<?xml version="1.0" encoding="UTF-8"?><rss version="2.0">
    <channel>
        <description>ContentBox RSS Feed</description>
        <link>https://www.codersrevolution.com</link>
        <title>Blog RSS Feed by ContentBox</title>
        <copyright>Ortus Solutions, Corp (www.ortussolutions.com)</copyright>
        <docs>http://www.rssboard.org/rss-specification</docs>
        <generator>FeedGenerator</generator>
        <lastBuildDate>Tue, 28 Apr 2026 04:39:08 GMT</lastBuildDate>
        <pubDate>Tue, 28 Apr 2026 04:39:08 GMT</pubDate>
        <item>
            <title>Using a ForgeBox Playground with CommandBox</title>
            <description>Here's a quick post on a somewhat-undocumented feature of CommandBox. I say "somewhat" because if you type "config set" and hit tab from the interactive shell, we'll auto-suggest this setting, so it's not impossible to find but I've not put it in the official docs.&#13;
&#13;
So, here's the setup. You can pretty much do anything you want with the ForgeBox website entirely through the CLI. That includes creating accounts, logging in, publishing packages, updating packages, listing packages, and searching packages. This is made possible by our nice (ColdBox-powered) REST API that's part of the ForgeBox site that the CLI interfaces with.&#13;
&#13;
Sometimes you may wish to play around and try out the commands to create users and packages, but you hate to create a lot of dummy data that clogs up the database or shows on your profile. The fix is to point your local CommandBox CLI over to our staging instance of ForgeBox. This is as simple as setting a single config setting from the command line and the change takes instant effect for all your ForgeBox interactions. Just remember, this setting is remembered until you change it back so don't forget. &#13;
</description>
            <link>https://www.codersrevolution.com/blog/using-a-forgebox-playground</link>
            <pubDate>Thu, 02 Feb 2017 20:09:00 GMT</pubDate>
            <author>brad@ortussolutions.com (Brad Wood)</author>
            <category>CommandBox</category>
            <category>General</category>
            <guid isPermaLink="false">https://www.codersrevolution.com/blog/using-a-forgebox-playground</guid>
        </item>
        <item>
            <title>Who's Had More Vulns Redux- PHP, Java, ColdFusion, ROR, or .NET?</title>
            <description>Adobe released some new security updates for ColdFusion 10 and 11 yesterday. This brought with it the usual flurry of twitter activity from security-minded accounts who pounce on the opportunity to retweet every vuln report on the internet. It's too bad no one takes this much effort to focus on positive news from other languages. Among the landslide of tweets were also a few people poking at ColdFusion such as this person who went as far as to say businesses should scrap all use of Adobe products in general due to the number of vulnerabilities.&#13;
</description>
            <link>https://www.codersrevolution.com/blog/whos-had-more-vulns-redux-php-java-coldfusion-ror-or-net</link>
            <pubDate>Wed, 31 Aug 2016 15:33:00 GMT</pubDate>
            <author>brad@ortussolutions.com (Brad Wood)</author>
            <category>ColdFusion</category>
            <category>General</category>
            <category>Security</category>
            <category>Technology</category>
            <guid isPermaLink="false">https://www.codersrevolution.com/blog/whos-had-more-vulns-redux-php-java-coldfusion-ror-or-net</guid>
        </item>
        <item>
            <title>State of the CF Union 2016 Survey results are in</title>
            <description>Michael Smith has released the full results of this year's State of the CF Union survey over on the TeraTech blog. I enjoy seeing this data every year as a framework author since it helps us know what engines and types of OS to target with our products. This year, there's a full write up and a little commentary on each graph. Note the write up is spread across two blog entries:&#13;
