Hi All,
Just to let you all know there is a new blog post from Igal:
http://lucee.org/blog/optimizing-your-code-scope-cascading.html
Also, if anyone has anything interesting they would like to share on the
blog, like this sort of article, then please email me directly (off list)
and we can see about getting it shared via the Lucee blog. Thanks.
Kind regards,
Andrew
about.me http://about.me/andrew_dixon - mso http://www.mso.net - Lucee
Association Member http://lucee.org
Hi,
Good article, you might consider also mentioning the setting:
this.scopeCascading = “strict”;
in your Application.cfc or in the Lucee Admin.
I wrote a blog entry about a potential security issue I call scope
injection which Railo/Lucee can easily prevent using that setting:
Pete Freitag - ColdFusion, Java & Web Blog Monday, June 15, 2015, Andrew Dixon <@Andrew_Dixon> wrote:
Hi All,
Just to let you all know there is a new blog post from Igal:
http://lucee.org/blog/optimizing-your-code-scope-cascading.html
Also, if anyone has anything interesting they would like to share on the
blog, like this sort of article, then please email me directly (off list)
and we can see about getting it shared via the Lucee blog. Thanks.Kind regards,
Andrew
about.me http://about.me/andrew_dixon - mso http://www.mso.net - Lucee
Association Member http://lucee.org–
You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee%2Bunsubscribe@googlegroups.com’);>.
To post to this group, send email to lucee@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee@googlegroups.com’);>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/CAG1WijX%3DY7bpSHe%2BeE1NJK2D2BTWo6MFv8q3QCtQzE8YqJmS7w%40mail.gmail.com
https://groups.google.com/d/msgid/lucee/CAG1WijX%3DY7bpSHe%2BeE1NJK2D2BTWo6MFv8q3QCtQzE8YqJmS7w%40mail.gmail.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.
Pete Freitag
https://foundeo.com/ http://foundeo.com/ - ColdFusion Consulting &
Products
http://hackmycf.com - CFML Server Security Scanner
Just to let you all know there is a new blog post from Igal:
http://lucee.org/blog/optimizing-your-code-scope-cascading.html
That is a great little article.
Pete’s post on scope injection great too:
Just wanted to say a quick thanks to all involved.
GBOn Tuesday, 16 June 2015 07:07:36 UTC+10, Andrew Dixon wrote:
Thanks Igal - you are correct in that Railo/Lucee are not susceptible to
the session scope example in my blog entry, it does mention that in the
entry, but points out that it could be vulnerable to a similar logic issue
in code using non built in scopes.On Monday, June 15, 2015, Igal @ Lucee.org <@Igal> wrote:
nice post, Pete!
and another good reason for Lucee not to follow ACF’s
“keys-containing-dots” methodology.I don’t believe that Lucee is susceptible to the vulnerability you
mentioned though, because the Session scope (as well as the related Request
and Application scope) is not part of the Standard Scope Cascade: [Local,
Arguments], Variables, CGI, URL, Form, CookieIgal Sapir
Lucee Core Developer
Lucee.org http://lucee.org/
On 6/15/2015 5:30 PM, Pete Freitag wrote:Hi,
Good article, you might consider also mentioning the setting:
this.scopeCascading = “strict”;
in your Application.cfc or in the Lucee Admin.
I wrote a blog entry about a potential security issue I call scope
injection which Railo/Lucee can easily prevent using that setting:
Scope Injection in CFMLOn Monday, June 15, 2015, Andrew Dixon <@Andrew_Dixon <javascript:_e(%7B%7D,‘cvml’,‘@Andrew_Dixon’);>> wrote:
Hi All,
Just to let you all know there is a new blog post from Igal:
http://lucee.org/blog/optimizing-your-code-scope-cascading.html
Also, if anyone has anything interesting they would like to share on
the blog, like this sort of article, then please email me directly (off
list) and we can see about getting it shared via the Lucee blog. Thanks.Kind regards,Andrew
about.me http://about.me/andrew_dixon - mso http://www.mso.net - Lucee
Association Member http://lucee.org
–
You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/CAG1WijX%3DY7bpSHe%2BeE1NJK2D2BTWo6MFv8q3QCtQzE8YqJmS7w%40mail.gmail.com
https://groups.google.com/d/msgid/lucee/CAG1WijX%3DY7bpSHe%2BeE1NJK2D2BTWo6MFv8q3QCtQzE8YqJmS7w%40mail.gmail.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.–
Pete Freitag
https://foundeo.com/ http://foundeo.com/ - ColdFusion Consulting &
Products
http://hackmycf.com - CFML Server Security Scanner–
You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee%2Bunsubscribe@googlegroups.com’);>.
