ColdFusion Scheduled Tasks Failing with 403 Forbidden Error (Cloudflare Issue)

My company recently experienced an issue where all of the scheduled tasks in CFADMIN were failing. The first step I took to troubleshoot the issue was to check the scheduler.log log file. Each task had 2 lines in the log file. The first line indicated that the task had been triggered. The second line indicated an error of 403 Forbidden.

"Information","DefaultQuartzScheduler_Worker-3","11/08/24","07:00:00","","Task DEFAULT.NIGHTLY CLEANUP JOB triggered."
"Error","DefaultQuartzScheduler_Worker-3","11/08/24","07:00:00","","403 Forbidden"
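
To see which tasks are failing without reading the file by eye, the trigger and error lines can be paired up in code. The following is an added example, not part of the original post; the sample log is constructed, and it assumes the error line is written by the same worker thread as the trigger line, as in the excerpt above.

```python
import csv
import io
import re

# Constructed sample in the scheduler.log format shown above; task names
# other than the first are invented for illustration.
SAMPLE_LOG = '''"Information","DefaultQuartzScheduler_Worker-3","11/08/24","07:00:00","","Task DEFAULT.NIGHTLY CLEANUP JOB triggered."
"Error","DefaultQuartzScheduler_Worker-3","11/08/24","07:00:00","","403 Forbidden"
"Information","DefaultQuartzScheduler_Worker-1","11/08/24","07:05:00","","Task DEFAULT.REPORT EXPORT triggered."
"Information","DefaultQuartzScheduler_Worker-2","11/08/24","07:05:00","","Task DEFAULT.CACHE WARMUP triggered."
"Error","DefaultQuartzScheduler_Worker-2","11/08/24","07:05:01","","403 Forbidden"
'''

TRIGGERED = re.compile(r"^Task (?P<name>.+) triggered\.$")


def failed_tasks(log_text):
    """Return one dict per task whose trigger line was followed by an Error line."""
    pending = {}   # worker thread -> task most recently triggered on that thread
    failures = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # blank or malformed line
        severity, thread, date, time, _app, message = row
        match = TRIGGERED.match(message)
        if match:
            pending[thread] = match.group("name")
        elif severity == "Error" and thread in pending:
            # Assumption: the error is logged on the same worker thread
            # as the trigger line, as in the excerpt above.
            failures.append({"task": pending.pop(thread), "date": date,
                             "time": time, "error": message})
    return failures


if __name__ == "__main__":
    for failure in failed_tasks(SAMPLE_LOG):
        print("{date} {time}  {task}: {error}".format(**failure))
```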

Since no permissions had been changed on the server, this was a perplexing error. The next step that I took was to execute one of the task URLs from a web browser on the server. The task completed successfully. This led me to try to obtain more information about CFADMIN running the task, so I enabled Save output to file under the Publish section of the Scheduled Task and specified a file to output the result.

CFADMIN Scheduled Task Log to File

Once this setting was in place I executed the task again from CFADMIN > Server Settings > Scheduled Tasks and checked the log file. The log file contained the text error code: 1010.

CFADMIN Scheduled Task Log to File result

Researching error code: 1010 led me to several articles regarding Cloudflare blocking access to a site based on the browser signature.

This narrowed the issue to either an issue with Cloudflare or the task not running correctly when executed by ColdFusion. I decided to try executing the URL from a ColdFusion cfhttp call using the following basic script.

The task completed successfully when called from cfhttp. Below is a dump of the result:

Dump of cfhttp

The issue therefore seemed to be narrowed to the fact that Cloudflare was rejecting calls to URLs from the CFADMIN (apparently based on an issue with the browser signature). The browser signature is examined at Cloudflare by a Browser Integrity Check (BIC) as a component of a WAF.

A WAF or web application firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site forgery, cross-site scripting (XSS), file inclusion, and SQL injection, among others.

Read more about Cloudflare’s WAF.

You can create a custom WAF rule to turn off the Browser Integrity Check (BIC). First, use the Go to navigation to search for WAF and choose Security | WAF | Custom Rules:

WAF Go to

Next, click the Create rule button to begin. Our solution will use the following settings to disable the BIC on requests only from our server IP to scripts residing in a certain directory:

  • For the `Field` select `IP Source Address`, for `Operator` select `equals` and enter the IP address of your server as the `Value` (this will allow the rule to only apply to requests from your server).
  • Click the `And` button to add another row.
  • For the `Field` select `URI Path`, for `Operator` select `wildcard` and enter the directory of your scheduled tasks as the `Value` (this will allow a single rule to apply to multiple task scripts in the directory). Notice the directory uses a wildcard at the end `/jobs/*`.
  • For the `Choose action` select `skip`.
  • Select `On` for `Log matching requests`.
  • Under `WAF components to skip` check `Browser Integrity Check` (you may need to click the `More components to skip` link to locate it).
  • Click the `Deploy` button to enable the rule immediately.
WAF Create rule

You can view the logging of the Firewall events. First, use the Go to navigation to search for Events and choose Security | Events:

Events Go to

As you can see, the previously blocked requests via CFADMIN are now allowed at Cloudflare via a Skip action using Custom rules.

Firewall events

ColdFusion unscoped variables and how to find them (using the new patch)

On March 12, 2024 ColdFusion (2021 release) Update 13 introduced a change with significant implications for developers, particularly for developers managing older code that could be “leveraging” a “feature” of ColdFusion whereby ColdFusion would forgivingly “search” through scopes in a specific order if a variable name is not prefixed with a scope identifier.

Rather than re-explain all the details here, Pete Freitag has a great write-up of the unscoped variable issue.

The release notes for the update also contain a section titled Significant changes in the release which details the issue and provides 2 options for “fixing” the issue.

Option 1: Correct application code to fetch values from the correct scope.

This option is obviously the ideal one, but how do you locate the offending code? If you are fortunate enough to use Fixinator there is an option to scan for the issue. See this post for how to use Fixinator.

If you don’t have Fixinator you can implement Option 2 and then use the new patch provided by Adobe to help find issues.

Option 2: Set searchimplicitscopes value back to TRUE.

This can be accomplished by doing the following:

  • Add the newly introduced flag, -Dcoldfusion.searchimplicitscopes=true to the jvm arguments
  • Set searchimplicitscopes key to TRUE in Application.cfc or Application.cfm to override the jvm flag set at the server level: this.searchimplicitscopes = true

Using the patch to find issues

Adobe introduced a patch on April 1, 2024 that allows developers to view unscoped variables in a log file. It can be used once you have Option 2 in place.

Link to the patch: https://helpx.adobe.com/coldfusion/kb/view-unscoped-variables-log-file.html

How to apply the patch

  1. Copy the patch to cfusion/lib/updates.
  2. Restart ColdFusion.

Once I had the patch in place I went to my application and just started using it. Within the first few pages the log file had entries.

How to view the log file

Navigate to /cfusion/logs and locate the log file unscoped.log. The unscoped variable is appended to the template name as :VARIABLENAME.


"Severity","ThreadID","Date","Time","Application","Message"
"Information","XNIO-1 task-2","04/09/24","09:32:12","applicationName","/pathToApp/render.cfm:BTNSUBMIT"
"Information","XNIO-1 task-1","04/09/24","09:34:36","applicationName","/pathToApp/add.cfm:BTNSUBMIT"
"Information","XNIO-1 task-2","04/09/24","09:35:24","applicationName","/pathToApp/edit.cfm:DETAILID"
"Information","XNIO-1 task-2","04/09/24","09:35:24","applicationName","/pathToApp/edit.cfm:DETAILID"
"Information","XNIO-1 task-2","04/09/24","09:35:30","applicationName","/pathToApp/edit.cfm:BTNSUBMIT"
"Information","XNIO-1 task-2","04/09/24","09:35:49","applicationName","/pathToApp/received.cfm:BTNSUBMIT"
"Information","XNIO-1 task-3","04/09/24","09:41:06","applicationName","/pathToApp/note.cfm:BTNSUBMIT"

I’m going to implement this workflow and monitor the unscoped.log file daily to make corrections. Once some of the issues are identified in the unscoped.log file it becomes easier to use find/replace for common issues in the codebase.
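
For the daily review described above, the log can be collapsed into one row per variable so that the names touching the most templates are fixed first. This is an added example, not part of the original post or of Adobe's patch; the sample log is constructed in the format shown above, and the Windows path in it is invented to show why the message is split on its last colon.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the unscoped.log format shown above.
SAMPLE_LOG = r'''"Severity","ThreadID","Date","Time","Application","Message"
"Information","XNIO-1 task-2","04/09/24","09:32:12","applicationName","/pathToApp/render.cfm:BTNSUBMIT"
"Information","XNIO-1 task-1","04/09/24","09:34:36","applicationName","/pathToApp/add.cfm:BTNSUBMIT"
"Information","XNIO-1 task-2","04/09/24","09:35:24","applicationName","/pathToApp/edit.cfm:DETAILID"
"Information","XNIO-1 task-2","04/09/24","09:35:24","applicationName","/pathToApp/edit.cfm:DETAILID"
"Information","XNIO-1 task-2","04/09/24","09:35:30","applicationName","/pathToApp/edit.cfm:BTNSUBMIT"
"Information","XNIO-1 task-3","04/09/24","09:41:06","applicationName","C:\inetpub\app\note.cfm:BTNSUBMIT"
this line is not a log entry
'''


def parse_unscoped(log_text):
    """Yield (application, template, variable) for each well-formed entry."""
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6 or row[0] == "Severity":
            continue  # header, blank or malformed line
        # Split on the LAST colon so a drive letter (C:\...) stays in the path.
        template, sep, variable = row[5].rpartition(":")
        if sep and template and variable:
            yield row[4], template, variable


def summarize(log_text):
    """Return [(variable, {"hits": n, "templates": set})], widest spread first."""
    by_variable = defaultdict(lambda: {"hits": 0, "templates": set()})
    for _app, template, variable in parse_unscoped(log_text):
        entry = by_variable[variable]
        entry["hits"] += 1
        entry["templates"].add(template)
    # Variables seen in the most templates are the best find/replace targets.
    return sorted(by_variable.items(),
                  key=lambda item: (-len(item[1]["templates"]), item[0]))


if __name__ == "__main__":
    for variable, info in summarize(SAMPLE_LOG):
        print(f"{variable}: {info['hits']} hits in {len(info['templates'])} templates")
        for template in sorted(info["templates"]):
            print(f"    {template}")
```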

For additional reading here is a good ColdFusion forum post: View unscoped variables in a log file

How to use the Microsoft JDBC Driver for SQL Server in ColdFusion

I recently had an issue where the datasources using the Microsoft SQL Server Driver in ColdFusion were failing. The error was:

java.sql.SQLException: Timed out trying to establish connection

There was no change with the database server. For some reason the driver was just not connecting. This led to an exploration of connecting using JDBC both with the Adobe jar included with ColdFusion and by downloading the Microsoft JDBC Driver for SQL Server.

Using the Microsoft JDBC Driver for SQL Server

First you must obtain the driver and make it available to ColdFusion:

To create a JDBC data source to connect to an MS SQL Server database in ColdFusion:

  • Login to CFADMIN
  • Navigate to the Data & Services tab in CFADMIN
  • Enter a Datasource Name: developmentServerJDBC
  • For Driver choose: Other
  • Click: Add

On the ensuing page enter the additional information (change to your info):

  • CF Data Source Name: developmentServerJDBC
  • JDBC URL: jdbc:sqlserver://developmentServer;databaseName=developmentDatabase;Port=1433;encrypt=false;
  • Driver Class: com.microsoft.sqlserver.jdbc.SQLServerDriver
  • Driver Name: mssql-jdbc
  • User name: developmentUser
  • Password: ************
  • Description (optional): Uses Microsoft jar file

Using ColdFusion’s Microsoft SQL Server Driver

To create a data source to connect to an MS SQL Server database in ColdFusion:

  • Login to CFADMIN
  • Navigate to the Data & Services tab in CFADMIN
  • Enter a Datasource Name: developmentServer
  • For Driver choose: Microsoft SQL Server
  • Click: Add

On the ensuing page enter the additional information (change to your info):

  • CF Data Source Name: developmentServer
  • Database: developmentDatabase
  • Server: developmentServer
  • Port: 1433
  • User name: developmentUser
  • Password: ************
  • Description (optional): Uses ColdFusion's Microsoft SQL Server Driver

BONUS: Using ColdFusion’s Microsoft SQL Server Driver with JDBC

To create a JDBC data source to connect to an MS SQL Server database in ColdFusion:

  • Login to CFADMIN
  • Navigate to the Data & Services tab in CFADMIN
  • Enter a Datasource Name: developmentServerMicrosoftJDBC
  • For Driver choose: Other
  • Click: Add

On the ensuing page enter the additional information (change to your info):

  • CF Data Source Name: developmentServerMicrosoftJDBC
  • JDBC URL: jdbc:sqlserver://developmentServer;databaseName=developmentDatabase;Port=1433;encrypt=false;
  • Driver Class: macromedia.jdbc.MacromediaDriver
  • Driver Name: macromedia-jdbc
  • User name: developmentUser
  • Password: ************
  • Description (optional): Uses Adobe jar file

ACF Bug CF-4219847 (GENERATEDKEY and IDENTITYCOL are not returned)

ACF Bug CF-4219847 (GENERATEDKEY and IDENTITYCOL are not returned when performing an insert using MSSQL Symmetric Keys)

Filed as ACF bug CF-4219847.

This is not a bug in Lucee and functions as expected.

This demo illustrates that GENERATEDKEY and IDENTITYCOL are not returned when performing an insert using MSSQL Symmetric Keys.

ColdFusion 2023

ColdFusion 2023 IDENTITYCOL CF-4219847

ColdFusion 2021

ColdFusion 2021 IDENTITYCOL CF-4219847

Lucee 6

Lucee 6 IDENTITYCOL CF-4219847

Code to Reproduce:

ACF Bug CF-4219348 (cfdirectory Filter: The importance of filter order)

UPDATE

This bug has been FIXED by Adobe in Build No: 2023.0.0.330651!


Filed as ACF bug CF-4219348.

This is not a bug in Lucee and functions as expected.

This demo illustrates the importance of filter order for cfdirectory in ACF.

A directory contains the following files:

  • this-is-a-doc.doc
  • this-is-a-docm.docm
  • this-is-a-docx.docx
  • this-is-a-xls.xls
  • this-is-a-xlsm.xlsm
  • this-is-a-xlsx.xlsx

The filter attribute of cfdirectory accepts a pipe-delimited list. When a 3-character file extension precedes a 4-character file extension in the filter attribute of cfdirectory (and the extensions share the same first 3 characters), only files with the 3-character extension are included. You could use an asterisk (*) on the front and the back of the extension (*.doc*) to retrieve both .doc and .docx, but this could also include additional files you don’t want to retrieve, such as .docm files. The same is true for .xls, .xlsx, and .xlsm files.

Option 1: Filter (.doc|.docx|.xls|.xlsx): Returns 2 files: this-is-a-doc.doc, this-is-a-xls.xls

directory-filter-ACF-option-1

Option 2: Filter (.docx|.doc|.xlsx|.xls): Returns 4 files: this-is-a-doc.doc, this-is-a-docx.docx, this-is-a-xls.xls, this-is-a-xlsx.xlsx

directory-filter-ACF-option-2

Option 3: Filter(.doc|.xls): Returns 6 files: this-is-a-doc.doc, this-is-a-docm.docm, this-is-a-docx.docx, this-is-a-xls.xls, this-is-a-xlsm.xlsm, this-is-a-xlsx.xlsx

directory-filter-ACF-option-3

Code to Reproduce:

Using cfpm in CommandBox to List packages, Install a package, Export package list

Method 1

This example assumes you are running ColdFusion 2021 via CommandBox.

Launch CommandBox and run the following command(s):

> set CFPM_SERVER=YOUR_SERVER_NAME
> cfpm list
> cfpm install <cfpackagename>
> cfpm export path/to/packages.txt
> env clear CFPM_SERVER

Method 2

This example assumes you are NOT running ColdFusion via CommandBox. It assumes you are running a default installation of ColdFusion 2021 (Path is for Windows).

Launch CommandBox and run the following command(s):

> !C:\ColdFusion2021\cfusion\bin\cfpm.bat list
> !C:\ColdFusion2021\cfusion\bin\cfpm.bat install <cfpackagename>
> !C:\ColdFusion2021\cfusion\bin\cfpm.bat export C:\path\to\packages.txt

Run CommandBox directly inside VSCode Terminal


Initially I looked at the CommandBox documentation for running it inside VSCode: https://commandbox.ortusbooks.com/ide-integrations/visual-studio-code. However, the Shell Launcher extension was deprecated in favor of Terminal Profiles in the Integrated Terminal (VSCode >= v1.55). See this article: https://code.visualstudio.com/updates/v1_55#_terminal-profiles.

Set up a Terminal Profile for CommandBox:

  1. Open VSCode Preferences > Settings
  2. Search for terminal.integrated.profiles.osx (replace osx with windows or linux based on your OS)
  3. Click “edit in settings.json”
  4. Add the following under terminal.integrated.profiles.osx
    "CommandBox": {
        "path": "path/to/box"
    }
  5. Close and save settings.json

Launch CommandBox from VSCode terminal

  1. Press Cmd + Shift + P or Ctrl + Shift + P to launch the Command Palette
  2. Begin typing Terminal
  3. When you see Create New Terminal (With Profile) press Enter
  4. Under Select the terminal profile to create you should see the CommandBox profile you created. Select it with the down arrow key and press Enter
  5. CommandBox should launch in the terminal window

Adobe Dreamweaver Cleanup

I used Adobe Dreamweaver for probably close to a decade. I have since moved on to VSCode, but I still maintain several old sites built with Dreamweaver. Since no one in our organization uses Dreamweaver I finally decided it was time to remove the extra directories and files associated with Dreamweaver. This involved cleaning up both the server and my local Mac.

Following are instructions for removing Adobe Dreamweaver directories and files from a Windows server and a local Mac. I recommend logging and reviewing what’s being cleaned up before deleting, but if Danger is your middle name feel free to skip it.

Server Side (Windows)

Note: Server Side instructions assume you are running the command(s) from the directory you want to clean up.

Directories (_baks,_notes,_mm,MMWIP)

Log all occurrences of the directories to c:\directories-log.txt

for /d /r . %d in (_baks,_notes,_mm,MMWIP) do @if exist "%d" echo "%d" >> c:\directories-log.txt

Delete all occurrences of the directories

for /d /r . %d in (_baks,_notes,_mm,MMWIP) do @if exist "%d" rd /s/q "%d"

Files (*.LCK)

Log all occurrences of the files to c:\files-log.txt

dir /s/b *.LCK > c:\files-log.txt

Delete all occurrences of the files

del /s /f *.LCK

Local (Mac OSX)

Note: Local instructions assume you are running the command(s) on a directory you want to clean up located in /Users/developer/website

Directories (_baks,_notes,_mm,MMWIP)

Log all occurrences of the directories to ~/directories-log.txt

find /Users/developer/website -type d \( -name '_notes' -o -name '_baks' -o -name '_mm' -o -name 'MMWIP' \) > ~/directories-log.txt

Unlock all files in the directories (to avoid “Operation not permitted” error on locked files)

find /Users/developer/website -type d \( -name '_notes' -o -name '_baks' -o -name '_mm' -o -name 'MMWIP' \) -print0 | xargs -0 chflags -R nouchg

Delete all occurrences of the directories

find /Users/developer/website -type d \( -name '_notes' -o -name '_baks' -o -name '_mm' -o -name 'MMWIP' \) -prune -print0 | xargs -0 rm -rf

Files (*.LCK)

Log all occurrences of the files to ~/files-log.txt

find /Users/developer/website -name '*.LCK' -type f > ~/files-log.txt


Delete all occurrences of the files

find /Users/developer/website -name '*.LCK' -type f -print0 | xargs -0 rm -f

Atom support for Emmet in ColdFusion .cfm and .cfc files

I’m late to the party, but I’m trying out a new editor: GitHub’s Atom. My mission when I try out a new editor is to see if I can get the following 3 items set up properly (because if I can’t the editor is unfortunately not going to work for me).

  1. Language Support for ColdFusion
  2. An Emmet package
  3. Support for Emmet functionality within a .cfm, .cfc file

Setting up Language support for ColdFusion is easy. Simply install the language-cfml package. To install a package in Atom:

  • From the Atom editor menu, navigate to Atom -> Preferences
  • Click the Install button
  • Type language-cfml in the Search Packages field and click the Packages button
  • Click the Install button for the language-cfml package

Setting up Emmet is easy. Simply install the emmet package (see package install instructions above).

Setting up Emmet support for ColdFusion .cfm and .cfc files requires editing your Keymap. This step was derived from the emmet-atom Tab key documentation.

  • Open the Keymap file (keymap.cson): Atom > Keymap...
  • Add the following to the keymap.cson file (proper indentation counts):
'atom-text-editor[data-grammar="text html cfml"]:not([mini])':
    'tab': 'emmet:expand-abbreviation-with-tab'

Processing ColdFusion using .htm and .html files with Lucee

If you want Lucee to use the .htm and .html file extensions instead of (or in addition to) .cfm and .cfml you can set this up in 3 quick steps.

1. Stop Lucee
2. Edit the web.xml file located at

/conf/web.xml

From:


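     <servlet-mapping>
         <servlet-name>CFMLServlet</servlet-name>
         <url-pattern>*.cfc</url-pattern>
         <url-pattern>*.cfm</url-pattern>
         <url-pattern>*.cfml</url-pattern>
         <url-pattern>/index.cfc/*</url-pattern>
         <url-pattern>/index.cfm/*</url-pattern>
         <url-pattern>/index.cfml/*</url-pattern>
     </servlet-mapping>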

To:


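     <servlet-mapping>
         <servlet-name>CFMLServlet</servlet-name>
         <url-pattern>*.cfc</url-pattern>
         <url-pattern>*.cfm</url-pattern>
         <url-pattern>*.cfml</url-pattern>
         <url-pattern>*.htm</url-pattern>
         <url-pattern>*.html</url-pattern>
         <url-pattern>/index.cfc/*</url-pattern>
         <url-pattern>/index.cfm/*</url-pattern>
         <url-pattern>/index.cfml/*</url-pattern>
     </servlet-mapping>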

3. Start Lucee