&#13;
http://www.teratech.com/blog/index.cfm/2016/2/19/State-of-the-CF-Union-Survey-2016--Results&#13;
&#13;
http://www.teratech.com/blog/index.cfm/2016/2/19/State-of-the-CF-Union-Survey-2016--Results-Part-II&#13;
&#13;
Notable bits of data were:&#13;
&#13;
&#13;
	CF9 is finally falling behind CF10 and CF11. This is good since we'll be dropping support for CF9 in ColdBox soon&#13;
	Lucee has left Railo usage in the dust, and a solid amount of people are already using Lucee 5&#13;
	Still a lot of people out there using no framework at all or FuseBox! Of course, I assume this isn't new dev, but rather the same old legacy apps that have been around for years&#13;
	A lot of people not using a DI framework. Kind of curious if they're not using CFCs at all.&#13;
	Really surprised how many people still use Notepad++ for dev. &#13;
	The "How many years have you used CFML" graph is very depressing. Very little new blood coming into CFML.&#13;
	Love how many people are using CommandBox. I'm so pleased to see it being useful for the CF world&#13;
	A decent chunk of Amazon EC2 users, but it's clear most CF shops aren't doing cloud deploys. Not sure if Adobe doesn't focus on cloud because their users don't care, or if it's the other way around.&#13;
	Surprised to see how many home-grown REST frameworks there are. I can't imagine a world in which you wouldn't waste more time doing that from scratch than to drop in something quick and easy like ColdBox 4's REST routing. There's so much out of the box to be gained.&#13;
	There's a decent chunk of CF devs in very large companies, but the majority are in small businesses with 1-20 total employees. That's interesting since it's not where I would have pegged most CF devs to be.&#13;
	The comments are very interesting too. Lots of love for Lucee and lots of frustration for Adobe. &#13;
&#13;
&#13;
OK, well there's my thoughts. Head over and check out the data yourself.&#13;
</description>
            <link>https://www.codersrevolution.com/blog/state-of-the-cf-union-2016-survey-results-are-in</link>
            <pubDate>Wed, 24 Feb 2016 09:50:00 GMT</pubDate>
            <author>brad@ortussolutions.com (Brad Wood)</author>
            <category>ColdFusion</category>
            <category>General</category>
            <category>Lucee</category>
            <guid isPermaLink="false">https://www.codersrevolution.com/blog/state-of-the-cf-union-2016-survey-results-are-in</guid>
        </item>
        <item>
            <title>It's Time You Looked At ColdBox 4</title>
            <description>Yes, that's right. Wherever you are and whatever you're doing, it's time you had a look at what's happening over in ColdBox 4. I'm just giddy about our newest release of the most-advanced CFML MVC platform. If you want to read all the details of what makes ColdBox 4 absolutely slap-yo-momma amazing, you can read the press release over on the engineering blog or the What's New guide.&#13;
&#13;
Even if you are using an older version of ColdBox, we're re-imagining the way CF apps are built and I think you want to be onboard. This is my personal blog though, so here you'll find my candid, personal, and extremely biased opinions on why you're doing yourself a disservice if attempting to build meaningful ColdFusion applications in 2015 without ColdBox 4.0. Fair warning, I'm about to tell you how I really feel :)&#13;
</description>
            <link>https://www.codersrevolution.com/blog/its-time-you-looked-at-coldbox-4</link>
            <pubDate>Sat, 24 Jan 2015 03:10:00 GMT</pubDate>
            <author>brad@ortussolutions.com (Brad Wood)</author>
            <category>ColdBox</category>
            <category>General</category>
