Blog

ColdBox Preso for NOVA CF UG Slides and Recording

Posted by Brad Wood
Jul 17, 2014 20:53:00 UTC

I'd like to thank Dan Fredericks and the NOVA CF UG for asking me to come and present for them last night.  I was given the floor to present whatever I wanted to regarding ColdBox as part of their History of CF Frameworks series.  I had a great time and was happy to be able to talk about some of the exciting things coming up in ColdBox's future as well as some demonstrations of CommandBox, the new CLI, REPL, and package manager for CFML developers.

Here is the Connect recording of the session:

http://experts.adobeconnect.com/p9tt6w78ldy/

And here is a PDF version of my slide deck: (1.3 MB)

ColdBox Platform - Brad Wood.pdf

ColdFusion And Railo SuperClass's Switch "this" Between pseudo-Constructor and Init()

Posted by Brad Wood
Jun 19, 2014 17:53:00 UTC

I noticed an interesting behavior this week that was a little unexpected.  The repro case involves two CFCs-- one extending the other and involves where the "this" reference points to.

Constructors

ColdFusion has two types of constructors-- that is, ways to run initialization code upon the creation of the component.  The first way is called the pseudo-constructor and basically refers to ANY code inside the component that is not part of a method. That was the only way to run initialization code back when CFCs first came out in CFMX 6.  The second way is via a method called "init()".  This was a widely-used convention for years before CF9 started automatically calling it for you when you used the "new" keyword and "entityNew()" function.

Narcissism or Schizophrenia

Sometimes components want to know about themselves or even talk to themselves.  Heck, I wrote a CFC last week that just won't shut up!  That's why there is a keyword called this available inside every CFC.  This is the same as the external references held by the code that created the component instance.  The pseudo-constructor and init() method both have access to this.

The Code

Here is our super class, or base class.  

animal.cfc

component {
	
	writeOutput( 'Animal pseudo-constructor. "this" name: #getMetadata( this ).name#<br>' );
	
	function init() {
		writeOutput( 'Animal init. "this" name: #getMetadata( this ).name#<br>' );
	}	
}

Here is our sub class or concrete class that is a more specific type of animal.  

dog.cfc

component extends='animal' {
	
	writeOutput( 'Dog pseudo-constructor. "this" name: #getMetadata( this ).name#<br>' );
	
	function init() {
		super.init();
		
		writeOutput( 'Dog init. "this" name: #getMetadata( this ).name#<br>' );
		
		return this;
	}	
}

Remember the new operator will automatically call the init() constructor method.

index.cfm

<cfset new dog()>

So as you can see, each component logs the name of the component as reported by getMetadata() in both the pseudo-constructor and init() constructor.

The Behavior

Here is the output.  It is the same for Railo 4.2, CF9, CF10, and CF11.

Animal pseudo-constructor. "this" name: animal
Dog pseudo-constructor. "this" name: dog
Animal init. "this" name: dog
Dog init. "this" name: dog

The this reference in both init() methods point to the "dog" component that I'm creating.  However, the pseudo-constructor code in the base class "animal" has a this reference to "animal", not "dog". What bothers be about this is:

  • The this reference changes unexpectedly in the base class
  • There is no way for the base class to access the concrete class in its pseudo-constructor
  • I can't find any Railo or Adobe ColdFusion docs that reference this behavior to show if it's expected or not.

That second bullet point is specifically what was tripping me up because the base class can't get a reference to the actual component being created.  Sean Corfield mentioned on Twitter that a base class should not know about it's sub classes, but use polymorphic methods. However that DOESN'T WORK since the base class's pseudo-constructor has no reference to the sub class at all.   To test this, put a speak() method in the dog CFC:

function speak() {
	writeOutput( 'Woof!<br>' );	
}

Now, try to call that from the base classes pseudo-constructor.  

speak();

No matching function [SPEAK] found

Of course, this works from the init method, but my point is I think it should work in both constructors.

Another interesting note is that if you save a reference to this in the base pseudo-constructor and check it later, it will have changed to the concrete class.  This made debugging a pain since I originally started appending references to an array in the request scope and dumping them after the component creation which yielded different results than the state of the this references at the point in time when the constructors were executing.

Conclusion?

I mentioned this on Twitter and got a couple different responses. What do you think?  Should CFCs handle the this reference the same between their pseudo-constructor and regular constructor?

