How would I set a struct-based attribute like

sessioncookie.secure = true

within a

<cfapplication>

tag in Lucee?

Has anyone had luck querying Active Directory with LDAP (cfldap) to return all of a user's groups including nested groups? I can query for the 'memberOf' attribute on a user no problem. But that attribute does not include nested group memberships. I have found several references online that Microsoft includes an OID specifically for this purpose. That OID is

1.2.840.113556.1.4.1941

. But I cannot get cfldap to return any results when using a filter as recommended on those articles. Here is one from Microsoft. https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax?redirectedfrom=MSDN That says midway down that page: Similarly, to find all the groups that "user1" is a member of, set the base to the groups container DN; for example (OU=groupsOU, dc=x) and the scope to subtree, and use the following filter. (member1.2.840.113556.1.4.1941=cn=user1,cn=users,DC=x) Note that when using LDAP_MATCHING_RULE_IN_CHAIN, scope is not limited—it can be base, one-level, or subtree. Some such queries on subtrees may be more processor intensive, such as chasing links with a high fan-out; that is, listing all the groups that a user is a member of. Inefficient searches will log appropriate event log messages, as with any other type of query.

Can anyone recommend a good static analysis tool for Lucee? Preferably something open source if possible. I looked through the history here and I see CFLint mentioned a lot - we're using that currently, but also looking for something that goes a bit deeper. We're also looking to get some pen testing done, would love to hear about anyone you guys can recommend for that.

Changing some settings in CF 18 admin screens. Under Server Settings - Settings or Request Tuning. If I change anything and submit I get an error message that says 'the connection was reset'. Not an issue on other screens. Any ideas? I have bounced the box and both instances same error message. Thanks in advance.

I inherited this monolithic legacy app that is still using app.cfm. It has lots of "global" variables, client variables, functions etc. I am bringing it up to at least app.cfc before going to coldbox. I put all the old vars into application.settings, but they also need to remain as "global" because there is too much to update. I put them in an include inside onRequestStart, but the app does not acknowledge them unless they are physically in onRequestStart. Been a while since I have had to deal with anything like this, so just curious if anyone may know what's up? I also tried an include in onRequest.

Has anybody here used ContentBox 5 CMS? I am making a website for the Hawaii ColdFusion user group, and I want to have a CMS that I can use to have a website and a blog, but don't want to use WordPress as I want it ColdFusion-based. I, just want something simple to maintain the site.

In CF-2021 native mongodb support was added. Has anyone tried the mongo features? I'm trying the code mostly from the limited samples of the doc:

var db = getmongoservice(application.settings.mongoDS).db("newdb"); // create a db 
 db.createCollection("colFindDemo"); // create a collection 
 db.colFindDemo.insertMany([ 
   
   { "_id" : 1, "name" : "Ian Gillan", "instrument" : "Vocals","born": 1945 }, 
   { "_id" : 2, "name" : "Ian Paice", "instrument" : "Drums", "born" : 1948 }, 
   { "_id" : 3, "name" : "Roger Glover", "instrument" : "Bass", "born" : 1945 }, 
   { "_id" : 4, "name" : "Steve Morse", "instrument" : "Guitar", "born" : 1954 }, 
   { "_id" : 5, "name" : "Don Airey", "instrument" : "Keyboards", "born" : 1948 }, 
   { "_id" : 6, "name" : "Jeff Martin", "instrument" : "Vocals", "born" : 1969 }, 
   { "_id" : 7, "name" : "Jeff Burrows", "instrument" : "Drums", "born" : 1968 }, 
   { "_id" : 8, "name" : "Stuart Chatwood", "instrument" : "Bass", "born" : 1969 } 
   
 ]);
 // return all documents 
 var col = db.colFindDemo.find();
writeDump(var=col, label="col");
abort;

The createCollection call seems to put itself into an infinite loop condition and eventually crashes with an out of stack message. Any ideas? Or any better examples somewhere?

Also when did slack remove adding snippets, or is it hidden somewhere under a different name?

I have a dumb question. I'm trying to display the output of a query in a loop with a table

This is what I have <cfloop query="weight">    <td >     <cfoutput query="weight">     #name#  </cfoutput></span></td>     </cfloop>--->

Hopefully this is an easy question for someone. If a page starts a thread, or 10 threads with cfthread, and does not call join before exiting the request. Are the threads 1) still running (from experience, it appears they are), and 2) are they subject to request timeout parameters - or any other timeout factor, or will they run until terminated?

Do anyone know if ACF2021 will work with JDK 17?