            <category>Technology</category>
            <guid isPermaLink="false">https://www.codersrevolution.com/blog/its-time-you-looked-at-coldbox-4</guid>
        </item>
        <item>
            <title>CFML, Good Discussions, And Misinformation</title>
            <description>So this blog is a bit of a spill over from a Twitter conversation I had today with Stefan Mischook, a PHP programmer and maker of all sorts of training videos at www.studioweb.com and www.killersites.com. A few years ago, Stefan uploaded a video blog to YouTube titled "Should you learn Coldfusion?" (sic) where he presented a not-so-glowing review of ColdFusion through the lens of circa 2003. I've seen the video before come up in YouTube searches. Part of that is a testament to the pathetically small amount of actual CFML content on YouTube. While I've recorded a number of screencasts and webinars that are posted online, they're all on Vimeo or Adobe Connect so alas I'm not contributing to that specific site.&#13;
&#13;
&#13;
	www.youtube.com/watch?v=dLJpz&#13;
&#13;
</description>
            <link>https://www.codersrevolution.com/blog/cfml-good-discussions-and-misinformation</link>
            <pubDate>Thu, 15 Jan 2015 00:33:00 GMT</pubDate>
            <author>brad@ortussolutions.com (Brad Wood)</author>
            <category>ColdBox</category>
            <category>ColdFusion</category>
            <category>CommandBox</category>
            <category>General</category>
            <category>Java</category>
            <category>Object Oriented Design (OOP)</category>
            <category>Railo</category>
            <category>Technology</category>
            <guid isPermaLink="false">https://www.codersrevolution.com/blog/cfml-good-discussions-and-misinformation</guid>
        </item>
        <item>
            <title>ColdBox Preso for NOVA CF UG Slides and Recording</title>
            <description>I'd like to thank Dan Fredericks and the NOVA CF UG for asking me to come and present for them last night. I was given the floor to present whatever I wanted to regarding ColdBox as part of their History of CF Frameworks series. I had a great time and was happy to be able to talk about some of the exciting things coming up in ColdBox's future as well as some demonstrations of CommandBox, the new CLI, REPL, and package manager for CFML developers.&#13;
&#13;
Here is the Connect recording of the session:&#13;
&#13;
http://experts.adobeconnect.com/p9tt6w78ldy/&#13;
&#13;
And here is a PDF version of my slide deck: (1.3 MB)&#13;
&#13;
ColdBox Platform - Brad Wood.pdf&#13;
</description>
            <link>https://www.codersrevolution.com/blog/coldbox-preso-for-nova-cf-ug-slides-and-recording</link>
            <pubDate>Thu, 17 Jul 2014 20:53:00 GMT</pubDate>
            <author>brad@ortussolutions.com (Brad Wood)</author>
            <category>ColdBox</category>
            <category>General</category>
            <guid isPermaLink="false">https://www.codersrevolution.com/blog/coldbox-preso-for-nova-cf-ug-slides-and-recording</guid>
        </item>
        <item>
            <title>Adobe Product Security Incident Response Team (PSIRT) On ColdFusion And HeartBleed</title>
            <description>The world is abuzz with the OpenSSL "heartbleed" bug and the ColdFusion community has also been going 'round about it too. Firstly, a server (like Apache, Nginx, Tomcat, etc) can be exploited by a client on a hacker's machine requesting an SSL connection. In addition, a client (CURL, wget, CFHTTP, etc) can be exploited if connecting to a malicious SSL endpoint. So basically, the bug has the ability to flow both ways.&#13;
&#13;
For most CF sites, they are using IIS, Apache, or Nginx to serve content so ColdFusion has no bearing on the vulnerability from that end. Any CFML application, however, can connect to a malicious SSL endpoint. Of course, it only matters if the OpenSSL library is specifically being used. Any other SSL implementation is safe.&#13;
