RE: encrypt / decrypt question
Leigh, I see what you mean, and your recommendation matches the syntax in the Adobe documentation. But, I think I have accounted for both algorithm and encoding in my statement below -- have I not?

<cfqueryparam cfsqltype="cf_sql_varchar" value="#encrypt(form.CreditCardNumber,GenerateSecretKey("AES", 256),"UU")#">

form.CreditCardNumber --- string
GenerateSecretKey(AES, 256) --- key, plus algorithm (AES, 256-bit)
UU --- encoding

Does the GenerateSecretKey function account for both the key and the algorithm? I've been studying the documentation and looking for examples. What am I missing?

Thank you again, folks.

Eric

-----Original Message-----
From: Leigh [mailto:cfsearch...@yahoo.com]
Sent: Thursday, November 08, 2012 2:47 PM
To: cf-talk
Subject: RE: encrypt / decrypt question

> Any idea what the "The UU algorithm is not supported" error is about?

You skipped the algorithm again ;-) The third argument is the encryption algorithm ie AES. Encoding (ie UU) is the fourth argument.

Encrypt(yourString, yourKey, theAlgorithm, theEncoding)

Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353101
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Loss of variables after switch from application.cfm to application.cfc in FB 3 application
That was perfect Matt. Thank you.

Nick

From: Matt Quackenbush quackfu...@gmail.com
Date: Mon, 5 Nov 2012 14:24:28 -0600
Subject: Re: Loss of variables after switch from application.cfm to application.cfc in FB 3 application

> Just a wild guess here: The file in question is being d and the variables it is setting are getting set into the Application.cfc's variables scope, and therefore unavailable elsewhere.
>
> On Mon, Nov 5, 2012 at 2:19 PM, Nick Gleason wrote:
>
>> Hi folks,
>>
>> Bit of a head scratcher here which I'm hoping may be obvious to you all. We've got a Fusebox 3 application which we have recently converted from application.cfm to application.cfc. One puzzling result has been that during a single page request, an attributes variable that is set in a file called from application.cfc (and formerly from application.cfm) is no longer present once we get down the line in the code flow to displaying the page.
>>
>> That is, when we go back to application.cfm, the variable is available down the line for the page display. But, when application.cfc is used, the variable is available when it is first called and set, but then has disappeared by the time the page flow gets to the file where the page display is done.
>>
>> So, it seems that some variables in a single request are not as persistent with application.cfc, at least in a FB 3 context? That seems surprising but I can't really come up with another explanation. And, so far, we haven't been able to figure out exactly where or why the attributes variable is getting dropped. Any thoughts?
>>
>> Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353102
Re: Loss of variables after switch from application.cfm to application.cfc in FB 3 application
Matt, others,

A quick follow up on this. It seems that request variables have no problem persisting if called / set within an application.cfc. Is that right?

Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353103
Re: Loss of variables after switch from application.cfm to application.cfc in FB 3 application
Depending upon where/how they're called/set, that is true. No problem at all setting/calling request.foo within Application.cfc.

On Thu, Nov 8, 2012 at 7:55 PM, Nick Gleason n.glea...@citysoft.com wrote:

> Matt, others, A quick follow up on this. It seems that request variables have no problem persisting if called / set within an application.cfc. Is that right? Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353104
Post Office mailing Barcode
Hi folks

Anyone know of a US Post Office barcode creator that would run with coldfusion and mysql.

Thanks

Rob

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353105
Displaying flash on a site where script protect is enabled?
I know this has been discussed before but I'm not finding a clear answer online to the question of whether it is possible to use flash on a site where the script protect / invalidtag feature has been turned on.

We would like to keep this security feature turned on generally, but if that means that it is not possible for clients to put flash files on their pages in our CMS, that is a pretty steep trade off. Are there ways around this?

Also, our experience is that some older pages that have flash working - presumably from before the script protect feature was turned on - are still working fine (despite having script protect on). So, that is a bit of a surprise.

Any brilliant ideas?

Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353106
RE: encrypt / decrypt question
> Does the GenerateSecretKey function account for both the key and the algorithm?

No - not the way you are thinking. You need to supply the algorithm twice. Once when generating the key _and_ once when performing the encryption. To better illustrate:

<!--- generate a key suitable for AES --->
<cfset theKey = GenerateSecretKey("AES", 256)>
<!--- now do the actual encryption using the AES algorithm --->
<cfset result = encrypt(form.CreditCardNumber,

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353107
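The point of the answer above, as an added example that is not Leigh's snippet or any code from the thread: the algorithm is named once for the key and once for the cipher, and the key is kept so the value can be decrypted later. It assumes ColdFusion 9 or later; the card number is a constructed test value and AES/CBC/PKCS5Padding is a choice made for this example.

```cfml
<!--- Added example (not from the thread). Constructed test value, not real card data. --->
<cfset sampleCard = "4111111111111111">

<!--- 1. Name the algorithm when generating the key. Generate it once and keep it:
      a key created inline inside encrypt() is discarded after the call, so the
      stored value could never be decrypted. On the Java 6 runtimes of this era,
      256-bit AES keys need the unlimited-strength JCE policy files; without
      them encrypt() fails on the key size. --->
<cfset theKey = generateSecretKey("AES", 256)>

<!--- 2. Name the algorithm again when encrypting.
      Argument order: string, key, algorithm, encoding. --->
<cfset algorithm = "AES/CBC/PKCS5Padding">
<cfset cipherText = encrypt(sampleCard, theKey, algorithm, "Base64")>

<!--- 3. Decrypt with the same key, algorithm and encoding. --->
<cfset roundTrip = decrypt(cipherText, theKey, algorithm, "Base64")>
<cfset matches = (compare(roundTrip, sampleCard) EQ 0)>

<!--- 4. The mistake from the question: the encoding passed in the algorithm slot. --->
<cfset misuseMessage = "">
<cftry>
    <cfset ignored = encrypt(sampleCard, theKey, "UU")>
    <cfcatch type="any">
        <cfset misuseMessage = cfcatch.message>
    </cfcatch>
</cftry>

<cfoutput>
Round trip matches: #matches#<br>
Error with "UU" as the third argument: #htmlEditFormat(misuseMessage)#
</cfoutput>
```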
Re: Displaying flash on a site where script protect is enabled?
> I know this has been discussed before but I'm not finding a clear answer online to the question of whether it is possible to use flash on a site where the script protect / invalidtag feature has been turned on.

Yes, you certainly can use Flash with SCRIPTPROTECT. The two are not really related. All SCRIPTPROTECT does is examine data from the browser to see if it contains client-side executable functionality.

> We would like to keep this security feature turned on generally, but if that means that it is not possible for clients to put flash files on their pages in our CMS, that is a pretty steep trade off. Are there ways around this?

Not really. If you want people to be able to put client-side executable content in HTML pages, that defeats the purpose of using SCRIPTPROTECT. You could write a CMS widget to accept parameters from the client and have that build a snippet of HTML that uses those parameters with Flash Player, though.

> Also, our experience is that some older pages that have flash working - presumably from before the script protect feature was turned on - are still working fine (despite having script protect on). So, that is a bit of a surprise.

That should not be a surprise. Again, all SCRIPTPROTECT does is limit the ability of users to upload data that could later execute in another user's browser. You might want to read a bit about XSS vulnerabilities to see what it's supposed to protect you against. All that said, SCRIPTPROTECT only provides limited protection against those vulnerabilities.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353108
latest Adobe-approved 1.6 JDK ?
Hi,

our security folks have asked for something more recent than the Adobe approval for JDK 1.6.0_24 here http://helpx.adobe.com/coldfusion/kb/oracle-security-alert-cve-2010.html

We haven't found anything yet, and am attempting to contact Adobe. What is the most recent version of 1.6 that Adobe has documented approval for?

many thanks

Chris

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353109
Re: latest Adobe-approved 1.6 JDK ?
Adobe no longer approves minor point versions. ALL 1.6.0_nn versions are supported. Make sure you have something past 1.6.0_24.

Enjoy

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353110
Re: latest Adobe-approved 1.6 JDK ?
Adobe support anything 1.6. I don't have an official page to point you to, but if you search CF-Talk and/or Google I expect you'll find it pretty quickly.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353111
RE: latest Adobe-approved 1.6 JDK ? (UNCLASSIFIED)
Classification: UNCLASSIFIED
Caveats: FOUO

Ours are using 1.6 version 37 in CF 9 and 10

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353112
Re: Displaying flash on a site where script protect is enabled?
Hi Dave,

Many thanks for the response. In our case, we have portcullis and some other filters built into the system, so my hope is that we are secure.

Perhaps script protect is not adding a lot. Since we use a web editor in a number of places in our system, my ideal scenario would probably be to enable super user admins to use tags like embed to display flash on a page but restrict it in other scenarios where there might be more risk (e.g. on the front end of a web site). How would you handle that kind of requirement? Would script protect be part of it?

Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353113
RE: encrypt / decrypt question
My response got cut off.. Here is the full snippet... assuming it goes through ;-)

http://pastebin.com/fPLcU3Kd

-Leigh

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353114
Re: latest Adobe-approved 1.6 JDK ?
http://blogs.coldfusion.com/post.cfm/minor-java-upgrades-in-coldfusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353115
RE: encrypt / decrypt question
Leigh, that makes abundant sense. Thank you very much. As always.

Eric

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353116
Read / Serve a file with CFHEADER
Since I can't password protect a zip file I need to protect, I'm trying a different approach. I build the file, read the content with CFFILE (this works), delete the file, then try to serve it out with CFHEADER.

When I have a physical file CFHEADER serves it fine, but when I try to serve it from the CFFILE READ variable it doesn't serve. Any idea what I'm doing wrong?

<cfset getfile="mypath\myfile.zip">
<cfset file_size=getFileInfo(getfile).size>
<cffile action="read" file="#getfile#" variable="serve_file">
(This works; I can dump the file var and binary content is there)

... would delete the file here...

To serve the file:

<cfheader name="Content-Disposition" value="attachment;filename= myfile.zip">
<cfheader name="Content-Length" value="#file_size#">
<cfcontent type="application/zip" file="#serve_file#">
(if I use the path to the physical file this works; but it bombs with the file data in the var server_file)
<cfheader name="Pragma" value="no-cache">
<cfheader name="Expires" value="#Now()#">
<cfheader name="cache-control" value="no-cache, no-store, must-revalidate, max-age=0">

Anyone see what I'm doing wrong here?

Thanks

Robert Harrison
Director of Interactive Services
Austin Williams
Advertising I Branding I Digital I Direct
125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788
T 631.231.6600 X 119 F 631.434.7022
http://www.austin-williams.com
Blog: http://www.austin-williams.com/blog
Twitter: http://www.twitter.com/austi

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353117
Re: Read / Serve a file with CFHEADER
> When I have a physical file CFHEADER serves it fine, but when I try to serve it from the CFFILE READ variable it doesn't serve. Any idea what I'm doing wrong?

The FILE attribute of CFCONTENT requires a path to a file. If you want to serve content from a variable, don't use the FILE attribute:

<cfcontent type=...><cfoutput>#toBase64(your binary content)#</cfoutput>

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353118
Re: latest Adobe-approved 1.6 JDK ?
Found an Adobe page from last month. Thanks everybody:

http://helpx.adobe.com/coldfusion/kb/upgrading-java-coldfusion.html

ColdFusion Help http://www.adobe.com/support/coldfusion/ / Upgrade Java for ColdFusion

Issue

Oracle releases Java updates periodically. How do you handle these updates in the context of ColdFusion?

Go ahead and upgrade.

All ColdFusion users can upgrade Java to the latest minor version for their ColdFusion servers. For example, ColdFusion customers using jdk 1.6.0_x can upgrade to the latest jdk 1.6.0_x update. (At the time of writing, the current version is jdk 1.6.0_35.) All future JDK 1.6.0_x releases are supported.

For the supported ColdFusion versions, Adobe supports all minor releases of Java. For example, if ColdFusion supports JDK 1.6.0, all JDK 1.6.0_x updates are supported.

JDK 1.7.0 is not considered a minor Java release. Unless explicitly stated that ColdFusion supports JDK 1.7.0, you cannot upgrade to any Java 1.7.0_x update.

Keywords: cpsid_92330

It took a little while to find the Sun Java.com downloads page for 1.6.0_37 (the highest release for 1.6.0)

http://www.oracle.com/technetwork/java/javase/downloads/jdk6u37-downloads-1859587.html

Regards,

Chris

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353119
Re: Displaying flash on a site where script protect is enabled?
> Many thanks for the response. In our case, we have portcullis and some other filters built into the system, so my hope is that we are secure.

If one user is able to inject commands to run client-side executable code, and those commands get executed when another user views the content created by the first user, your site contains an XSS vulnerability.

> Perhaps script protect is not adding a lot. Since we use a web editor in a number of places in our system, my ideal scenario would probably be to enable super user admins to use tags like embed to display flash on a page but restrict it in other scenarios where there might be more risk (e.g. on the front end of a web site). How would you handle that kind of requirement? Would script protect be part of it?

If you're able to completely trust authenticated users not to do malicious things, you don't need to worry about XSS vulnerabilities, I guess. The problem with SCRIPTPROTECT is that it's fairly easy to bypass. I recommend you read this:

http://www.12robots.com/index.cfm/2010/3/1/A-warning-about-ColdFusions-scriptProtect

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353120
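One way to build the CMS widget Dave describes in this thread, as an added example that is not code from any of the posts: the editor supplies only parameters, and the server validates them and writes the markup itself. The function name, the /media/flash/ directory and the size limits are assumptions; encodeForHTMLAttribute() requires ColdFusion 10 or later.

```cfml
<!--- Added example (not from the thread). Function name, allowed directory and
      size limits are assumptions chosen for illustration. --->
<cffunction name="buildFlashEmbed" access="public" returntype="string" output="false">
    <cfargument name="src" type="string" required="true">
    <cfargument name="width" type="string" required="true">
    <cfargument name="height" type="string" required="true">

    <!--- Accept only a .swf file name under one site-hosted directory:
          no scheme, no host, no "..", no query string. --->
    <cfif NOT reFind("^/media/flash/[A-Za-z0-9_-]+\.swf$", arguments.src)>
        <cfthrow type="FlashWidget.InvalidSource"
                 message="Flash source is not an allowed site-hosted .swf file.">
    </cfif>

    <!--- Dimensions must be plain digits in a sane range, never free text. --->
    <cfif NOT reFind("^[0-9]{1,4}$", arguments.width)
          OR NOT reFind("^[0-9]{1,4}$", arguments.height)>
        <cfthrow type="FlashWidget.InvalidSize" message="Width and height must be whole numbers.">
    </cfif>
    <cfif arguments.width LT 1 OR arguments.width GT 1920
          OR arguments.height LT 1 OR arguments.height GT 1080>
        <cfthrow type="FlashWidget.InvalidSize" message="Width or height is out of range.">
    </cfif>

    <!--- The server writes every tag and attribute name. The user contributes only
          validated values, which are still encoded for the attribute context. --->
    <cfreturn '<object type="application/x-shockwave-flash"'
        & ' data="' & encodeForHTMLAttribute(arguments.src) & '"'
        & ' width="' & int(arguments.width) & '" height="' & int(arguments.height) & '">'
        & '<param name="allowScriptAccess" value="never">'
        & '<param name="allowNetworking" value="internal">'
        & '</object>'>
</cffunction>

<!--- Constructed inputs: one accepted, one rejected because it points off-site. --->
<cfset okHtml = buildFlashEmbed("/media/flash/intro.swf", "640", "360")>
<cfset rejectedType = "">
<cftry>
    <cfset ignored = buildFlashEmbed("http://other.example/movie.swf", "640", "360")>
    <cfcatch type="any">
        <cfset rejectedType = cfcatch.type>
    </cfcatch>
</cftry>

<cfoutput>
Accepted markup: #htmlEditFormat(okHtml)#<br>
Off-site source rejected with: #htmlEditFormat(rejectedType)#
</cfoutput>
```

Because the stored content is a set of parameters rather than raw HTML, the web editor never has to accept embed or object tags from users.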
RE: Read / Serve a file with CFHEADER
Thanks Dave. That works. Now I build the file, read the file as binary, delete the physical file, and serve the file from memory. It's secure I don't have to worry about leaving unprotected data on disk.

<cfset getfile="#application.rootpath#\admin\custom1\tempfiles\#file_name#.zip">
<cfset file_size="#getFileInfo(getfile).size#">
<cffile action="readBinary" file="#getfile#" variable="serve_file">
<cfdirectory action="list" directory="#application.rootpath#\admin\custom1\tempfiles\" name="to_purge">
<cfloop query="to_purge">
<cffile action="delete" file="#application.rootpath#\admin\custom1\tempfiles\#to_purge.name#">
</cfloop>
<cfheader name="Content-Disposition" value="attachment;filename=#file_name#.zip">
<cfheader name="Content-Length" value="#file_size#">
<cfcontent type="application/zip" variable="#serve_file#">
<cfheader name="Pragma" value="no-cache">
<cfheader name="Expires" value="#Now()#">
<cfheader name="cache-control" value="no-cache, no-store, must-revalidate, max-age=0">

Robert Harrison

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353121
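The build, read, delete, serve sequence from this thread, as an added example that is not Robert's code: it gives each request its own file name, deletes only the files that request created (rather than every file in a shared directory) even when a step fails, and sets the cache headers before cfcontent sends the body. It assumes ColdFusion 9 or later; the export content and the download name are constructed.

```cfml
<!--- Added example (not from the thread). Export content and file names are constructed. --->
<cfset workDir = getTempDirectory()>
<!--- Per-request name, so two concurrent downloads never share or delete each other's file. --->
<cfset baseName = createUUID()>
<cfset srcPath = workDir & baseName & ".txt">
<cfset zipPath = workDir & baseName & ".zip">
<cfset zipBytes = "">

<cftry>
    <!--- Build the archive on disk, then pull it into memory. --->
    <cffile action="write" file="#srcPath#" output="constructed sample export">
    <cfzip action="zip" file="#zipPath#" source="#srcPath#">
    <cffile action="readBinary" file="#zipPath#" variable="zipBytes">

    <cfcatch type="any">
        <!--- Let the error surface; cleanup below still runs. --->
        <cfrethrow>
    </cfcatch>

    <cffinally>
        <!--- Remove only this request's files, whether or not a step above threw,
              so no unprotected copy stays on disk. --->
        <cfif fileExists(zipPath)>
            <cffile action="delete" file="#zipPath#">
        </cfif>
        <cfif fileExists(srcPath)>
            <cffile action="delete" file="#srcPath#">
        </cfif>
    </cffinally>
</cftry>

<!--- Set every response header first, then send the bytes from memory. --->
<cfheader name="Content-Disposition" value="attachment; filename=export.zip">
<cfheader name="Cache-Control" value="no-cache, no-store, must-revalidate, max-age=0">
<cfheader name="Pragma" value="no-cache">
<cfcontent type="application/zip" variable="#zipBytes#">
```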
Re: Post Office mailing Barcode
You should be able to use any Java library. I have seen several people using this one with CF.
http://sourceforge.net/projects/barbecue/

On Fri, Nov 9, 2012 at 5:07 PM, Rob Voyle robvo...@voyle.com wrote:

Hi folks

Anyone know of a US Post Office barcode creator that would run with ColdFusion and MySQL?

Thanks
Rob

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353122
Re: JRun Console dies with ELContext error
Hi Dave,

In the short term, all we need to do is configure a JRun datasource (to Oracle RAC, configuring it like the CF Other with a generic JDBC URL). I hadn't thought to do that outside of the console. I'll look around for info. In the long run we'd like to get the console working again, of course, and I like the way you're thinking.

Chris

On Thu, Nov 8, 2012 at 5:21 PM, Dave Watts dwa...@figleaf.com wrote:

We have (another :-) weird thing happening -- the JRun Console doesn't work, and gives the below ELContext error. The cfusion, admin, and samples server instances are fine and run with no issue. But we can't manage anything from the JRun console.

What are you trying to do from the JRun console exactly? Many tasks can be done without going in there.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353123
General Assembly Career Fair - NYC
Does anyone know where the career fair is being held tomorrow?

Gil

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353124
Re: General Assembly Career Fair - NYC
I'm guessing that was meant for a different list? :-)

On Fri, Nov 9, 2012 at 5:07 PM, Gilbert Midonnet g...@glmdesigns.com wrote:

Does anyone know where the career fair is being held tomorrow?

Gil

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353125
cf.Objective() 2013
http://www.quackfuzed.com/index.cfm/2012/11/10/cfObjective-2013-Call-for-Speakers

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353126
RE: encrypt / decrypt question
Leigh, Wil, and Pete: to follow up. This code seems to be working very well to encrypt a credit card number:

<!--- set default value for variable 'result' in case no value is entered for CreditCardNumber --->
<cfparam name="result" default="">
<!--- generate a key suitable for AES --->
<cfset theKey = GenerateSecretKey("AES", 256)>
<!--- now do the actual encryption using the AES algorithm --->
<cfset result = encrypt(form.CreditCardNumber, theKey, "AES", "UU")>
<!--- update statement --->
CreditCardNumber = <cfqueryparam cfsqltype="cf_sql_varchar" value="#result#">,

I will use the same logic to create the decrypt statement. Thank you, again. Have a good evening.

Eric

-----Original Message-----
From: Leigh [mailto:cfsearch...@yahoo.com]
Sent: Friday, November 09, 2012 1:37 PM
To: cf-talk
Subject: RE: encrypt / decrypt question

My response got cut off.. Here is the full snippet... assuming it goes through ;-)
http://pastebin.com/fPLcU3Kd

-Leigh

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353127
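
Added example, not part of the original thread or any poster's code: the Encrypt(string, key, algorithm, encoding) call discussed above paired with its Decrypt, showing that the value can only be recovered with the same key that encrypted it, so the output of GenerateSecretKey has to be kept somewhere. The variable names, the test card number and the idea of a stored key are assumptions made for illustration.

```cfml
<cfscript>
// Constructed test value, not real card data.
cardNumber = "4111111111111111";

// Generate the key ONCE and keep it. GenerateSecretKey returns a Base64
// string; where it is stored (outside the table holding the ciphertext)
// is an assumption of this example and is not shown.
storedKey = generateSecretKey("AES", 256);

// Argument order as given in the thread: string, key, algorithm, encoding.
cipherText = encrypt(cardNumber, storedKey, "AES", "UU");

// Decrypt mirrors Encrypt: same key, same algorithm, same encoding.
roundTrip = decrypt(cipherText, storedKey, "AES", "UU");
sameKeyWorks = (roundTrip eq cardNumber);

// A key generated on a later request is a different random key.
otherKey = generateSecretKey("AES", 256);
otherKeyWorks = false;
try {
    // With the wrong key this normally throws (bad padding); if it does
    // not throw, the result is garbage and the comparison is false.
    otherKeyWorks = (decrypt(cipherText, otherKey, "AES", "UU") eq cardNumber);
} catch (any e) {
    otherKeyWorks = false;
}

writeOutput("Same key recovers the value: " & sameKeyWorks & "<br>");
writeOutput("Freshly generated key recovers the value: " & otherKeyWorks);
</cfscript>
```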