In an attempt to reduce the surface area of Lucee’s various CVE vulnerabilities, we’re gonna try to pilot Lucee Light (on 5.x; we won’t be moving to 6.x).
Lucee-light.jar which includes the lucee core and loader, java bundles, admin and docs
Cool. But what does that mean? What do each of “core”, “loader”, “java bundles” actually mean in the context of CFML execution?
What I’m looking for, I guess, is some docs that say something to effect of:
Lucee Core includes all CFML except for the following, which require the indicated extension to be installed:
<cfdocument>, <cfpdf>, <cfhtmltopdf>, all related PDF functions: PDF extension.
<cfimage> and all related image functions ([including these non obvious ones]): Image extension.
etc covering all CFML functionality
It is not clear to me from anything I have seen what LAS considers to be “core” and what it considers to be “extension” in this context. I’ve tried googling a bit, but… the link above is the best I can find :-/
Unfortunately this is a legacy app with very poor test coverage, so I can’t rely on regression tests to help me out as much as I would like here.
(this is from memory from a long time ago, so take this as a wild stab in the darl)
Core is basically the Lucee Runtime that knows all the tags and Interfaces (cache, datasource etc)
The Loader allows you to dynamically reload the core with new versions so you can update it in without restarting the process. So it knows about where to get Jars and reload.
Java bundles are the libraries that different extensions would require, so for example, mysql driver might need some specific version of JDBC vs the Postgres one
Hopefully @micstriit can clarify but I hope that makes sense.
With regards what’s in and out of the core I dont think there is such a doc?
My mention of the “core” / “loader” / “java bundles” was illustrative that that info adds no clarity to the situation given even those aren’t documented (that I could find).