Which file extensions are affected by ColdFusion's Trusted Cache - coldfusion

Which file extensions are cached by Trusted Cache? CFM and CFC are obvious ones, but what about CFR? Are there are other file extensions that are caught by Trusted Cache?
Some places I know/suspect that files enter the template cache are:
directly specified in the url (cfm, cfml, cfc, more?)
cfinclude (any file extension that is used in a cfinclude e.g. <cfinclude template="./some.css">)
cfmodule (cfm, more?)
cfimport (cfm, also jar and tld?)
cfobject, createobject (cfc, also .net, com, java, and web services?)
cfreport (cfr which can be complied with cfcompile utility?)
Are there other tags that will have the same effect of adding content into the template cache?

Adobe ColdFusion (and Railo) compile CFML templates to JVM bytecode and, if configured to do so, will write the compiled class(es) to disk as .class files. The template cache is a mechanism for saying: if the target class is already loaded, don't bother looking at the (source) file on disk to see if it needs recompilation - trust what's in memory.
Recent enhancements to ACF and Railo allow you to specify that (source) files can be checked always (not trusted), once per request, never (always trusted).
That shouldn't be news to anyone.
Obviously ACF and Railo will compile any .cfm or .cfc file they are asked to process so those will "end up" in the trusted cache if it is enabled.
If you cfinclude a file - any file - ACF and Railo will also compile that to JVM bytecode (and create a .class file on disk if configured to do so). Since an included file is compiled, it will also "end up" in the trusted cache. What happens if you include a CSS file then? It gets compiled to bytecode that outputs the entire content of the CSS file as a string to the response stream. Since it is a compiled class, that now outputs a hardcoded string, if you change the CSS source file and have trusted cache enabled, ACF and Railo will trust what's in the classloader and not recompile it (assuming "never" check source is the admin setting).
You can verify this by cleaning out the cfclasses folder, restarting your CFML engine and running your code. You'll see a .class file appear for your CSS file (assuming you have save class files to disk enabled).
So, cfinclude forces compilation of "any" file and the normal rules of trusted cache apply for classes loaded into memory.
I no longer use ACF so I can't speak in detail to .cfr files (Railo does not support report files) but it will most likely depend on whether ACF compiles a .cfr file or not. It should be easy to verify (by looking in the cfclasses folder).

By default, ColdFusion ships with the *.cfm, *.cfc, and *.cfml extensions mapped in JRun as the extensions that are trusted. You may view these mappings by opening up the j2ee-web.xml and web.xml config files in \JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\ (or near this, based on your installation):
<servlet-mapping id="coldfusion_mapping_3">
<servlet-name>CfmServlet</servlet-name>
<url-pattern>*.cfm</url-pattern>
</servlet-mapping>
<servlet-mapping id="coldfusion_mapping_4">
<servlet-name>CFCServlet</servlet-name>
<url-pattern>*.cfc</url-pattern>
</servlet-mapping>
<servlet-mapping id="coldfusion_mapping_5">
<servlet-name>CfmServlet</servlet-name>
<url-pattern>*.cfml</url-pattern>
</servlet-mapping>
However, you can also manually configure brand-new mappings here as well, which will allow ColdFusion to parse/compile CFML tags in files with a different extension as well (I've worked with CF Servers that have been configured to parse .shtml, for example)
Note: You'll also have to do some additional configuration for your web server, be it Apache, IIS, or whatever.
Once CF is configured to handle a file of a particular extension, it is added to the list of files that is processed in the Trusted Cache--since that file ultimately equates to a compiled .class file under-the-hood.

Unfortunately there isn't an official source for this information. However, it is possible, with a lot of work, to test each and every tag to see if the files end up in the Trusted Cache.
Your first two bullet points are covered by Shawn Holmes' answer and Sean Corfield's answer, respectively.
Bullet 3: cfmodule is limited to cfm files, so that extension is the only one you have to worry about there.
Bullet 6: cfreport shouldn't enter the template cache, since it's converting the file, not compiling it for code to execute.

Related

How can I compile my ColdFusion code for sourceless distribution, and have it be unreadable?