&#13;
To date, neither Adobe nor Railo has made public announcements via security bulletins or their official blog.&#13;
&#13;
UPDATE April 17: Railo responds here.&#13;
&#13;
UPDATE April 18: Adobe responds here: &#13;
&#13;
There have been a handful of less "official" conversations in mailing lists and Twitter. As best I can tell, neither Adobe ColdFusion nor Railo use OpenSSL and therefore are safe. Of course, any other parts of your web stack (even bundled libraries) might use OpenSSL. Gert from Railo has promised a blog entry "soon" to address the issue regarding Railo. There has been some complaining about the lack of official word from Adobe, and my understanding is that the ColdFusion team's hands are tied by the Adobe PSIRT who are the only ones allowed to comment publicly on security matters.&#13;
&#13;
The general consensus is they could certainly say something, even if it was simply, "Hey, we're looking into it and will get back to you soon". That as it is, I E-mailed Adobe's PSIRT myself and got a reply that seems as close to an official reply as they are willing to provide at this point though I'm unclear why they're talking about it one-on-one but refraining from public statements. For the sake of those who haven't E-mailed PSIRT, I will post their reply here for the benefit of the community until something official comes out. Also, for funsies, I'll post my original E-mail plus my followup. If I hear back again, I'll update this post.&#13;
&#13;
&#13;
From: Brad Wood&#13;
To: PSIRT@adobe.com&#13;
Date: Wed, Apr 16, 2014 at 5:45 AM&#13;
Subject: Adobe ColdFusion and Heartbleed&#13;
&#13;
&#13;
Dear Adobe PSIRT team,&#13;
&#13;
&#13;
&#13;
I would like to encourage you to please make a public announcement regarding Adobe ColdFusion and if it is vulnerable to the latest OpenSSL "heartbleed" bug. This is a very significant bug that has people around the world scrambling to patch their software. Even if Adobe ColdFusion is not susceptible to the recent "heartbleed" bug I would strongly suggest making an announcement on your blog to state that or authorize the ColdFusion team to do so on their blog.&#13;
&#13;
&#13;
&#13;
Many people in the CF community have noticed the silence on this issue and an official announcement really needs to be made in order for your customers to feel safe and to verify with their employers that they have all the patches they need. Communication is very important and I hate to see the Adobe ColdFusion team getting beat up for not addressing this issue publicly on their blog. Please authorize them to make some kind of statement on this.&#13;
&#13;
&#13;
&#13;
Thanks!&#13;
&#13;
&#13;
&#13;
&#13;
&#13;
~Brad&#13;
&#13;
&#13;
&#13;
&#13;
&#13;
From: PSIRT@adobe.com&#13;
To: Brad Wood&#13;
Date: Wed, Apr 16, 2014 at 1:39 PM&#13;
Subject: RE: Adobe ColdFusion and Heartbleed&#13;
&#13;
&#13;
Hello Brad,&#13;
&#13;
&#13;
&#13;
Thank you for contacting us. We appreciate your feedback. Please note that ColdFusion does not use OpenSSL. However, customers who are using an external web server with their ColdFusion deployment (ex. Apache) should test for CVE-2014-0160. If affected, customers should follow the recommendations provided in the OpenSSL security advisory, available at https://www.openssl.org/news/secadv_20140407.txt. Adobe also recommends consulting the ColdFusion lockdown guides for security best practices:&#13;
&#13;
https://www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/cf10-lockdown-guide.pdf&#13;
&#13;
http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf&#13;
&#13;
&#13;
&#13;
We hope this information is helpful. Please let us know if you have additional questions.&#13;
&#13;
&#13;
&#13;
Thank you,&#13;
&#13;
Adobe Product Security Incident Response Team&#13;
