Can't Download Lucee

Hello,

About every other time I try to access the Lucee downloads page, it results in a Lucee error: key [status_code] doesn't exist. It actually took me a few minutes to get to the downloads page this time. Below is a screenshot.

See this pastebin for full error struct.

Considering you don’t hash passwords and you cfdump on errors, does the
developer for the site need some help securing the site?

Hello @Lance_Lake ,

For clarification, did you understand that this error is on Lucee’s download page and not within any application of my own? This is on the site where one would go to download Lucee itself.

Yeah. I was directing the question to the site and forum owner.

@Lance_Lake Can you elaborate on your comment about passwords? I don’t see any mentions of passwords by the OP or the error message. Is there another thread about this?

As to the error-- that seems to happen sometimes when connecting to JIRA to dynamically grab the release notes from their API. The actual error is a result of this ticket:
https://luceeserver.atlassian.net/browse/LDEV-802

As for the fact that this page is a little – unpolished… we do apologize for that. This page was originally just an internal proof of concept that managed to make its way into general use. As such, it didn’t receive the typical error checking or UI finalizations it deserves. We’ll review internally what needs to happen to tidy it up a bit more.

When you select a new password, it checks to see if the password you put in
is the same. This may be done with hashing, but it still is a strange thing
to be told, “This password is already being used”. It just seems odd and
raises my security eyebrow a bit.


@Lance_Lake Where are you seeing this message? Are you referring to the Discourse forum, a local Lucee Server installation, or the actual Lucee download site?

If you’re referring to the download site (the original topic of this post), I’m quite confused since it is a public site that isn’t secured so there should be no logging in on your part.

If you’re referring to the Discourse forum, they use strong password hashing which you can read about here:

If you’re referring to the Lucee server itself, we use a strong, iterated hash as well. No plain text, or reversible encryption is used. Checking for a used password is as easy as hashing the plaintext and comparing the hashes. That’s exactly what happens when you log in! Disallowing a password change to the same password is a logical thing to do.

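The same-password check described in the reply above, as an added example that is not Lucee's or Discourse's own code: it shows a change to the current password being rejected while only a salted, iterated hash is stored. PBKDF2-HMAC-SHA256, the iteration count and all function names are assumptions chosen for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes | None = None) -> dict:
    """Return the record a server would store: salt, iteration count, digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def matches(record: dict, candidate: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(derived, record["digest"])


def change_password(record: dict, new_password: str) -> tuple[bool, dict, str]:
    """Reject a change to the current password; otherwise store a fresh salted hash."""
    if matches(record, new_password):
        # Same derivation as a login check: no plaintext is ever kept or compared.
        return False, record, "new password is the same as the current one"
    return True, hash_password(new_password), "password changed"


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")  # constructed sample
    print(change_password(stored, "correct horse battery staple")[2])
    print(change_password(stored, "a different passphrase")[2])
```

Because each record carries its own random salt, the check only works against the one account whose salt is used; two users with the same password still have different digests.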

Base issue is solved, but we also need to improve caching of the download page.


Thanks for the help everyone! I’ve marked this question as answered since the fix makes sense and you explained it all very well. It may just be me, but the download page seems much more responsive as well now. :grin: