http://coldfusion.com logo
#cfml-general
Title
# cfml-general
f

fmdano

04/11/2022, 7:22 PM
Hey all, so just looked at a client site I might be working on and it is in Fusebox 5...is there anything I should be looking out for in the code....security, or other issues? I doubt I'd be able to convince the people to move off of it, but wanted to see if there was any serious issues with Fusebox 5 now....thanks
g

garciadev

04/11/2022, 7:58 PM
You can always try running a security scan with Fixinator or even via ColdFusion Builder (if there is still a code scanner tool available there)
s

seancorfield

04/11/2022, 8:28 PM
I don't recall hearing about any unaddressed security issues with Fusebox during the time I was maintaining it -- but that was several years ago now. I would expect most security issues to arise in developers' code, not the framework though. The only problematic issue I remember was that there were some thread safety issues at startup that you could run into if the application was restarted while the server was under load -- although I think subsequent maintainers tried to address that?
d

Dave Merrill

04/11/2022, 8:47 PM
What version of CF? There are issues with cf 2018, and I assume later versions. Fixable though.
s

seancorfield

04/11/2022, 9:39 PM
ā˜šŸ» Yeah, good point -- I'd be more concerned about security issues in the underlying CF engine than the framework at this point, especially if it's a FB5 site and therefore "old"...
d

Dave Merrill

04/11/2022, 9:55 PM
The issues I'm talking about aren't security stuff, they're hard crashes and incompatibilities, unless you modify some of the core fusebox files. Two issues I think: ā€¢ Fusebox 5.5+ (I think) converts multiple checkbox form fields into to arrays instead of strings. Not necessarily bad, but incompatible w existing code that thinks they're lists; see here for a fix. ā€¢ The other one I don't remember acccurately, but it involved modifying some files in the 'fusebox5XXX' directories outside the site. If I remember right, without modification they won't compile under cf2018, but the fixes are clear when you look.
s

seancorfield

04/11/2022, 10:06 PM
Oh great... Adobe tried to fix the comma-separated vs array value issue for form/URL variables, to bring CFML inline with most other web tech, and it broke frameworks... I shouldn't be surprised, I suppose. It bit us when we migrated from CFML (comma-separated) to Clojure (array values, like other web tech) but I didn't realize Adobe had tried to change that... I would expect so much CFML code out there to rely on comma-separated values?
I just looked at the FB5.5 source (on GitHub) and it does look pretty sketchy to be trying to mess with
form
and
URL
scope in the pseudo-constructor of
Application.cfc
šŸ‘€
āž• 1
d

Dave Merrill

04/11/2022, 10:07 PM
It's not cf, exactly, the fix is to the fusebox files. But it is in how they interact w cf. Don't remember more of those details though, sorry. The bug tracker ticket has the fix.
s

seancorfield

04/11/2022, 10:08 PM
That tracker issue explains what they were trying to fix and why -- and why they couldn't make the full change (because it broke too much CFML code).
d

Dave Merrill

04/11/2022, 10:09 PM
yeah
s

seancorfield

04/11/2022, 10:11 PM
I used to have a pristine version of the FB5.5 code locally for years -- and I don't think the version on GH reflects just the FB5.5 code (there were some attempts to make a 5.6 release) but unfortunately all of the infrastructure around Fusebox disappeared after the TeraTech chaos (they "bought" it from Hal and John and then didn't understand how OSS worked...).
@fmdano Please report back if you end up working on that and need help!
f

fmdano

04/12/2022, 11:28 AM
Thanks @seancorfield and @Dave Merrill this thread was great to read....i'll keep you posted