 

Adobe Product Security Incident Response Team (PSIRT) On ColdFusion And HeartBleed

Posted by Brad Wood
Apr 17, 2014 06:06:00 UTC

The world is abuzz with the OpenSSL "heartbleed" bug and the ColdFusion community has also been going 'round about it too.  Firstly, a server (like Apache, Nginx, Tomcat, etc) can be exploited by a client on a hackers machine requesting an SSL connection.  In addition, a client (CURL, wget, CFHTTP, etc) can be exploited if connecting to a malicious SSL endpoint.  So basically, the bug has the ability to flow both ways. 

For most CF sites, they are using IIS, Apache, or Nginx to serve content so ColdFusion has no bearing on the vulnerability from that end.  Any CFML application, however, can connect to a malicious SSL endpoint.  Of course, it only matters if the OpenSSL library is specifically being used.  Any other SSL implementation is safe.

To date, neither Adobe or Railo have yet to make public announcements via security bulletins or their official blog.

UPDATE April 17: Railo responds here.

UPDATE April 18: Adobe responds here:

There have been a handful of less "official" conversations in mailing lists and Twitter.  As best I can tell, neither Adobe ColdFusion or Railo use OpenSSL and therefore are safe.  Of course, any other parts of your web stack (even bundled libraries) might use OpenSSL.  Gert from Railo has promised a blog entry "soon" to address the issue regarding Railo.  There has been some complaining about the lack of official word from Adobe, and my understanding is that the ColdFusion team's hands are tied by the Adobe PSIRT who are the only ones allowed to comment publicly on security matters.

 The general consensus is they could certainly say something, even if it was simply, "Hey, we're looking into it and will get back to you soon".  That as it is, I E-mailed Adobe's PSIRT myself and got a reply that seems as close to an official reply as they are willing to provide at this point though I'm unclear why they're talking about it one-on-one but refraining from public statements.  For the sake of those who haven't E-mailed PSIRT, I will post their reply here for the benifit of the community until something official comes out.  Also, for funsies, I'll post my original E-mail plus my followup.  If I hear back again, I'll update this post.


From: Brad Wood
To[email protected]
Date: Wed, Apr 16, 2014 at 5:45 AM
SubjectAdobe ColdFusion and Heartbleed

Dear Adobe PSIRT team, 

 
I would like to encourage you to please make a public announcement regarding Adobe ColdFusion and if it is vulnerable to the latest OpenSSL "heartbleed" bug. This is a very significant bug that has people around the world scrambling to patch their software.  Even if Adobe ColdFusion is not susceptible to the recent "heartbleed" bug I would strongly suggest making an announcement on your blog to state that or authorize the ColdFusion team to do so on their blog. 
 
Many people in the CF community have noticed the silence on this issue and an official announcement really needs to be made in order for your customers to feel safe and to verify with their employers that they have all the patches they need.  Communication is very important and I hate to see the Adobe ColdFusion team getting beat up for not addressing this issue publicly on their blog.  Please authorize them to make some kind of statement on this.
 
Thanks!
 
~Brad

From: [email protected]
To: Brad Wood
Date: Wed, Apr 16, 2014 at 1:39 PM
Subject: RE: Adobe ColdFusion and Heartbleed

Hello Brad,

 

Thank you for contacting us.  We appreciate your feedback.  Please note that ColdFusion does not use OpenSSL. However, customers who are using an external web server with their ColdFusion deployment (ex. Apache) should test for CVE-2014-0160. If affected, customers should follow the recommendations provided in the OpenSSL security advisory, available at https://www.openssl.org/news/secadv_20140407.txt. Adobe

also recommends consulting the ColdFusion lockdown guides for security best practices:

https://www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/cf10-lockdown-guide.pdf

http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf

 

We hope this information is helpful.  Please let us know if you have additional questions.

 

Thank you,

Adobe Product Security Incident Response Team


From: Brad Wood
To[email protected]
Date: Wed, Apr 16, 2014 at 3:13 PM
SubjectAdobe ColdFusion and Heartbleed

Dear PSIRT Team, 
 
Thanks for the reply.  I appreciate the links and concern.  Let me be very clear though-- I am not asking about this for the sake of my servers, I am letting you know that Adobe needs to make a public official statement on the matter for the entire community to see.  Even if your blog entry said nothing more than what you put in your E-mail reply that would be great-- but the community has noticed the lack of public response by Adobe to this matter and it's reflecting quite poorly on your PR.
 
If the PSIRT team doesn't have time to make a quick announcement, please authorize the ColdFusion team to put out a blog post.  This would do a lot for the community as silence breeds distrust and most every other major technology stack have already addressed their platform publicly-- even if just to say they are not vulnerable.
 
Thanks!
 
