New blog post - Optimizing Your Code - Scope Cascading


Andrew Dixon

Jun 15, 2015, 5:07:36 PM
to lu...@googlegroups.com
Hi All,

Just to let you all know there is a new blog post from Igal:


Also, if anyone has anything interesting they would like to share on the blog, like this sort of article, then please email me directly (off list) and we can see about getting it shared via the Lucee blog. Thanks.

Kind regards,

Andrew

Pete Freitag

Jun 15, 2015, 8:30:51 PM
to lu...@googlegroups.com
Hi,

Good article, you might consider also mentioning the setting:

this.scopeCascading = "strict"; 

in your Application.cfc or in the Lucee Admin.

I wrote a blog entry about a potential security issue I call scope injection which Railo/Lucee can easily prevent using that setting: http://www.petefreitag.com/item/834.cfm
--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/CAG1WijX%3DY7bpSHe%2BeE1NJK2D2BTWo6MFv8q3QCtQzE8YqJmS7w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


--
Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner


Igal @ Lucee.org

Jun 15, 2015, 8:54:56 PM
to lu...@googlegroups.com
nice post, Pete!

and another good reason for Lucee not to follow ACF's "keys-containing-dots" methodology.

I don't believe that Lucee is susceptible to the vulnerability you mentioned though, because the Session scope (as well as the related Request and Application scopes) is not part of the Standard Scope Cascade: [Local, Arguments], Variables, CGI, URL, Form, Cookie

Igal Sapir
Lucee Core Developer
Lucee.org
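A worked illustration of the setting Pete mentions and the cascade order Igal lists, added here as an example; it is not code from the thread, from Pete's blog or from Lucee itself, and the application name, the isUserAdmin() helper and the session layout are assumptions:

```cfml
<!--- Application.cfc of a hypothetical demo application --->
component {
    this.name = "scopeCascadeDemo";
    this.sessionManagement = true;
    // The setting Pete mentions. "strict" resolves an unscoped name in the
    // Variables scope only; the default "standard" cascade goes on to search
    // CGI, URL, Form and Cookie, all of which the client can populate.
    this.scopeCascading = "strict";
}

<!--- index.cfm --->
<cfscript>
// Stand-in for the application's real role check (hypothetical).
function isUserAdmin() {
    return structKeyExists(session, "roles") && listFindNoCase(session.roles, "admin");
}

// Vulnerable pattern: the flag is assigned on one path only and is then
// read without a scope prefix.
function adminPanelUnsafe() {
    if (isUserAdmin()) variables.isAdmin = true;   // never set for ordinary users
    // Resolution order for the unscoped read is Local, Arguments, Variables and,
    // under "standard" cascading, CGI, URL, Form, Cookie. When variables.isAdmin
    // is absent, a same-named field in the request would satisfy this test.
    // Under "strict" the read throws instead, which is the safer failure.
    return isAdmin ? "admin panel" : "user page";
}

// Hardened pattern: the flag has a value on every path and is read with an
// explicit scope prefix, so the cascade is never consulted at all.
function adminPanelSafe() {
    variables.isAdmin = isUserAdmin();
    return variables.isAdmin ? "admin panel" : "user page";
}

writeOutput(adminPanelSafe());
</cfscript>
```

Setting "strict" alone turns the unsafe read into an error rather than a silent privilege decision; the explicit scoping in adminPanelSafe() is what removes the ambiguity regardless of the setting.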

Pete Freitag

Jun 15, 2015, 9:08:47 PM
to lu...@googlegroups.com
Thanks Igal - you are correct that Railo/Lucee are not susceptible to the session scope example in my blog entry. It does mention that in the entry, but points out that it could be vulnerable to a similar logic issue in code using non-built-in scopes.

Geoff Bowers

Jun 15, 2015, 10:11:47 PM
to lu...@googlegroups.com, andrew...@gmail.com


On Tuesday, 16 June 2015 07:07:36 UTC+10, Andrew Dixon wrote:
Just to let you all know there is a new blog post from Igal:

That is a great little article.

Pete's post on scope injection is great too:

Just wanted to say a quick thanks to all involved.

GB
