-02 Weekly News — Episode 213

Watch the video version on YouTube at https://youtube.com/live/Vg81ar7GfW4?feature=share
 

Hosts: 
  • Eric Peterson - Senior Developer at Ortus Solutions
  • Grant Copley - Senior Developer at Ortus Solutions

Thanks to our Sponsor - Ortus Solutions

The makers of ColdBox, CommandBox, ForgeBox, TestBox and all your favorite box-es out there. 
A few ways to say thanks back to Ortus Solutions:

Patreon Support (phenomenal)


We have 46 patreons:
https://www.patreon.com/ortussolutions.

News and Announcements

CVE-2024-20767: Critical Adobe ColdFusion Flaw Exposes Sensitive Files, PoC Published

Security researcher ma4ter has published details of a dangerous vulnerability (CVE-2024-20767) in Adobe ColdFusion, and a second researcher has since released proof-of-concept (PoC) exploit code. The flaw, originally reported to Adobe, lets an attacker bypass access controls and read arbitrary files on an affected server, potentially exposing highly confidential information. Exploitation does not require user interaction, and now that a PoC is public you should assume that unpatched servers with /pms reachable are being scanned for.

  • Patch released on March 12, 2024 (ColdFusion 2021 Update 13 and ColdFusion 2023 Update 7; patched builds below).
  • Only vulnerable if the Performance Monitoring Toolset is enabled and reachable at /pms, so if you cannot patch immediately, block /pms at the web server or firewall and confirm the path no longer answers.
  • Either way, /pms should never be reachable from the internet.

Also in these updates:
  • Scope Variable Changes: Enhanced functionality for optimized performance.
  • CFDocument Updates: Upgrades for smoother document handling.
  • Major Library Upgrades: Keeping your application’s backbone strong and secure.
  • CKEditor Changes: Enhanced editing features for a better user experience.

Patched builds:
- 2021.0.13+330286
- 2023.0.07+330663

https://www.fusion-reactor.com/blog/adobe-coldfusion-important-upgrades-and-cf-summit-east-2024/

https://twitter.com/bdw429s/status/1772726892296130810
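To turn the two facts above (the update numbers that carry the fix, and exposure only when /pms answers) into something you can run across a server inventory, here is an added example in Python. It is not code from Adobe, from the researcher, or from the FusionReactor post; the comma-separated version form, the "anything but a 404 counts as reachable" rule, and the inventory rows at the bottom are assumptions or constructed data.

```python
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Update numbers that carry the fix, taken from the patched builds listed above
# (2021.0.13+330286 and 2023.0.07+330663). Major lines missing from this table
# did not receive this fix and are reported separately.
PATCHED_UPDATE = {2021: 13, 2023: 7}

# Accepts the "2023.0.07+330663" form used above and, as an assumption, a
# comma-separated "2023,0,07,330663" form; the trailing build number is optional.
_VERSION_RE = re.compile(r"^\s*(\d{4})[.,](\d+)[.,](\d+)(?:[+,](\d+))?\s*$")


@dataclass(frozen=True)
class CFVersion:
    major: int
    minor: int
    update: int
    build: Optional[int]


def parse_version(text: str) -> CFVersion:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ColdFusion version string: {text!r}")
    major, minor, update, build = m.groups()
    return CFVersion(int(major), int(minor), int(update), int(build) if build else None)


def is_patched(v: CFVersion) -> Optional[bool]:
    """True/False for the 2021 and 2023 lines; None for a line the fix was not released for."""
    needed = PATCHED_UPDATE.get(v.major)
    return None if needed is None else v.update >= needed


def probe_pms(base_url: str, timeout: float = 5.0) -> bool:
    """GET /pms and report whether something answers there.

    Network call, so it is not exercised by the offline checks. Anything other than a 404
    (including a redirect to a login page, which urllib follows) counts as reachable.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/pms", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status != 404
    except urllib.error.HTTPError as err:
        return err.code != 404


def assess(version_text: str, pms_reachable: bool) -> dict:
    """Combine the version and the /pms probe into one verdict for an inventory report."""
    v = parse_version(version_text)
    patched = is_patched(v)
    if patched is None:
        status, detail = "unsupported-line", f"ColdFusion {v.major} is not a line this fix shipped for"
    elif patched:
        status, detail = "patched", f"update {v.update} >= {PATCHED_UPDATE[v.major]}"
    elif pms_reachable:
        status, detail = "exposed", f"update {v.update} < {PATCHED_UPDATE[v.major]} and /pms answers"
    else:
        status, detail = "unpatched", f"update {v.update} < {PATCHED_UPDATE[v.major]}; /pms not reachable, patch anyway"
    return {"version": v, "patched": bool(patched), "status": status, "detail": detail}


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, version string, /pms reachable?)
    for host, ver, pms in [("cf2023-a", "2023.0.07+330663", True), ("cf2023-b", "2023.0.06", True),
                           ("cf2021-a", "2021.0.12+330000", False), ("cf2018-x", "2018.0.19", True)]:
        r = assess(ver, pms)
        print(f"{host:10} {r['status']:16} {r['detail']}")
```

Feed it the version string from the ColdFusion administrator (or server.coldfusion.productversion) together with a probe of /pms from wherever your attackers sit. Anything reported as exposed needs the update first; a /pms that answers from the internet is a finding on its own even on a patched box.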

Quick 7.4 – 8
New hasManyDeep relationship and revamped hasManyThrough.
Better performance, correct constraints, and increased readability.

https://quick.ortusbooks.com/whats-new

qb 9.8

New withAlias function that will automatically rename fully qualified columns with the old name or alias.
https://qb.ortusbooks.com/whats-new

Megaphone 1.0.1
Uses the default cbMailServices email provider and logs success and failure by default.
https://megaphone.ortusbooks.com/whats-new


CFCasts Content Updates

https://www.cfcasts.com

Recent Releases


Conferences and Training

CF Summit East
Wednesday, April 24, 2024
8:00am - 4:00pm
Carahsoft Conference & Collaboration Center
11493 Sunset Hills Road,
Reston, VA 20190
Registration: https://carahevents.carahsoft.com/Event/Details/429564-adobe

ACP Training prior to CF Summit East
https://www.carahsoft.com/learn/event/50992-acp-adobe-coldfusion-at-adobe-cf-summit-east

ColdBox 7 Workshop at Adobe CF Summit East 2024
A Deep Dive into ColdBox 7.2
Date: April 25th - 26th, 2024 | After Adobe CFSummit East
Speakers: Luis Majano, creator of ColdBox
Elevate Your CFML Development Skills!
Master ColdBox 7.2 from the Ground Up in Our Workshop Following CFSummit East 2024
Calling all CFML developers and enthusiasts! We are thrilled to announce an upcoming event that promises to elevate your skills and empower you with ColdBox's latest updates and features. This two-day workshop is led by the creator of ColdBox, Luis Majano. You'll dive into ColdBox 7.2, exploring new features, updates, and fixes to build modern, high-quality projects.
Whether you're a beginner looking to jumpstart your journey into the MVC ecosystem or an experienced developer seeking to refine your ColdBox skills, this workshop is designed to meet your needs. Get ready for an immersive experience that keeps you at the forefront of ColdBox development!
Tickets are limited; get yours now and save with early-bird pricing.
https://www.ortussolutions.com/blog/a-deep-dive-into-coldbox-72

ITB 2024

CFCamp 2024

More conferences

Need more conferences? This site has a huge list of conferences for almost any language or community.
https://confs.tech/


Blogs, Tweets, and Videos of the Week

3/15/24 - Blog -  Juan Pablo Gomez Postigo - I Love Lucee: Building Lucee Extensions for Remote Code Execution
During the past few assessments, Sprocket has encountered improperly configured instances of Lucee 5 and 4. In all cases, this led to remote code execution. Sometimes, the initial foothold has been either a default password (“connections”), a weak password, or, in the case of Lucee 4, a first-time setup page that allows a user to set the administrator password. Note that the Lucee administrator login uses a hardcoded username (i.e., no username guessing), has no password requirements, and no account lockout. This blog post will detail a straightforward method to execute remote code after acquiring administrative access to a Lucee login panel. Hopefully, this highlights the risk of improperly locking down the Lucee admin interface; at the bottom are important recommendations for locking down your Lucee instance.
https://www.sprocketsecurity.com/resources/building-lucee-extensions-for-remote-code-execution
https://www.hoyahaxa.com/2024/03/if-youre-running-intranet-connections.html
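Since Lucee itself offers no lockout on that login, the control has to live in front of it: restrict who can reach the administrator and watch the web-server access log for guessing. The following is an added example in Python (not from the Sprocket post, and not Lucee code) that applies two such rules to combined-format access logs; the admin paths, the 10.0.0.0/8 allowlist, the five-per-minute threshold and the sample log lines are all assumed or constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Lucee administrator entry points (assumed paths; adjust to your deployment).
ADMIN_PATHS = {"/lucee/admin/server.cfm", "/lucee/admin/web.cfm"}
# Networks from which administrator use is expected; anything else is reported (assumed).
ALLOWED_NETS = [ip_network("10.0.0.0/8")]

# Apache/nginx "combined" access-log format, up to the status code.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Return the fields we need, or None for a line that is not in combined format."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect(lines, max_posts: int = 5, window: timedelta = timedelta(minutes=1)):
    """Alerts on (a) any admin hit from outside the allowlist and (b) bursts of admin POSTs per IP.

    The access log cannot tell a failed login from a successful one (both are a 200), so the
    burst rule counts attempts; with no lockout in Lucee itself, that is the signal you have.
    """
    alerts = []
    recent = defaultdict(deque)   # ip -> timestamps of admin POSTs inside the window
    seen_outside, seen_burst = set(), set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["path"] not in ADMIN_PATHS:
            continue
        ip = ev["ip"]
        if ip not in seen_outside and not any(ip_address(ip) in net for net in ALLOWED_NETS):
            seen_outside.add(ip)
            alerts.append(("admin-from-outside-allowlist", ip))
        if ev["method"] != "POST":
            continue
        q = recent[ip]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= max_posts and ip not in seen_burst:
            seen_burst.add(ip)
            alerts.append(("admin-login-burst", ip))
    return alerts


# Constructed sample: one legitimate admin page load from the internal range, an unrelated
# request, and six login POSTs from one external address inside 30 seconds.
SAMPLE_LOG = [
    '10.1.2.3 - - [02/Apr/2024:10:14:50 +0000] "GET /lucee/admin/server.cfm HTTP/1.1" 200 5120',
    '198.51.100.9 - - [02/Apr/2024:10:14:55 +0000] "GET /index.cfm HTTP/1.1" 200 2048',
] + [
    f'203.0.113.7 - - [02/Apr/2024:10:15:{s:02d} +0000] "POST /lucee/admin/server.cfm HTTP/1.1" 200 5120'
    for s in range(1, 31, 5)
]

if __name__ == "__main__":
    for kind, ip in detect(SAMPLE_LOG):
        print(f"{kind}: {ip}")
```

The allowlist rule is the one that matters most: an admin login page that only the internal range can reach removes the default-password and no-lockout problems from the internet-facing surface entirely, and the burst rule then covers the case where that restriction has been misconfigured.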

3/27/24 - Tweet - James Moberg
After reviewing a couple free ones, I found @LogViewPlus ($45) and it immediately worked with multiple #cfml log files (coldfusion-error & application) and enabled filtering & searching.
https://logviewplus.com I like this so far!
https://twitter.com/gamesover/status/1773049665698636153

3/27/24 - Blog - Nolan Erck - Speaking at CF Summit East 2024
The kind folks at Adobe have invited me back to speak at CF Summit East 2024 in Washington DC. Sometimes called the “Government Summit”, this is the east coast ColdFusion conference, making it an easier option for the east coast CFML developers that can’t always make it to Vegas -- with content unique to this DC event.
https://southofshasta.com/blog/speaking-at-cf-summit-east-2024/

Ben Nadel Corner

3/6/24 - Blog - Fisher-Yates Shuffle Algorithm
Often times, when I have to randomly shuffle an array in ColdFusion, I'll use Java's Collections.shuffle() method. But, this requires access to the Java objects on the server, which not all servers allow. As such, we might need to reproduce the shuffle() functionality in our CFML code.
https://www.bennadel.com/blog/4606-ask-ben-fisher-yates-shuffle-algorithm-in-coldfusion.htm
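As an added example (Python rather than Ben's ColdFusion, and not code from his post), here is the modern Fisher-Yates loop next to the "swap with any index" variant people often write instead, plus an exhaustive replay of every possible random draw that shows why only the first is uniform. The practitioner caveat: pick the random source to match the stakes; a shuffle that decides anything security-relevant should draw from secrets.randbelow, not a seeded PRNG.

```python
import random
import secrets
from collections import Counter


def fisher_yates(items, randbelow=secrets.randbelow):
    """Shuffle a list in place (modern Fisher-Yates / Durstenfeld).

    randbelow(n) must return a uniform integer in [0, n). The default uses the OS CSPRNG,
    which matters whenever the ordering must be unpredictable.
    """
    for i in range(len(items) - 1, 0, -1):
        j = randbelow(i + 1)                  # uniform over 0..i inclusive: the key detail
        items[i], items[j] = items[j], items[i]
    return items


def naive_shuffle(items, randbelow=secrets.randbelow):
    """The common mistake: swap each position with an index drawn over the whole list."""
    n = len(items)
    for i in range(n):
        j = randbelow(n)
        items[i], items[j] = items[j], items[i]
    return items


def seeded_shuffle(items, seed):
    """Reproducible shuffle for tests and fixtures; never use this where unpredictability matters."""
    return fisher_yates(items, random.Random(seed).randrange)


def permutation_counts(shuffle, n):
    """Replay every possible sequence of random draws through `shuffle` and count which
    permutation each sequence produces. Exact, not statistical."""
    counts = Counter()

    def explore(prefix):
        draws = list(prefix)
        missing = []

        def scripted(bound):
            if draws:
                return draws.pop(0)
            missing.append(bound)   # record the first draw we have no script for
            return 0                # placeholder; the result is discarded when branching

        result = shuffle(list(range(n)), scripted)
        if missing:
            for v in range(missing[0]):
                explore(prefix + (v,))
        else:
            counts[tuple(result)] += 1

    explore(())
    return counts


if __name__ == "__main__":
    print("Fisher-Yates, n=3:", dict(permutation_counts(fisher_yates, 3)))   # 6 draw paths, one per permutation
    print("naive swap,   n=3:", dict(permutation_counts(naive_shuffle, 3)))  # 27 draw paths over 6 permutations: uneven
    print(seeded_shuffle(list(range(10)), 1))
```

The replay makes the bias visible without statistics: with three elements the naive loop has 27 equally likely draw sequences landing on 6 permutations, and 27 is not divisible by 6, so some orderings must come up more often than others no matter how good the random source is.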

3/8/24 - Blog - ColdFusion 2021 MySQL Query No Longer Returning Dates As Dates

  • ColdFusion 2021 MySQL queries no longer return date/time values as actual date/time types, but as strings.
  • In Ben's case the string dates silently broke CFCookie expiration handling, so stale cookies piled up until the request headers exceeded IIS's 16Kb limit and requests were rejected.
  • Workaround: Converting the string date back to a real date type before using it fixes the issue, especially for cookie expiration settings.

Yesterday, I went to my site and was greeted with a Bad Request - Request Too Long error. IIS was rejecting my request because my HTTP request headers exceeded 16Kb in size. When I looked at my cookies, I had dozens upon dozens of cookies that should not have been there. And, when inspecting the cookies, they all had expiration dates in 2092. After a few hours of digging, I discovered that my MySQL database queries were no longer returning date/time values as date/time values. Instead, the ColdFusion query object was presenting them as strings; which was breaking my CFCookie settings in a very subtle way.
https://www.bennadel.com/blog/4608-coldfusion-2021-mysql-query-no-longer-returning-dates-as-dates.htm

3/9/24 - Blog - DateGetTime() To Get UTC Milliseconds From Date In ColdFusion
As of recent updates to Adobe ColdFusion 2021 / 2023, MySQL queries are no longer reporting dates as timestamps. For native ColdFusion logic, this isn't much of a problem. However, in my ColdFusion applications, I'm often preparing data for consumption in JavaScript. And, in those cases, I serialize ColdFusion timestamps as UTC milliseconds using the .getTime() method on the underlying java.util.Date instance. But, now that the MySQL dates are coming back as strings, this .getTime() method isn't available. As such, I wanted to create a more ColdFusion-native way to access this Epoch notation.
https://www.bennadel.com/blog/4609-dategettime-to-get-utc-milliseconds-from-date-in-coldfusion.htm

3/11/24 - Blog - Using Alpine.js To AJAX'ify HTML Fragments Served From ColdFusion
Over on Chris Ferdinandi's blog, I've been reading about how he "AJAX'ifies" his form submissions by wrapping his <form> elements in a custom HTML web component: <ajax-form>. He's a huge fan of web components because they are "the web platform"; but, I don't see why I can't do the same thing using an Alpine.js directive. As such, I wanted to start exploring some AJAX'ification of my own by swapping out ColdFusion generated content within a given branch of the Document Object Model (DOM).
https://www.bennadel.com/blog/4610-using-alpine-js-to-ajaxify-html-fragments-served-from-coldfusion.htm

  • Ben Nadel explores AJAX'ification using Alpine.js to swap ColdFusion content within the DOM.
  • Inspired by Chris Ferdinandi's <ajax-form> approach but utilizes Alpine.js for similar functionality.
  • Utilizes an Alpine.js directive (x-ajax-fragment) to manage AJAX content swapping.
  • Demonstrates with a ColdFusion application serving a collection of quotes.
  • Alpine.js directive intercepts link clicks within a specified DOM area, fetches new content without page reload, and swaps HTML fragments.
  • Full-page reload fallback if JavaScript fails or encounters a critical bug.
  • Uses history API for seamless navigation and back-button functionality.
  • Includes caching mechanism for efficient content loading.
  • Complete code provided for the alpine.ajax-fragment.js file, illustrating the AJAX process and DOM manipulation.

3/17/24 - Blog - Adding One-Click Unsubscribe SMTP Headers To My Comment Emails In ColdFusion
Last year, Google announced that it would start enforcing easy unsubscribe functionality for people sending bulk emails. On my blog, I don't send bulk emails; however, each blog post represents a subscription opportunity for my readers. As such, I thought it would be a fun learning opportunity to add the required one-click unsubscribe SMTP headers to my outbound ColdFusion emails.
https://www.bennadel.com/blog/4614-adding-one-click-unsubscribe-smtp-headers-to-my-comment-emails-in-coldfusion.htm

  • Google mandates easy unsubscribe for bulk emails.
  • Ben Nadel adds one-click unsubscribe to his ColdFusion blog emails as an experiment.
  • One-click unsubscribe is implemented using HTTP POST, requiring two SMTP headers.
  • Outbound emails include these headers using ColdFusion's CFMailParam tags.
  • A ColdFusion page manages subscription status, accessible via both HTTP GET and POST.
  • Security is handled through HMAC-signed URLs to prevent tampering.
  • Each subscriber receives a unique unsubscribe link with a cryptographic signature.
  • Efforts to ensure the unsubscribe feature displays correctly in Gmail are noted.
The project is a learning opportunity and enhances subscription management.
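The signed-link and two-header mechanism in the bullets above, as an added example in Python (not Ben's ColdFusion code; the endpoint URL, the id and sig parameter names, the purpose prefix in the signed message and the key source are assumptions). The header names and the fixed POST body come from RFC 8058, which is the one-click standard Gmail enforces.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Server-side key; in a real deployment load it from configuration, never from the code (assumed).
UNSUBSCRIBE_KEY = secrets.token_bytes(32)
ENDPOINT = "https://example.com/unsubscribe.cfm"   # assumed endpoint


def _signature(subscriber_id: str, key: bytes) -> str:
    # Prefix the message with its purpose so a MAC minted for another feature cannot be replayed here.
    return hmac.new(key, b"unsubscribe:" + subscriber_id.encode("utf-8"), hashlib.sha256).hexdigest()


def build_unsubscribe_url(subscriber_id: str, key: bytes = UNSUBSCRIBE_KEY) -> str:
    """Per-subscriber link whose signature covers the id, so it cannot be edited to target someone else."""
    return ENDPOINT + "?" + urlencode({"id": subscriber_id, "sig": _signature(subscriber_id, key)})


def verify_unsubscribe_url(url: str, key: bytes = UNSUBSCRIBE_KEY):
    """Return the subscriber id when the signature is valid, otherwise None (constant-time compare)."""
    qs = parse_qs(urlsplit(url).query)
    sid, sig = qs.get("id", [None])[0], qs.get("sig", [None])[0]
    if not sid or not sig:
        return None
    if not hmac.compare_digest(sig.encode("utf-8"), _signature(sid, key).encode("utf-8")):
        return None
    return sid


def unsubscribe_headers(subscriber_id: str, key: bytes = UNSUBSCRIBE_KEY) -> dict:
    """The two headers RFC 8058 one-click unsubscribe requires; emit each with cfmailparam."""
    return {
        "List-Unsubscribe": f"<{build_unsubscribe_url(subscriber_id, key)}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


def handle_request(method: str, url: str, body: str, key: bytes = UNSUBSCRIBE_KEY):
    """Endpoint logic: the mail provider POSTs the fixed body and expects an immediate unsubscribe;
    a person following the link arrives with GET and gets a confirmation page instead."""
    sid = verify_unsubscribe_url(url, key)
    if sid is None:
        return 400, "bad or missing signature"
    if method == "POST":
        if parse_qs(body).get("List-Unsubscribe", [None])[0] != "One-Click":
            return 400, "not a one-click request"
        return 200, f"unsubscribed {sid}"        # flip the subscription flag here
    return 200, f"confirm unsubscribe for {sid}"


if __name__ == "__main__":
    hdrs = unsubscribe_headers("42")
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    link = hdrs["List-Unsubscribe"].strip("<>")
    print(handle_request("POST", link, "List-Unsubscribe=One-Click"))
    print(handle_request("POST", link.replace("id=42", "id=43"), "List-Unsubscribe=One-Click"))
```

Two design points worth keeping: the signature is checked with hmac.compare_digest rather than ==, and the link carries no expiry, because the mail provider may send its POST weeks after the message was delivered.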



3/24/24 - Blog - Code Kata: Parsing Time Spans In ColdFusion
In ColdFusion, the createTimeSpan() function is used to define a duration. This is often used to help define properties like the application and session idle timeouts. In ColdFusion, a time span is expressed as a number of "fractional days". So, for example, a time span of one day would be expressed as 1; and, a time span of 12 hours (half a day) would be expressed as 0.5. As a fun Sunday morning code kata, I wanted to create a user defined function (UDF) that parses a time span back into its original inputs.
https://www.bennadel.com/blog/4621-code-kata-parsing-time-spans-in-coldfusion.htm

3/28/24 - Blog - Using CFModule To Render Templates With Isolation In ColdFusion
ColdFusion custom tags are often discussed in terms of creating reusable chunks of code. For example, I make heavy use of custom tags in my HTML Email DSL. But, custom tags can serve a much more mundane purpose: they can be used to render a single-use template with strong isolation boundaries. Meaning, they can be used to give each template its own, unique variables scope and page context.
https://www.bennadel.com/blog/4624-using-cfmodule-to-render-templates-with-isolation-in-coldfusion.htm

  • ColdFusion custom tags can render templates with strong isolation, giving each its own variables scope and page context.
  • Templates normally share the variables scope of the calling context, which can lead to variable collisions.
  • Rendering a template with CFInclude lets the template's variables overwrite those of the parent page.
  • CFModule avoids the collisions by giving each template its own variables scope and page context.
  • The switch from CFInclude to CFModule changes how a template is executed, enforcing isolation and requiring explicit cross-template communication (attributes in, caller scope out).

3/30/24 - Blog - On Ending Path Variables With A Slash (Or Not) In ColdFusion
After many years of programming, I have a lot of strong opinions about how I like to organize my code. But, one aspect of application architecture that I'm constantly flip-flopping on is whether or not to include a slash (/) at the end of my path variables.
https://www.bennadel.com/blog/4625-on-ending-path-variables-with-a-slash-or-not-in-coldfusion.htm

CFML Jobs

Several positions available on https://www.getcfmljobs.com/

Listing over 122 ColdFusion positions from 75 companies across 51 locations in 5 Countries.

Full-Time - Senior ColdFusion Developer - Remote at Melbourne, FL
Apr 02
https://www.getcfmljobs.com/jobs/index.cfm/united-states/senior-cfdev-at-melbourne-fl/11636

Full-Time - Full Stack Web Developer at New Mexico
Mar 29
https://www.getcfmljobs.com/jobs/index.cfm/united-states/FullStackDeveloper-at-NewMexico/11635

Full-Time - Senior Web Developer Coldfusion at Northridge, CA
Mar 13
https://www.getcfmljobs.com/jobs/index.cfm/united-states/SeniorColdFusionDev-at-Northridge-CA/11632

3 new jobs listed in the last few weeks

Other Job Links
  • There is a jobs channel in the CFML slack team, and in the Box team slack now too

ForgeBox Module of the Week

CBStorages

The cbstorages module will provide you with a collection of smart 😉 storage services that will enhance the capabilities of the major ColdFusion (CFML) scopes:

The module registers the following storage mappings:
  • applicationStorage@cbstorages - For application based storage
  • CGIStorage@cbstorages - For cgi based storage (read-only)
  • clientStorage@cbstorages - For client based storage
  • cookieStorage@cbstorages - For cookie based storage
  • sessionStorage@cbstorages - For session based storage
  • cacheStorage@cbstorages - For CacheBox based storage simulating session/client
  • requestStorage@cbstorages - For request based storage

  • Consistent API for dealing with all persistent scopes
  • The CacheStorage allows you to leverage distributed caches like Couchbase, Redis, ehCache, etc for distributed session management. It can act as a distributed session scope.
  • The CookieStorage can do automatic encryption/decryption and sets cookie flags such as httpOnly and secure, among other options.
  • Ability to retrieve and clear all values stored in a scope
  • Ability to deal with complex and simple values by leveraging JSON serialization
  • Much More

VS Code Extension of the Week

Rainglow

  • Creator: Dayle Rees
  • 320+ syntax and UI themes
  • To install the color themes, just use the extensions tab within VS Code and search for 'Rainglow'.
  • Once installed, themes can be switched using the menu item Code -> Preferences -> Color Theme.
  • Extensions to switch Rainglow themes
  • Grant’s favorite: Crackpot
  • Eric’s favorite: Jewel

Also available on most other editors, like Sublime Text or IntelliJ IDEA.

Thank you to all of our Patreon Supporters

These individuals are personally supporting our open source initiatives to ensure that great tooling like CommandBox, ForgeBox, ColdBox, ContentBox, TestBox and all the other boxes keeps getting the continuous development it needs, and to fund the cloud infrastructure that our community relies on, like ForgeBox for package management with CommandBox.

You can support us on Patreon here https://www.patreon.com/ortussolutions

Don’t forget, we have Annual Memberships: pay for the year and save 10%. Great for businesses and individuals alike.

  • Bronze packages and up now get ForgeBox Pro and CFCasts subscriptions as a perk of their Patreon subscription.
  • All Patreon supporters have a Profile badge on the Community Website
  • All Patreon supporters have their own Private Forum access on the Community Website
  • All Patreon supporters have their own Private Channel access BoxTeam Slack

https://community.ortussolutions.com/

Top Patreons (phenomenal)
  • John Wilson - Synaptrix
  • Tomorrows Guides
  • Jordan Clark
  • Gary Knight
  • Giancarlo Gomez (Jee-ahn-car-low)
  • David Belanger  (Bell-an-jer)
  • Dan Card
  • James Moberg & Jeffry McGee - Sunstar Media 
  • Dean Maunder
  • Kevin Wright
  • Doug Cain 
  • Nolan Erck 
  • Abdul Raheen

And many more Patreons

You can see an up to date list of all sponsors on Ortus Solutions' Website
https://ortussolutions.com/about-us/sponsors

Thanks everyone!!!

★ Support this podcast on Patreon ★


Music from this podcast used under Royalty Free license from SoundDotCom and BlueTreeAudio

© 2019 Ortus Solutions