# cfml-general
f
Hey all, so I just looked at a client site I might be working on and it is in Fusebox 5... is there anything I should be looking out for in the code... security, or other issues? I doubt I'd be able to convince the people to move off of it, but I wanted to see if there were any serious issues with Fusebox 5 now... thanks
g
You can always try running a security scan with Fixinator or even via ColdFusion Builder (if there is still a code scanner tool available there)
s
I don't recall hearing about any unaddressed security issues with Fusebox during the time I was maintaining it -- but that was several years ago now. I would expect most security issues to arise in developers' code, not the framework though. The only problematic issue I remember was that there were some thread safety issues at startup that you could run into if the application was restarted while the server was under load -- although I think subsequent maintainers tried to address that?
d
What version of CF? There are issues with CF 2018, and I assume later versions. Fixable though.
s
ā˜šŸ» Yeah, good point -- I'd be more concerned about security issues in the underlying CF engine than the framework at this point, especially if it's a FB5 site and therefore "old"...
d
The issues I'm talking about aren't security stuff, they're hard crashes and incompatibilities, unless you modify some of the core Fusebox files. Two issues I think:
• Fusebox 5.5+ (I think) converts multiple checkbox form fields into arrays instead of strings. Not necessarily bad, but incompatible with existing code that thinks they're lists; see here for a fix.
• The other one I don't remember accurately, but it involved modifying some files in the 'fusebox5XXX' directories outside the site. If I remember right, without modification they won't compile under CF 2018, but the fixes are clear when you look.
s
Oh great... Adobe tried to fix the comma-separated vs array value issue for form/URL variables, to bring CFML in line with most other web tech, and it broke frameworks... I shouldn't be surprised, I suppose. It bit us when we migrated from CFML (comma-separated) to Clojure (array values, like other web tech) but I didn't realize Adobe had tried to change that... I would expect so much CFML code out there to rely on comma-separated values?
I just looked at the FB5.5 source (on GitHub) and it does look pretty sketchy to be trying to mess with the `form` and `URL` scopes in the pseudo-constructor of `Application.cfc` 👀
d
It's not CF, exactly, the fix is to the Fusebox files. But it is in how they interact with CF. Don't remember more of those details though, sorry. The bug tracker ticket has the fix.
s
That tracker issue explains what they were trying to fix and why -- and why they couldn't make the full change (because it broke too much CFML code).
d
yeah
s
I used to have a pristine version of the FB5.5 code locally for years -- and I don't think the version on GH reflects just the FB5.5 code (there were some attempts to make a 5.6 release) but unfortunately all of the infrastructure around Fusebox disappeared after the TeraTech chaos (they "bought" it from Hal and John and then didn't understand how OSS worked...).
@fmdano Please report back if you end up working on that and need help!
f
Thanks @seancorfield and @Dave Merrill, this thread was great to read... I'll keep you posted