"Probable significant bug in ColdFusion 10's (and Railo's) RESTful web services"


Adam Cameron

Oct 7, 2012, 9:11:28 AM
to ra...@googlegroups.com
G'day guys:
This should probably be on your radar: http://adamcameroncoldfusion.blogspot.co.uk/2012/10/probable-significant-bug-in-coldfusion.html. The gist is that REST web service responses don't seem to encode text properly, or cannot be told to do so (as far as I can tell, albeit I really only looked in the context of ColdFusion, not Railo).

Also note my observation about needing to hard-code my admin pwd in Application.cfc if I want to use restInitApplication() in my code.  This is... um... "less than ideal", IMO.

Do you want bugs raised for this lot?

Cheers.

--
Adam
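
A quick way to check a deployed endpoint for the symptom described above (an added Python example, not code from this thread or from ColdFusion/Railo; it assumes you have captured the response headers and raw body bytes with your own client, and the constructed samples below stand in for such a capture):

```python
import re
from typing import Optional

# Heuristic for UTF-8 bytes that a client decoded as a single-byte charset:
# "é" shows up as "Ã©", "£" as "Â£", and so on.
MOJIBAKE = re.compile("[\u00c2\u00c3][\u0080-\u00bf]")

def parse_charset(content_type: str) -> Optional[str]:
    """Return the charset parameter of a Content-Type header, lowercased, or None."""
    m = re.search(r'charset\s*=\s*"?([\w.:-]+)"?', content_type or "", re.IGNORECASE)
    return m.group(1).lower() if m else None

def check_rest_response(headers: dict, body: bytes) -> dict:
    """Diagnose whether a REST response carries non-ASCII text correctly.

    headers: response headers as captured by the client (looked up case-insensitively).
    body:    the raw, undecoded response bytes.
    """
    content_type = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    declared = parse_charset(content_type)
    problems = []
    if declared is None and any(b > 0x7F for b in body):
        problems.append("non-ASCII bytes but no charset declared")
    # Assumption: a client given no charset falls back to ISO-8859-1 (the historic
    # HTTP default), which is exactly how UTF-8 bytes turn into mojibake.
    codec = declared or "iso-8859-1"
    try:
        text = body.decode(codec)
    except (UnicodeDecodeError, LookupError):
        problems.append(f"body is not valid {codec}")
        text = body.decode("utf-8", errors="replace")
    if MOJIBAKE.search(text):
        problems.append("looks like UTF-8 bytes served under a single-byte charset (mojibake)")
    if "\ufffd" in text:
        problems.append("contains U+FFFD replacement characters")
    return {"declared_charset": declared, "decoded": text,
            "problems": problems, "ok": not problems}

# Constructed sample responses standing in for a captured REST call.
SAMPLES = {
    "correct":     ({"Content-Type": "application/json; charset=UTF-8"},
                    '{"name":"Café"}'.encode("utf-8")),
    "no_charset":  ({"Content-Type": "application/json"},
                    '{"name":"Café"}'.encode("utf-8")),
    "wrong_bytes": ({"Content-Type": "text/plain; charset=utf-8"},
                    "Café".encode("latin-1")),
}

if __name__ == "__main__":
    for name, (hdrs, raw) in SAMPLES.items():
        result = check_rest_response(hdrs, raw)
        print(name, "OK" if result["ok"] else "; ".join(result["problems"]))
```

Run it against a real capture by replacing the entries in `SAMPLES`; a service that is encoding text properly should come back `OK` for a body containing non-ASCII characters.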

Mark Drew

Oct 7, 2012, 12:05:42 PM
to ra...@googlegroups.com, AJ Mercer
Not sure. AJ Mercer is totally on top of the Railo REST stuff, so wait till he catches up with his email on Monday.



Mark Drew
 
Railo Technologies Professional Open Source
skype: mark_railo ma...@getrailo.com
+44 7971 852296 http://www.getrailo.com

AJ Mercer

Oct 7, 2012, 9:22:27 PM
to ra...@googlegroups.com
I will review the encoding issue further later (on holidays at the moment), but as for the password in Application.cfc - you only need that if you want to define the REST service in code. You can define the REST service in the Railo server/web admin if you prefer not to have the password in code.

Micha can explain the security implications for the reasoning behind this. He knows ACF10 does not require it and has deliberately added it.
--

AJ Mercer
<webonix:net strength="Industrial" /> | <webonix:org community="Open" />
http://twitter.com/webonix

Michael Offner

Oct 8, 2012, 2:14:46 AM
to ra...@googlegroups.com
The function restInitApplication only needs the password when you create a new mapping with this function. The reason is very simple: this changes the persistent configuration of your context, something normally only possible with the tag cfadmin. Changing any configuration in Railo needs a password as long as write access is set to protected in the server admin for this context.

How to avoid using this password in Application.cfc: of course you can simply set write access to open; then the password is not needed and you have the same security hole as in ACF. Or you can pass the password as a parameter to the function.

/Micha

Sent from my iPad

Michael Offner

Oct 8, 2012, 2:23:27 AM
to ra...@googlegroups.com
Can you please open a ticket for the non-ASCII character issue. For the password we could add the possibility to add the password encrypted, something like
WebAdminPassword="encrypted:7@8687(&7(";
To get the password you need a new function we have to define.

/Micha

Sent from my iPad

Adam Cameron

Oct 8, 2012, 2:32:10 PM
to ra...@googlegroups.com


On Monday, October 8, 2012 7:23:33 AM UTC+1, Michael Offner wrote:
Can you please open a ticket for the non-ASCII character issue.

Done: https://issues.jboss.org/browse/RAILO-2096.

Thanks Micha.

--
Adam