New blog post - Optimizing Your Code - Scope Cascading

Hi All,

Just to let you all know there is a new blog post from Igal:

http://lucee.org/blog/optimizing-your-code-scope-cascading.html

Also, if anyone has anything interesting they would like to share on the
blog, like this sort of article, then please email me directly (off list)
and we can see about getting it shared via the Lucee blog. Thanks.

Kind regards,

Andrew
about.me http://about.me/andrew_dixon - mso http://www.mso.net - Lucee
Association Member http://lucee.org

Hi,

Good article, you might consider also mentioning the setting:

this.scopeCascading = "strict";

in your Application.cfc or in the Lucee Admin.

I wrote a blog entry about a potential security issue I call scope
injection which Railo/Lucee can easily prevent using that setting:
http://www.petefreitag.com/item/834.cfm

You received this message because you are subscribed to the Google Groups
"Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/CAG1WijX%3DY7bpSHe%2BeE1NJK2D2BTWo6MFv8q3QCtQzE8YqJmS7w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner

Just to let you all know there is a new blog post from Igal:
http://lucee.org/blog/optimizing-your-code-scope-cascading.html

That is a great little article.

Pete's post on scope injection is great too:
http://www.petefreitag.com/item/834.cfm

Just wanted to say a quick thanks to all involved.

GB

On Tuesday, 16 June 2015 07:07:36 UTC+10, Andrew Dixon wrote:

Thanks Igal - you are correct in that Railo/Lucee are not susceptible to
the session scope example in my blog entry; it does mention that in the
entry, but points out that it could be vulnerable to a similar logic issue
in code using non-built-in scopes.

On Monday, June 15, 2015, Igal @ Lucee.org <@Igal> wrote:

nice post, Pete!

and another good reason for Lucee not to follow ACF’s
“keys-containing-dots” methodology.

I don’t believe that Lucee is susceptible to the vulnerability you
mentioned though, because the Session scope (as well as the related Request
and Application scope) is not part of the Standard Scope Cascade: [Local,
Arguments], Variables, CGI, URL, Form, Cookie

Igal Sapir
Lucee Core Developer
Lucee.org http://lucee.org/
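
The following is an added example, not code from this thread, from Pete's blog post or from the Lucee project. It puts the setting Pete mentions next to the lookup order Igal lists, so the failure mode each message describes is visible in code: an unscoped read that falls through the standard cascade (Local, Arguments, Variables, CGI, URL, Form, Cookie) versus an explicitly scoped read. The application name, file names and the function names isAdminUnsafe and isAdminSafe are all made up for the illustration.

```cfml
// --- Application.cfc (constructed example; the application name is made up) ---
component {

    this.name              = "scopeCascadingDemo";
    this.sessionManagement = true;

    // Restrict unscoped variable lookups to Local, Arguments and Variables.
    // With the default "standard" setting, an unscoped name that is not
    // found in those scopes is also searched in CGI, URL, Form and Cookie,
    // in that order.
    this.scopeCascading = "strict";

}

<!--- checkAccess.cfm (constructed example; the function names are made up) --->
<cfscript>
// Copy the authenticated flag into the Variables scope. Imagine a second
// code path (or a typo in the key) that skips this assignment: for the
// rest of the request, variables.isAdmin is simply undefined.
if ( structKeyExists( session, "isAdmin" ) ) {
    variables.isAdmin = session.isAdmin;
}

// Vulnerable pattern: an unscoped read is resolved through the cascade.
// Under "standard", a missing variables.isAdmin means the lookup continues
// into CGI, URL, Form and Cookie, so a value that arrived with the request
// decides the branch (the scope injection the thread discusses).
// Under "strict", the same read raises an error that the variable does not
// exist, which a test run or the error log surfaces instead of the code
// silently trusting request data.
function isAdminUnsafe() {
    return isAdmin;
}

// Hardened pattern: name the scope you mean and default the flag
// explicitly. Session is never part of the cascade (as Igal notes), so this
// read cannot be satisfied by URL, Form or Cookie data under either setting.
function isAdminSafe() {
    if ( !structKeyExists( session, "isAdmin" ) ) {
        return false;
    }
    return session.isAdmin == true;
}

if ( isAdminSafe() ) {
    writeOutput( "admin view" );
} else {
    writeOutput( "regular view" );
}
</cfscript>
```

Setting `this.scopeCascading` in Application.cfc applies to the whole application, so turning on "strict" in an existing code base tends to surface errors in pages that relied on the fallthrough (for example, reading a URL or form field without the `url.` or `form.` prefix). Those errors point at exactly the reads that need an explicit scope; fixing them is the work, and the explicitly scoped version is correct under both settings.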