&#13;
&#13;
&#13;
From: Brad Wood&#13;
To: PSIRT@adobe.com&#13;
Date: Wed, Apr 16, 2014 at 3:13 PM&#13;
Subject: Adobe ColdFusion and Heartbleed&#13;
&#13;
&#13;
Dear PSIRT Team,&#13;
&#13;
&#13;
Thanks for the reply. I appreciate the links and concern. Let me be very clear though-- I am not asking about this for the sake of my servers, I am letting you know that Adobe needs to make a public official statement on the matter for the entire community to see. Even if your blog entry said nothing more than what you put in your E-mail reply that would be great-- but the community has noticed the lack of public response by Adobe to this matter and it's reflecting quite poorly on your PR.&#13;
&#13;
&#13;
&#13;
If the PSIRT team doesn't have time to make a quick announcement, please authorize the ColdFusion team to put out a blogpost. This would do a lot for the community as silence breeds distrust and most every other major technology stack have already addressed their platform publicly-- even if just to say they are not vulnerable.&#13;
&#13;
&#13;
&#13;
Thanks!&#13;
&#13;
&#13;
&#13;
~Brad&#13;
&#13;
&#13;
&#13;
&#13;
&#13;
UPDATE April 18:&#13;
&#13;
&#13;
From: Brad Wood&#13;
To: PSIRT@adobe.com&#13;
Date: Thu, Apr 17, 2014 at 9:50 PM&#13;
Subject: Adobe ColdFusion and Heartbleed&#13;
&#13;
&#13;
Dear PSIRT team,&#13;
&#13;
&#13;
&#13;
Can you please respond to the comments on my blog made by a community member named "Aaron". He has listed several binaries that ship with ColdFusion that supposedly use OpenSSL. His comments can be found here:&#13;
&#13;
&#13;
&#13;
http://www.codersrevolution.com/blog/adobe-product-security-incident-response-team-on-coldfusion-and-heartbleed#comment_798&#13;
&#13;
&#13;
&#13;
Also, if you haven't seen it-- here is the official response from the Railo team (a competitor of Adobe CF) which categorically addresses the uses of SSL inside Railo server.&#13;
&#13;
&#13;
&#13;
http://blog.getrailo.com/post.cfm/railo-server-and-the-heartbleed-vulnerability&#13;
&#13;
&#13;
&#13;
&#13;
Thanks!&#13;
&#13;
&#13;
&#13;
~Brad&#13;
&#13;
&#13;
&#13;
&#13;
From: PSIRT@adobe.com&#13;
To: Brad Wood&#13;
Date: Fri, Apr 18, 2014 at 2:58 PM&#13;
Subject: Adobe ColdFusion and Heartbleed&#13;
&#13;
&#13;
Hi Brad,&#13;
&#13;
Thanks to you and Aaron for bringing this to our attention. With your input, we started a deeper investigation of ColdFusion components. We have also clarified our blog post regarding OpenSSL in ColdFusion (http://blogs.adobe.com/psirt/?p=1085). Should additional information arise from our investigation we'll provide an update to our blog.&#13;
&#13;
&#13;
&#13;
Thank you again for your help,&#13;
&#13;
Adobe Product Security Incident Response Team&#13;
&#13;
</description>
            <link>https://www.codersrevolution.com/blog/adobe-product-security-incident-response-team-on-coldfusion-and-heartbleed</link>
            <pubDate>Thu, 17 Apr 2014 06:06:00 GMT</pubDate>
            <author>brad@ortussolutions.com (Brad Wood)</author>
            <category>ColdFusion</category>
            <category>General</category>
            <category>Networking</category>
            <category>Railo</category>
            <category>Security</category>
            <guid isPermaLink="false">https://www.codersrevolution.com/blog/adobe-product-security-incident-response-team-on-coldfusion-and-heartbleed</guid>
        </item>
        <item>
            <title>Will A Piece Of Paper, Folded 42 Times, Reach The Moon?</title>
            <description>So I was at a friend's house Sunday night playing a game when this odd fact came up in conversation:&#13;
&#13;
If you were to fold a piece of paper in half 42 times, it would reach the moon.&#13;
&#13;