~Brad
 

UPDATE April 18:


From: Brad Wood
To[email protected]
Date: Thu, Apr 17, 2014 at 9:50 PM
SubjectAdobe ColdFusion and Heartbleed

Dear PSIRT team,

 
Can you please respond to the comments on my blog made by a community member named "Aaron".  He has listed several binaries that ship with ColdFusion that supposedly use OpenSSL.  His comments can be found here:
 
 
Also, if you haven't seen it-- here is the official response from the Railo team (a competitor of Adobe CF) which categorically addresses the uses of SSL inside Railo server.
 
 
Thanks!
 
~Brad

From: [email protected]
To: Brad Wood
Date:  Fri, Apr 18, 2014 at 2:58 PM
SubjectAdobe ColdFusion and Heartbleed

Hi Brad,

Thanks to you and Aaron for bringing this to our attention.  With your input, we started a deeper investigation of ColdFusion components.  We have also clarified our blog post regarding OpenSSL in ColdFusion (http://blogs.adobe.com/psirt/?p=1085).  Should additional information arise from our investigation we'll provide an update to our blog.

 

Thank you again for your help,

Adobe Product Security Incident Response Team

My First Experience With DataBoss Dynamic ORM Administrator

Posted by Brad Wood
Mar 31, 2014 21:10:00 UTC

With the release of DataBoss 1.3 today, I thought I'd share a quick story about my recent first project diving into DataBoss.  Full disclosure: DataBoss is a commercial product and I work for the company that makes it.  None the less, I thought it was pretty freaking useful so I thought I'd throw out this quick post.

For those of you who don't know what the heck DataBoss is-- it's a Dynamic ORM Administrator.  Basically, it can scaffold out CRUD (Create, Read, Update, Delete) screens for pretty much any database structure and it's all based on ColdFusion ORM.  It runs on Adobe ColdFusion as well as Railo and the minimum to get it running is to create ORM entity CFCs, drop them in your models folder and reload ORM via the interface.  It will pick up your entities, read all the relationships, and create all the screens necessary to manage the data in your database complete with formatting, validation, rich text editors, date dropdowns, etc.

So, the recent project I got assigned was for a company that does development services.  They had a project they had been working on for one of their clients that involved a nicely-normalized database of about 20 tables that supported a multi-lingual ordering and reservation system.  They had the front end system built out with ColdFusion but the problem was the deadline was getting very close and they weren't going to have to time build the backend of the system that allowed all the products, descriptions, and companies to be configured.  They needed to have a backend over to their client in a matter of days to start entering data, but there simply wasn't enough time to build one from scratch.

Enter DataBoss.  I was tasked with setting up a data-entry app they could use to manage their database until they had time to finish the backend.  The database that had already been built was well-structured and contained many examples of one-to-many, many-to-one, and many-to-many relationships.  I was given a backup of the data structure and a diagram that showed all the foreign key relationships.  Using Adobe's CFC Generator for ColdFusion Builder, I selected the tables via the RDS datasource view and stubbed out all the ORM entities in script.  Don't try to use the CF Builder plugin to create relationships.  It's horrible and you'll be sorry.  For just stubbing out the entities and the properties, it's pretty good though and saves a lot of time.

DataBoss is packaged as a portable ColdBox module which means you can drop it into an existing ColdBox app, or just deploy it as a small standalone app.  I chose the latter and dropped my ORM entities in the /model folder.  After adding my datasource name to Application.cfc and changing dbCreate to "none" the app sprang to life and displayed a list of all my entities in a drop down.  There's settings in a JSON file to control pagination as well as the internationalization of the DataBoss app itself.  DataBoss already comes bundled with German translations which was nice since this project was for a German company.  

At this point, I went through and configured all the relationships and added metadata to each entity and property that controlled how it displayed on the screen, what kind of validation it applied, and what form controls to display for each field.  After a bit of tweaking, we had really nice CRUD screens fleshed out that even used 24-hour clock and dd/mm/yyyy date formats to match the local standard.  I enabled the Basic HTTP Auth built into DataBoss, and it was ready to deploy publicly!  All in all, we had the entire admin finished and ready to deliver to the customer in just a few days.

I was pretty pleased with how easy it was to get working, and was a major saver for them to get the edit screens to their customer in time.  And now, they can use those ORM entities for future development on the application.  DataBoss Standalone is only 99 bucks which isn't bad considering the time it can save you.  Think about using it for that old legacy database you have no edit screens for, or to help you create your next database.  You can also download a trial to play around if you want.

