Re: postSizeLimit and postParameterLimit
On Thu, Mar 28, 2013 at 11:26 PM, Justin Hansen jhan...@uhlig.com wrote:

> There is a bit of a debate going on, I was hoping the community could chime in...
>
> What is a reasonable limit for the postSizeLimit and postParameterLimit settings (aka maximum number of form fields)? 100, 1,000, 10,000?

Tomcat has a default value of 1 for a somewhat equivalent parameter (maxParameterCount): http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

-- Mack

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355194
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: postSizeLimit and postParameterLimit
> What is a reasonable limit for the postSizeLimit and postParameterLimit settings (aka maximum number of form fields)? 100, 1,000, 10,000?
>
> On the one hand, we have a dynamic form with LOTS of fields. This is/was a business requirement, it grew over time, it hit the limit, again. Of course we could spend days/hours rewriting the code, or we can just up the limit and move on. (Yes, eventually it should get re-written, but that's not the point of this inquiry.)
>
> On the other hand, we have security. The security camp says, the lower the better. Is raising the limit from say 5,000 to 6,000 really going to hurt us from a security point of view? How? Why?
>
> I have looked around and seen many a blog post about the settings. However, I haven't seen any information on what a good rule of thumb should be. Just where should we draw the line? How high is too high and why?

It should be a bit larger, at least, than your largest form. That's the only rule of thumb I can give you. The goal of this setting is to prevent submission of large forms that you are presumably not expecting to process. If you allow people to submit very large forms, they could build their own HTTP POST with large amounts of data which may effectively keep your server from doing anything else. But if you actually have large forms that you want to process, that's perfectly reasonable and you should be allowed to do so. I'm a pretty security-conscious person, and I'd recommend you simply increase the limit to allow your current form to work.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355195
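The two settings under discussion are a byte-size cap and a field-count cap on a POST body. The Python below is an added example, not code from the thread or from ColdFusion, showing what such a cap has to do to deliver the protection Dave describes: reject an oversized body before the server has done the work of decoding it. `parse_form`, `make_form_body` and `choose_param_limit` are names chosen here; the limit values and the 500-field headroom are assumptions, standing in for whatever postSizeLimit and postParameterLimit are set to.

```python
"""Parse a URL-encoded POST body while enforcing a byte-size limit and a
parameter-count limit.  Oversize input is rejected before it is fully
decoded, so a deliberately huge POST never turns into server work."""
from urllib.parse import unquote_plus


class FormLimitExceeded(ValueError):
    """Raised when the body exceeds either configured limit."""


def parse_form(body: bytes, max_bytes: int, max_params: int) -> dict:
    """Decode name=value pairs; refuse bodies over max_bytes or with more
    than max_params fields.  Both limits are assumed deployer-chosen values
    standing in for postSizeLimit and postParameterLimit."""
    # Size check first: it is O(1) and stops the request before any decoding.
    if len(body) > max_bytes:
        raise FormLimitExceeded(f"body is {len(body)} bytes, limit is {max_bytes}")

    fields = {}
    seen = 0
    for pair in body.split(b"&"):
        if not pair:
            continue
        seen += 1
        # Count before decoding, so a body with too many fields is dropped
        # without paying for the decode of every remaining field.
        if seen > max_params:
            raise FormLimitExceeded(f"more than {max_params} form fields")
        name, _, value = pair.partition(b"=")
        fields[unquote_plus(name.decode("latin-1"))] = unquote_plus(value.decode("latin-1"))
    return fields


def make_form_body(field_count: int) -> bytes:
    """Constructed sample input: a form with fields f0..f(N-1)."""
    return b"&".join(b"f%d=v%d" % (i, i) for i in range(field_count))


def choose_param_limit(largest_form_fields: int, headroom: int = 500) -> int:
    """The thread's rule of thumb: the limit sits a bit above the largest form
    you actually process.  The 500-field headroom is an assumption."""
    return largest_form_fields + headroom


if __name__ == "__main__":
    limit = choose_param_limit(5000)          # 5500 for a 5,000-field form
    ok = parse_form(make_form_body(5000), 10_000_000, limit)
    print(f"accepted legitimate form with {len(ok)} fields, limit {limit}")
    try:
        parse_form(make_form_body(limit + 1), 10_000_000, limit)
    except FormLimitExceeded as exc:
        print("rejected oversized POST:", exc)
```

The order of the checks is the point: the byte limit is tested on the raw body length, and the field limit is tested per pair before that pair is decoded, so the cost of a rejected request stays bounded by the limit rather than by what the sender chose to send.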
PCI-Compliance Ding for Non-Random CFID's
Hi, all...

Trying to get my server to pass PCI-Compliance and I was dinged for the server (CF) using non-random session id's (CFID's). They found three consecutive CFID's in use.

However, I noticed in the CF documentation that CF-Tokens are random. And I opted for the long-form CF-Tokens in the administrator.

Is there a way to use random CFID's or is that what the random CF-Tokens are for: to provide a pair of variables, that together satisfy randomness requirements for sessions?

Thanks for any feedback!

Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355196
Re: PCI-Compliance Ding for Non-Random CFID's
Turning on use J2EE sessions will give you a cryptographically strong random token.

-Cameron

On Fri, Mar 29, 2013 at 11:49 AM, Rick Faircloth r...@whitestonemedia.com wrote:

> Trying to get my server to pass PCI-Compliance and I was dinged for the server (CF) using non-random session id's (CFID's). They found three consecutive CFID's in use.
> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355197
Re: PCI-Compliance Ding for Non-Random CFID's
> Is there a way to use random CFID's or is that what the random CF-Tokens are for: to provide a pair of variables, that together satisfy randomness requirements for sessions?

I don't think there's any way to control the values issued for CFID. The CFTOKEN values are random and secure if you choose that option in the CF Administrator. But I'd second Cameron's recommendation to use J2EE sessions if you can. You'll get a single token that is secure. Plus, the token will be discarded when the browser is closed.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355198
Using a variable to dynamically specify table name in CF10?
I am in the process of moving from CF8 to 10. I have a couple of queries where I dynamically specify the table name. For some reason this technique does not work in CF10? So for instance...

    <cfset tblname = "cooltbl">
    <cfquery name="dblist" datasource="#application.ds#">
        SELECT * FROM #tblname#
    </cfquery>

Thanks in advance.

--
Best Regards,
Marty Franklin
Information Technology
Asset Research Services, Inc.
ma...@assetresearch.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355199
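The query above splices `#tblname#` straight into the SQL text. A table name is an identifier, not a value, so it cannot be bound with a query parameter the way a WHERE clause value can; if the name ever comes from a request, the only defence is to validate it against a fixed list before it reaches the query. The following is an added example in Python (not the poster's CFML and not ColdFusion's own code) of that allow-list pattern, run against an in-memory SQLite table. `ALLOWED_TABLES`, `safe_table`, `build_select` and the `cooltbl` contents are all constructed for the example.

```python
"""Select from a table chosen at run time without letting the name become an
injection point: the name must be a plain identifier AND appear in a fixed
allow-list, and the validated identifier is quoted."""
import re
import sqlite3

# Constructed allow-list: every table a request may legitimately read from.
ALLOWED_TABLES = frozenset({"cooltbl", "archive_2012", "archive_2013"})

# Plain SQL identifier: letters, digits, underscore; no spaces, quotes or ';'.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class UnknownTable(ValueError):
    """Raised for any table name that is not on the allow-list."""


def safe_table(name: str) -> str:
    """Return the name only if it is both a plain identifier and allow-listed;
    anything else is rejected before any SQL is built."""
    if not IDENT_RE.match(name) or name not in ALLOWED_TABLES:
        raise UnknownTable(f"table not permitted: {name!r}")
    return name


def build_select(table: str) -> str:
    # Double-quoting the validated identifier keeps the statement valid even
    # if an allow-listed name collides with a keyword; the allow-list, not
    # the quoting, is what makes this safe.
    return f'SELECT * FROM "{safe_table(table)}"'


def run_select(conn: sqlite3.Connection, table: str) -> list:
    """Execute the validated SELECT and return all rows."""
    return conn.execute(build_select(table)).fetchall()


def demo() -> list:
    """Constructed sample data: two rows in cooltbl, read back via the allow-list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cooltbl (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO cooltbl VALUES (1, 'alpha'), (2, 'beta')")
    return run_select(conn, "cooltbl")


if __name__ == "__main__":
    print(demo())                       # [(1, 'alpha'), (2, 'beta')]
    for bad in ("users", "cooltbl; DROP TABLE cooltbl", 'cooltbl"'):
        try:
            build_select(bad)
        except UnknownTable as exc:
            print("rejected:", exc)
```

In CFML the same shape applies: keep the list of permitted table names in application scope, check `tblname` against it with a plain comparison before the `<cfquery>`, and throw if it is absent. `<cfqueryparam>` is still the right tool for every value in the statement; it just does not cover identifiers.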
Re: Sublime Text 2
Dave,

Great free video course here: https://tutsplus.com/course/improve-workflow-in-sublime-text-2

-- Dan O'Keefe

On Thu, Mar 28, 2013 at 10:28 AM, dave d...@northgoods.com wrote:

> Thanks Mark but I must be missing something. I downloaded the package control file. What screen must I be in when I do the Ctrl+shift+P? When I do that from the opening screen, a drop down list appears with actions but if I type install nothing shows up and the dropdown list does not include any reference to Package Control. Did I miss something?
>
> Dave
>
> ----- Original Message -----
> From: Mark Drew mark.d...@gmail.com
> To: cf-talk cf-talk@houseoffusion.com
> Sent: Thursday, March 28, 2013 10:52 AM
> Subject: Re: Sublime Text 2
>
>> Install this: http://wbond.net/sublime_packages/package_control
>>
>> Once you do that just do Ctrl + shift + P
>>
>> Type 'install' and select Package Control: Install Package then look for cold fusion
>>
>> Sincerely
>> Mark Drew
>>
>> On 28 Mar 2013, at 15:47, dave d...@northgoods.com wrote:
>>
>>> I downloaded and installed Sublime Text 2 but I can't locate a CF package. Does anyone have the link to this?
>>>
>>> Dave

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355200
Re: Using a variable to dynamically specify table name in CF10?
What is the error?

On Fri, Mar 29, 2013 at 4:40 PM, Marty Franklin ma...@assetresearch.com wrote:

> I am in the process of moving from CF8 to 10. I have a couple of queries where I dynamically specify the table name. For some reason this technique does not work in CF10?
> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355201
Re: PCI-Compliance Ding for Non-Random CFID's
Most (if not all) PCI scanning vendors will remove it from your report if you explain that the session is based on BOTH the CFID and CFTOKEN values, not just one, as long as you have "Use UUID for CFTOKEN" enabled (which in CF9/10 is more than just a UUID).

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Fri, Mar 29, 2013 at 11:49 AM, Rick Faircloth r...@whitestonemedia.com wrote:

> Trying to get my server to pass PCI-Compliance and I was dinged for the server (CF) using non-random session id's (CFID's). They found three consecutive CFID's in use.
> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355202
Re: PCI-Compliance Ding for Non-Random CFID's
> Most (if not all) PCI scanning vendors will remove it from your report if you explain that the session is based on BOTH the CFID and CFTOKEN values, not just one, as long as you have "Use UUID for CFTOKEN" enabled (which in CF9/10 is more than just a UUID).

I can second that, we've run into this before and any QSA who knows what they're doing will put an exception in place for this scenario. Frankly I'm surprised more of them haven't built this in as a rule by default when cfid and cftoken are both present.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355203
RE: PCI-Compliance Ding for Non-Random CFID's
Thanks for the reply, Pete...

If I remember all of the conversation correctly, when we came to the ding for consecutive session variables, the scanning vendor rep did mention the fact that a CFToken was involved and that made a difference. I did look up the information on this in the docs (CF9) and it did mention changing the CFToken to a long format (I didn't want to say UUID because, without looking it up, I wasn't sure that's the way it was labeled).

I have changed the CFToken to the long-format, so that should satisfy the vendor. I'm working with Security Metrics, the PCI-Compliance Vendor for TD Bank. They've been very good about going over all the technicalities and offering suggestions and solutions to issues, such as this one. Security Metrics has been good to work with so far and reasonably priced, so I thought I'd give them a shout-out. (btw, I own the company... no just kidding!) I have no connection to them at all.

But thanks for the feedback, again, and just fyi, that's the only CF-related issue that came up at all in the compliance scan. :o)

Rick

To: cf-talk@houseoffusion.com
Subject: Re: PCI-Compliance Ding for Non-Random CFID's
Date: Fri, 29 Mar 2013 13:37:01 -0400
From: p...@foundeo.com

> Most (if not all) PCI scanning vendors will remove it from your report if you explain that the session is based on BOTH the CFID and CFTOKEN values, not just one, as long as you have "Use UUID for CFTOKEN" enabled (which in CF9/10 is more than just a UUID).
> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355204
Re: Using a variable to dynamically specify table name in CF10?
What is the error message that you receive?

--
William Seiter

On Mar 29, 2013, at 9:40 AM, Marty Franklin ma...@assetresearch.com wrote:

> I am in the process of moving from CF8 to 10. I have a couple of queries where I dynamically specify the table name. For some reason this technique does not work in CF10?
> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355205
RE: Sublime Text 2
Hi, Dave...

Have you tried going through Package Control to look for a CF package? It should show up there.

Rick

To: cf-talk@houseoffusion.com
Subject: Sublime Text 2
Date: Thu, 28 Mar 2013 10:47:30 -0500
From: d...@northgoods.com

> I downloaded and installed Sublime Text 2 but I can't locate a CF package. Does anyone have the link to this?
>
> Dave

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355206
Re: Sublime Text 2
Thanks Rick but I've already installed the package. Now I just have to learn how to use it... and Windows 8.

BTW, does anyone know how to toggle back from fullscreen in the IE8 browser? F11 doesn't work in Windows 8 as it did in XP. :-P

Thanks anyway.

Dave

----- Original Message -----
From: Rick Faircloth r...@whitestonemedia.com
To: cf-talk cf-talk@houseoffusion.com
Sent: Friday, March 29, 2013 4:00 PM
Subject: RE: Sublime Text 2

> Hi, Dave...
>
> Have you tried going through Package Control to look for a CF package? It should show up there.
>
> Rick
> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355207
Re: Sublime Text 2
Thanks, I've watched a little and they're very helpful.

Dave

----- Original Message -----
From: Dan O'Keefe dan.oke...@gmail.com
To: cf-talk cf-talk@houseoffusion.com
Sent: Friday, March 29, 2013 11:59 AM
Subject: Re: Sublime Text 2

> Dave,
>
> Great free video course here: https://tutsplus.com/course/improve-workflow-in-sublime-text-2
>
> -- Dan O'Keefe
> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355208
RE: PCI-Compliance Ding for Non-Random CFID's
Tell the PCI testing company that the session requires two tokens, CFID and CFTOKEN, and while one is consecutive the other is random. They will place it in their testing as an exception. We have to do this all the time with each new client <sigh> even when it is the same testing company. We have never had any trouble or blowback on this issue once we tell them.

Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com

-----Original Message-----
From: Rick Faircloth [mailto:r...@whitestonemedia.com]
Sent: Friday, March 29, 2013 11:49 AM
To: cf-talk
Subject: PCI-Compliance Ding for Non-Random CFID's

> Hi, all...
>
> Trying to get my server to pass PCI-Compliance and I was dinged for the server (CF) using non-random session id's (CFID's). They found three consecutive CFID's in use.
> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355209
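Dave Watts, Pete Freitag and Dennis all make the same argument to the scanner: the session key is the pair, a sequential id plus a random token, and the random half is what carries the security. The Python below is an added example, not ColdFusion's session code and not anything posted in the thread, that models exactly that pairing and includes the structural check a reviewer can run over observed ids and tokens before making the argument. `SessionStore`, `consecutive_ids`, `random_half_bits`, the 16-byte token size and the starting id of 1000 are all assumptions for the example; the token is a hex string generated from the CSPRNG, standing in for the UUID-style CFTOKEN.

```python
"""Model of a two-part session key: a sequential CFID-style id paired with a
random CFTOKEN-style token.  Knowing one session's id, and that the next id
is id+1, tells an observer nothing about the token half, so the pair does
not let one session be found from another."""
import hmac
import secrets

TOKEN_BYTES = 16  # assumed token size: 128 random bits, hex-encoded to 32 chars


class SessionStore:
    """Sessions are addressed by the (id, token) pair; the id alone is never enough."""

    def __init__(self, first_id: int = 1000):
        self._next_id = first_id          # constructed starting point for the counter
        self._sessions = {}               # id -> (token, session data)

    def create(self, data):
        sid = self._next_id
        self._next_id += 1                # sequential, like the ids the scanner saw
        token = secrets.token_hex(TOKEN_BYTES)   # CSPRNG-backed random half
        self._sessions[sid] = (token, data)
        return sid, token

    def lookup(self, sid: int, token: str):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        stored_token, data = entry
        # Constant-time comparison so the token half cannot be guessed byte by byte.
        if not hmac.compare_digest(stored_token, token):
            return None
        return data


def consecutive_ids(ids) -> bool:
    """True when the observed ids form one run of consecutive integers: the
    condition the PCI scan flagged."""
    ordered = sorted(ids)
    return len(ordered) > 1 and all(b - a == 1 for a, b in zip(ordered, ordered[1:]))


def random_half_bits(tokens) -> int:
    """Guess-resistance the token half contributes, judged structurally: every
    token must be distinct, the same length and hex; the bound is 4 bits per hex
    character.  Zero means the pair is no better than the id alone.  This is a
    sanity check on the token format, not a statistical entropy measurement."""
    tokens = list(tokens)
    if not tokens or len(set(tokens)) != len(tokens):
        return 0
    lengths = {len(t) for t in tokens}
    if len(lengths) != 1:
        return 0
    if not all(all(c in "0123456789abcdef" for c in t) for t in tokens):
        return 0
    return 4 * lengths.pop()


if __name__ == "__main__":
    store = SessionStore()
    issued = [store.create({"user": f"u{i}"}) for i in range(3)]
    ids = [sid for sid, _ in issued]
    toks = [tok for _, tok in issued]
    print("ids consecutive:", consecutive_ids(ids))        # True, as the scanner reported
    print("random half, bits:", random_half_bits(toks))     # 128
    sid, tok = issued[1]
    print("correct pair:", store.lookup(sid, tok))
    print("neighbouring id with another session's token:", store.lookup(sid, toks[0]))
```

The check that matters for the scanner conversation is the combination: `consecutive_ids` confirms what the scan reported, and `random_half_bits` confirms that the other half of the key is distinct, fixed-length and drawn from a large space. If the second check returns 0 (tokens repeat, or are short, or are not random-looking), the exception argument does not hold and the token setting needs fixing first.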
RE: PCI-Compliance Ding for Non-Random CFID's
Thanks, Dennis!

Rick

To: cf-talk@houseoffusion.com
Subject: RE: PCI-Compliance Ding for Non-Random CFID's
Date: Fri, 29 Mar 2013 18:03:23 -0400
From: denn...@uxbinternet.com

> Tell the PCI testing company that the session requires two tokens, CFID and CFTOKEN, and while one is consecutive the other is random. They will place it in their testing as an exception.
> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355210