Several of those around the table scoffed at this, exclaiming that a single sheet of paper was simply too thin to have its thickness reach any substantial amount after only a few dozen folds. I pointed out it was entirely possible seeing as how doubling the thickness with each fold would lead to an exponential increase in thickness that would increase slowly at first before quickly getting larger. My friends were clearly imagining a linear increase in thickness.&#13;
&#13;
I also knew that it is pretty much impossible to fold a single sheet of paper more than about 8 times -- though Myth Busters once folded a giant sheet the size of a football field 10 times. The resulting thickness (after hitting it with a bulldozer) was almost a foot tall, though there was quite a bit of air mixed in with the 1,024 sheets. The formula for finding out how many of something you'll have after doubling it N number of times is as follows where O is the original number (or size in our case).&#13;
&#13;
o * 2^(n)&#13;
&#13;
A standard sheet of paper is about 0.1 mm so 42 folds would give us this:&#13;
&#13;
0.1 * 2^(42) = 439,804,651,110 mm&#13;
&#13;
That's 440 billion millimeters, or 439,804 kilometers. The moon on average is 384,400 kilometers from Earth according to Google. I'd say this checks out.&#13;
&#13;
To help visualize the data, I created a quick spreadsheet and graph that tracks the thickness of the paper for each fold.&#13;
&#13;
&#13;
	# Folds	Thickness (mm)&#13;
	0	0.10&#13;
	1	0.20&#13;
	2	0.40&#13;
	3	0.80&#13;
	4	1.60&#13;
	5	3.20&#13;
	6	6.40&#13;
	7	12.80&#13;
	8	25.60&#13;
	9	51.20&#13;
	10	102.40&#13;
	11	204.80&#13;
	12	409.60&#13;
	13	819.20&#13;
	14	1,638.40&#13;
	15	3,276.80&#13;
	16	6,553.60&#13;
	17	13,107.20&#13;
	18	26,214.40&#13;
	19	52,428.80&#13;
	20	104,857.60&#13;
	21	209,715.20&#13;
	22	419,430.40&#13;
	23	838,860.80&#13;
	24	1,677,721.6&#13;
	25	3,355,443.2&#13;
	26	6,710,886.4&#13;
	27	13,421,773&#13;
	28	26,843,546&#13;
	29	53,687,091&#13;
	30	107,374,182&#13;
	31	214,748,365&#13;
	32	429,496,730&#13;
	33	858,993,459&#13;
	34	1,717,986,918&#13;
	35	3,435,973,837&#13;
	36	6,871,947,674&#13;
	37	13,743,895,347&#13;
	38	27,487,790,694&#13;
	39	54,975,581,389&#13;
	40	109,951,162,778&#13;
	41	219,902,325,555&#13;
	42	439,804,651,110&#13;
&#13;
&#13;
And to graph that out in kilometers looks like this:&#13;
&#13;
&#13;
</description>
            <link>https://www.codersrevolution.com/blog/will-a-piece-of-paper-folded-42-times-reach-the-moon</link>
            <pubDate>Fri, 28 Mar 2014 00:35:00 GMT</pubDate>
            <author>brad@ortussolutions.com (Brad Wood)</author>
            <category>General</category>
            <category>Mathmatics</category>
            <guid isPermaLink="false">https://www.codersrevolution.com/blog/will-a-piece-of-paper-folded-42-times-reach-the-moon</guid>
        </item>
        <item>
            <title>Know Python? Help ColdFusion Get Proper Script Highlighting On GitHub</title>
            <description>It's bothered me for a while, that GitHub and Gist don't have proper syntax highlighting for full-script CFCs like this one. &#13;
&#13;
They handle tags fine, and even do script inside of a &amp;lt;cfscript&amp;gt; tag, but just leave full script components as black text all the way down the page.&#13;
&#13;
&#13;
ColdFusion has allowed all-script components since version 9 which was released 5 years ago. I always just assumed that GitHub was aware of the problem and someone somewhere was hard at work resolving it. Silly Me.&#13;
&#13;
GitHub uses this Ruby library to determine what language a file is written in:&#13;
&#13;
https://github.com/github/linguist&#13;
&#13;
Which in turn uses this Ruby wrapper to spin up the syntax highlighter:&#13;
&#13;
https://github.com/tmm1/pygments.rb&#13;
&#13;
But that library is just a proxy to this Python library that actually does the color coding:&#13;
&#13;
https://bitbucket.org/birkenfeld/pygments-main&#13;
&#13;