Product Site:

http://www.data-boss.com/

Docs:

http://www.data-boss.com/docs/index.html

Intro To Couchbase For Caching And NoSQL - Webinar Tues 4/8/2014 1PM EDT

Posted by Brad Wood
Mar 28, 2014 23:46:00 UTC

I will be presenting on how to get started using Couchbase for caching and NoSQL at a TeraTech webinar next month.  Couchbase is an up-and-coming server that mixes caching capabilities with a NoSQL JSON document store.  It has excellent performance and the best clustering/sharding/failover setup I've seen.  I'll be demoing the brand new CFML SDK for Couchbase as well as the Ortus Railo Extension.  Here's the session description.


 

nteractive applications have changed dramatically over the last 15 years. Today, they must support millions of users simultaneously and downtime is no longer acceptable. Three mega trends – Big Data, Big Users, and Cloud Computing – are driving the adoption of NoSQL technology over traditional relational SQL.

NoSQL document stores are reinventing the way we design our databases and cache layers. Couchbase open source server is a unique database with unparalleled performance, automatic replication and failover. 
In this webinar:

  • how document databases differ from the traditional RDBMS
  • the benefits and tradeoffs they bring to the table
  • a hands-on look at the new CFCouchbase CFML SDK
  • native caching and session persistence via the Railo Couchbase Extension.
  • Q&A

Register for free Now

Will A Piece Of Paper, Folded 42 Times, Reach The Moon?

Posted by Brad Wood
Mar 28, 2014 00:35:00 UTC

So I was at a friend's house Sunday night playing a game when this odd fact came up in conversation:

If you were to fold a piece of paper in half 42 times, it would reach the moon.

Several of those around the table scoffed at this, exclaiming that a single sheet of paper was simply too thin to have its thickness reach any substantial amount after only a few dozen folds.  I pointed out it was entirely possible seeing as how doubling the thickness with each fold would lead to an exponential increase in thickness that would increase slowly at first before quickly getting larger.  My friends were clearly imagining a linear increase in thickness.

I also knew that it is pretty much impossible to fold a single sheet of paper more than about 8 times -- though Myth Busters once folded a giant sheet the size of a football field 10 times. The resulting thickness (after hitting it with a bulldozer) was almost a foot tall, though there was quite a bit of air mixed in with the 1,024 sheets.  The formula for finding out how many of something you'll have after doubling it N number of times is as follows where O is the original number (or size in our case).

o * 2^(n)

A standard sheet of paper is about 0.1 mm so 42 folds would give us this:

0.1 * 2^(42) = 439,804,651,110 mm

That's 440 billion millimeters, or 439,804 kilometers.  The moon on average is 384,400 kilometers from Earth according to Google.  I'd say this checks out.  

To help visualize the data, I created a quick spreadsheet and graph that tracks the thickness of the paper for each fold.

# Folds Thickness (mm)
0 0.10
1 0.20
2 0.40
3 0.80
4 1.60
5 3.20
6 6.40
7 12.80
8 25.60
9 51.20
10 102.40
11 204.80
12 409.60
13 819.20
14 1,638.40
15 3,276.80
16 6,553.60
17 13,107.20
18 26,214.40
19 52,428.80
20 104,857.60
21 209,715.20
22 419,430.40
23 838,860.80
24 1,677,721.6
25 3,355,443.2
26 6,710,886.4
27 13,421,773
28 26,843,546
29 53,687,091
30 107,374,182
31 214,748,365
32 429,496,730
33 858,993,459
34 1,717,986,918
35 3,435,973,837
36 6,871,947,674
37 13,743,895,347
38 27,487,790,694
39 54,975,581,389
40 109,951,162,778
41 219,902,325,555
42 439,804,651,110

And to graph that out in kilometers looks like this:

Into The Box Movie Trailer

Posted by Brad Wood
Mar 20, 2014 23:09:00 UTC

We've created a fun trailer for our Into The Box conference this May.  Please check it out and then register to come for a great day of learning that doesn't take itself too seriously :)

 

Modern JVM Languages and ColdFusion Venn Diagram

Posted by Brad Wood
Mar 18, 2014 20:46:00 UTC

Mainstream News About ColdFusion Venn Diagram

Posted by Brad Wood
Mar 18, 2014 20:40:00 UTC

What's A Pull Request (Contributing To Open Source) cf.Objective() Preview

Posted by Brad Wood
Feb 26, 2014 06:32:00 UTC

Tonight the Nebraska ColdFusion User Group (NECFUG) rebooted themselves and I was honored to be able to share a preview of my cf.Objective() session for this year, What's A Pull Request (Contributing To Open Source).  I'd love to have feedback on the presentation so I can make it as good as possible for cf.Objective() this May.  Please give it a listen if you have the time and drop me a line with any thoughts you have.

Site Updates

Entries Search