Anyone have knowledge of the dotnet integration in ACF 2018 or 2021 docker images. We are currently in the process of migrating from windows to ACF 2018/2021 docker images. I am stuck on getting the dotnet integrations to work. I have dropped the .dlls required for the dotnet integrations to work (from our old windows instances) in the required directories for the cfobject call to find them. It is able to find the dlls but I receive the error "The assembly that contains the class must be provided to the assembly attribute". I believe this is misleading because the dlls work just find on the windows environment. My question is whether or not I need extra configuration in the docker images for the local dlls or need to point to dlls on a remote windows server for the .net integration to work. I have read  https://helpx.adobe.com/coldfusion/developing-applications/using-web-elements-and-external-objects/using-microsoft-net-assemblies/accessing-net-assemblies.html But it is still unclear to me. Any insight is much appreciated.

How can I explain it? I don't want to format now(), but I want to format the output of #date#.. How can I add #DateFormat(Now(), "mm/dd/yyyy")# instead of the now() function, I want it to #date#? Or does DateFormat only work with functions?

@Formiko There's a #cfml-beginners channel which you might find helpful, where people have opted in to give a lot of hand-holding to folks who ask questions like this...

Using Adobe CF 2018, this code produces a PDF with a blank textarea where the text only displays if clicked:

<cfhtmltopdf name="myerecord">
<textarea name="test" id="test">TEXT</textarea>
</cfhtmltopdf>
<cfheader name="Content-Disposition" value="attachment;filename=testdocument.pdf">
<cfcontent type="application/pdf" variable="#myerecord#">

Is this a known issue with CF 2018? I've been trying multiple ways (background colors, more html) to get the text to display without the click, but nope! 🙂

is there an easy way to display duplicate values in an Array object without resorting to a cfloop? I need to find and display any found duplicate values, along with the number of occurrences. specifically

@abram can I make a feature request for trycf.com pls?

@foundeo cfdocs.org appears to be having issues

anyone know of a (preferably) comprehensive matrix of cfscript tag equivalents per version? that is, a reference that shows whether a script version of a tag, like

savecontent

, was available in a given acf version. have never really found anything useful on this topic

Lucee on trycf.com has just been spinning for me today. Other engines worked ok. Anyone else getting that?

Is there any documentation or community knowledge about what constructs aren't allowed in text format cfmail content, and how to escape the disallowed stuff? We've had pentesters banging on us for 3 days, requests with all kinds of hacky nonsense in the URL, and some of the emails we send for errors in production got stuck in Undelivr. We have code that automatically retries by moving them to Spool, which it did, but the send fails and get moved back to Undelivr again. Other emails go out fine. I could just delete them, since I've read their content and it's not news, but I'm wondering how to improve the process, by detecting "invalid" emails and ideally, fixing them. Thoughts? Other than that I should stop worrying about this, it's rare and dealable with by hand?

We have run the CF update 13 on our 2018 install early last month. After the update we have 4 related files that have the same timestamp; log4j-1.2.15.jar log4j-api-2.16.0.jar log4j-core-2.16.0.jar log4j-to-slf4j-2.16.0.jar The network team has flagged 'log4j-1.2.15.jar' file in a security scan. When I try to delete the file, it says coldfusion.exe is using the file ?? I am able to delete the file (with CF services stopped), but without it the server throws a 500 error. The strange thing is if I rename it it works. If I move the renamed file to another folder, the server again throws a 500 error. I get a stack trace along with the 500 error. It is a NULL pointer in the Java class loader. Basically, a missing JAR file (a library of classes) which is true since the file is missing. I do know the CF update did update the file because the timestamp matches the ‘CORE’ and ‘API’ log4j files that were replaced. Reading an Adobe post regarding a manual update and workaround, states that the version 1.2 is not an issue with the log4j vulnerability. My questions are; 1) Is this file safe ? 2) Should it have been updated to a later version ? 'log4j-2.16.0.jar' instead of 'log4j-1.2.15.jar' ?? Thanks, Kevin

Probably a dumb question, but going to ask anyway....passing form variables (form.first_Name) or url variables (url.myid) to some sort of "action" page, should I always encodeForHTML() these variables, or is there a time and place to use encodeForHTML()? Working on good security practices for a site and want to double check this best practice so I do it right. Thanks

I'm probably misunderstanding how the getFileInfo()

canWrite

property works, or maybe this is a bug.

Has anyone run into the low-level error "java.lang.IllegalArgumentException at coldfusion.filter.FormScope.parseName"? We've seen this intermittently for a long time, on a small percentage of requests, all ajax. Ring any bells?

@foundeo Hi Pete, do you know the pros and cons of running fuseguard on a cfml application vs a cloud based solution like aws waf or azure waf that is front of the application(not on the same application host)?

form.st_dob = '04052016';

  writedump(isValid('date', form.st_dob));
  writedump(isDate(form.st_dob));
  writedump(dateDiff('d', now(), form.st_dob));
  writedump(now().diff('d', form.st_dob));

make this make sense - these kind of inconsistencies are nuts

Hi All. We're generating QR Codes from our CF based platforms and are wondering how folks in the CF world are providing QR Code features these days. Googling shows a bunch of different results, which look promising but are fairly old now. So, if there is a more current approach, I want to make sure we know about that. Thanks in advance!