It looks like there's already a ticket from 2012 to add support and Ben Riordan took a whack at it last year with no luck. So I've forked the Pygments library, but know nothing of Python so I'm asking anyone who does to help me get this figured out. Since script already works inside &amp;lt;cfscript&amp;gt; tags, it sounds like all the pieces are there-- we just need to properly identify script components and use the correct highlighter for them. Comment here or shoot me an E-mail if you'd like to help!&#13;
</description>
            <link>https://www.codersrevolution.com/blog/know-python-help-coldfusion-get-proper-script-highlighting-on-github</link>
            <pubDate>Fri, 07 Feb 2014 21:39:00 GMT</pubDate>
            <author>brad@ortussolutions.com (Brad Wood)</author>
            <category>ColdFusion</category>
            <category>General</category>
            <category>GitHub</category>
            <guid isPermaLink="false">https://www.codersrevolution.com/blog/know-python-help-coldfusion-get-proper-script-highlighting-on-github</guid>
        </item>
        <item>
            <title>Who's Had More Vulns- PHP, Java, or ColdFusion?</title>
            <description>Update: There's an updated blog post with more current results here:&#13;
&#13;
http://www.codersrevolution.com/blog/whos-had-more-vulns-redux-php-java-coldfusion-ror-or-net&#13;
&#13;
&#13;
I get tired of people complaining about ColdFusion as a technology choice because it's "so insecure". I regularly am told that it has more holes, more vulnerabilities, and a worse track record than other platforms. That's why I compiled this quick chart showing the number of Common Vulnerabilities and Exposures (CVE) by year for CF as well as PHP and Java (as reported by cvedetails.com) which are two of the most-used languages on the web. I also threw in Apache Tomcat for comparison since it competes in the web space and CF10 actually runs on a version of it.&#13;
&#13;
&#13;
&#13;
&#13;
&#13;
&#13;
So to break this down, the red line riding out on top with a huge spike in 2007, that's PHP. The purple line coming out of the backfield for a solid lead (?) at the end is Java. The yellow line is Tomcat who still manages 10-15 vulns a year (and the only one to go LOWER than CF). And that green line on the bottom with the lowest number of vulns every year, and nothing even reported until 2006- that would be CF.&#13;
&#13;
So, sure-- there's a lot more info than just the counts on the chart. My point also isn't that PHP or Java are bad-- I'm just trying to make the point that oft-used technologies are targeted by crackers and nobody is perfect. And according to this data, CF is doing way better than several of the main techs out there. It should also be noted that CF, Java, and PHP were all created the same year-- 1995, so don't give me any of this "old" crap either. (Tomcat was created in 1999)&#13;
&#13;
References:&#13;
&#13;
&#13;
	http://en.wikipedia.org/wiki/Timeline_of_programming_languages&#13;
	http://en.wikipedia.org/wiki/Apache_Tomcat&#13;
	http://www.cvedetails.com/vendor/74/PHP.html&#13;
	http://www.cvedetails.com/product/8739/Adobe-Coldfusion.html?vendor_id=53&#13;
	http://www.cvedetails.com/product/1526/SUN-JRE.html?vendor_id=5&#13;
	http://www.cvedetails.com/product/887/Apache-Tomcat.html?vendor_id=45&#13;
&#13;
&#13;
&#13;
</description>
            <link>https://www.codersrevolution.com/blog/whos-had-more-vulns-php-java-or-coldfusion</link>
            <pubDate>Thu, 30 Jan 2014 06:53:00 GMT</pubDate>
            <author>brad@ortussolutions.com (Brad Wood)</author>
            <category>ColdFusion</category>
            <category>General</category>
            <category>Security</category>
            <category>Technology</category>
            <guid isPermaLink="false">https://www.codersrevolution.com/blog/whos-had-more-vulns-php-java-or-coldfusion</guid>
        </item>
    </channel>
</rss>