To post to this group, send email to lucee@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee@googlegroups.com’);>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/CAADZ8V4XtRVZ42cZSF164-QgWXM05VGv4D-S2sT1wne2Tn%3DSsw%40mail.gmail.com
https://groups.google.com/d/msgid/lucee/CAADZ8V4XtRVZ42cZSF164-QgWXM05VGv4D-S2sT1wne2Tn%3DSsw%40mail.gmail.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.–
You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee%2Bunsubscribe@googlegroups.com’);>.
To post to this group, send email to lucee@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee@googlegroups.com’);>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/557F73B7.8020506%40lucee.org
https://groups.google.com/d/msgid/lucee/557F73B7.8020506%40lucee.org?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.
Pete Freitag
https://foundeo.com/ http://foundeo.com/ - ColdFusion Consulting &
Products
http://hackmycf.com - CFML Server Security Scanner
nice post, Pete!
and another good reason for Lucee not to follow ACF’s
“keys-containing-dots” methodology.
I don’t believe that Lucee is susceptible to the vulnerability you
mentioned though, because the Session scope (as well as the related
Request and Application scope) is not part of the Standard Scope
Cascade: [Local, Arguments], Variables, CGI, URL, Form, Cookie
Igal Sapir
Lucee Core Developer
Lucee.org http://lucee.org/On 6/15/2015 5:30 PM, Pete Freitag wrote:
Hi,
Good article, you might consider also mentioning the setting:
this.scopeCascading = “strict”;
in your Application.cfc or in the Lucee Admin.
I wrote a blog entry about a potential security issue I call scope
injection which Railo/Lucee can easily prevent using that setting:
Scope Injection in CFMLOn Monday, June 15, 2015, Andrew Dixon <@Andrew_Dixon mailto:Andrew_Dixon> wrote:
Hi All, Just to let you all know there is a new blog post from Igal: http://lucee.org/blog/optimizing-your-code-scope-cascading.html Also, if anyone has anything interesting they would like to share on the blog, like this sort of article, then please email me directly (off list) and we can see about getting it shared via the Lucee blog. Thanks. Kind regards, Andrew about.me <http://about.me/andrew_dixon> - mso <http://www.mso.net> - Lucee Association Member <http://lucee.org> -- You received this message because you are subscribed to the Google Groups "Lucee" group. To unsubscribe from this group and stop receiving emails from it, send an email to lucee+unsubscribe@googlegroups.com <javascript:_e(%7B%7D,'cvml','lucee%2Bunsubscribe@googlegroups.com');>. To post to this group, send email to lucee@googlegroups.com <javascript:_e(%7B%7D,'cvml','lucee@googlegroups.com');>. To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/CAG1WijX%3DY7bpSHe%2BeE1NJK2D2BTWo6MFv8q3QCtQzE8YqJmS7w%40mail.gmail.com <https://groups.google.com/d/msgid/lucee/CAG1WijX%3DY7bpSHe%2BeE1NJK2D2BTWo6MFv8q3QCtQzE8YqJmS7w%40mail.gmail.com?utm_medium=email&utm_source=footer>. For more options, visit https://groups.google.com/d/optout.–
Pete Freitag
https://foundeo.com/ http://foundeo.com/ - ColdFusion Consulting &
Products
http://hackmycf.com - CFML Server Security Scanner–
You received this message because you are subscribed to the Google
Groups “Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to lucee+unsubscribe@googlegroups.com
mailto:lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com
mailto:lucee@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/CAADZ8V4XtRVZ42cZSF164-QgWXM05VGv4D-S2sT1wne2Tn%3DSsw%40mail.gmail.com
https://groups.google.com/d/msgid/lucee/CAADZ8V4XtRVZ42cZSF164-QgWXM05VGv4D-S2sT1wne2Tn%3DSsw%40mail.gmail.com?utm_medium=email&utm_source=footer.
For more options, visit https://groups.google.com/d/optout.