I've been tasked with creating a deployable version of a ColdFusion web app to be installed on a clients server. I'm trying to find a way to give them a compiled version of our code, and my first inclination was to use the CFCompile utility that I found here. However, after running CFCompile, most of the code in the CFM files is still readable. The only thing that appears to be obfuscated at all is the actual ColdFusion code - all of the SQL Queries are still perfectly readable. (Example in the screenshot below)
The HTML and JavaScript are also still readable in the compiled code, but that doesn't matter as those can be seen in a web browser anyways.
Is there another way to distribute my source code in a format that is completely unreadable to the user? I'm guessing that for whatever method I choose, there will be some way of decompiling the code. That's not an issue, I just need to find a way to make it more difficult than opening the file and seeing the queries.
Hostek has a pretty good write up on the subject over on their site - How to Encrypt or Compile ColdFusion Files.
Basically, from that article:
Using cfcompile.bat
The cfcompile.bat utility will compile all .cfm and .cfc files within a given directory into Java bytecode. This has the effect of making your source code unreadable, and it also prevents ColdFusion from having to compile your ColdFusion files on first use which provides a small performance enhancement.
More details about using cfcompile.bat can be found in ColdFusion's Documentation
Using cfencode.exe
The cfencode.exe utility will apply basic encryption to a specific file or directory. If used to encrypt a directory, it will apply encryption to ALL files in the directory which can break any JS, CSS, images, or other non-ColdFusion files.
They do also include this note at the bottom:
Note: Encrypting your site files with cfencode does not guarantee absolute security of your source code, but it does add a layer of obfuscation to help prevent unauthorized individuals from viewing the source.
The article goes on to give basic instructions on how to use each.
Adobe has this note on their site regarding cfencode:
Note: You can also use the cfencode utility, located in the cf_root/bin directory, to obscure ColdFusion pages that you distribute. Although this technique cannot prevent persistent hackers from determining the contents of your pages, it does prevent inspection of the pages. The cfencode utility is not available on OS X.
I would also add that it will be trivial for anyone familiar with ColdFusion to decode anything encoded with this utility because they also provide the decoder.

ColdFusion 2016: cfinclude dynamic template name; occasional error

Good day -
My work group upgraded from CF10 to CF2016. We have finished 2 of the 3 servers that run the application behind a load balancer.
Since the two servers have been upgraded, we get an occasional (<<1%) error on <cfinclude> statements:
The process cannot access the file because it is being used by another process
The included files are different each time, but they have the same characteristic: the names are dynamically generated in the cfinclude tag. For example:
<cfinclude template="#fileManager.getFile('appl1')#">
where #fileManager.getFile('appl1')# simply returns a string path to a CFM file. The file definitely exists, and it is not e.g. being modified by a programmer or any other (known) process. The files themselves are generally just simple index.cfm files in directories that haven't been touched in a year.
This only happens on dynamically named templates in <cfinclude>, never static template names.
Here are the cache settings on the server. Please note that the settings are the same on the server that doesn't experience this problem (the CF10 server)
Any ideas what can cause this random, fleeting error? I can not establish any pattern other than CF2016.

Locating Specific Files on a ColdFusion Server

So I've began working with .cfm files recently at work, currently my assignment is to modify and update webpages to be more suited to mobile devices and tablets. Now, being relatively new to ColdFusion, I've been having a bit of trouble with how multiple .cfm files are used within a server to create a single webpage. Because of this, I've had issues with finding where specific sections of HTML are located, be it something as where a simple tag is, or where a call to another .cfm, javascript, or .css file may be. Is there anyway to find the origin of certain code without having to skim through hundreds of different files?
If you are working on your code on a local webserver on your computer (i.e. not a production site) then you can enable ColdFusion's debugging output.
Documentation for the ColdFusion Administrator debugging options are here: ColdFusion Administrator Debugging
You will want to enable Enable Request Debugging Output and turn on Report Execution Times. When you browse to the page, ColdFusion will give you a list of all files that ColdFusion used to render that page (with how long each file took) appended to the bottom of the page.
Otherwise, any good IDE/Editor (CFBuilder, SublimeText, NotePad++ etc) will be able to search across files.
I would suggest downloading the code from your server to a local drive. From there you can search using an IDE (ColdFusion Builder, Dreamweaver, etc) or a good text editor that can search multiple files at once. I personally use ColdFusion Builder 3 and Notepad++.
Multiple cfm files are put together into a single page usually by using the cfinclude tag, so that would be a good starting point for your search. There are other methods to include different pages into a single page but cfinclude is probably the most common one. BUT, if the programmer used cfscript instead of cfml, look for the include function instead.
Adobe documentation on the cfinclude tag can be found at https://wikidocs.adobe.com/wiki/display/coldfusionen/cfinclude.

coldfusion application.cfc not found

I've been having a sporadic problem for a few weeks where on restarting the CF Server (Enterprise 9) one of my applications runs without ColdFusion referencing all the variables in the Application.cfc file. It's in the same folder as the CFML pages, it IS properly capitalised as Application.cfc, but it seems to just be ignored. Obviously this causes problems with datasource name and all the other variables I set in Application.cfc. For reference, I'm using an Application.cfc file based on Ben Nadel's excellent intro at http://www.bennadel.com/blog/726-ColdFusion-Application-cfc-Tutorial-And-Application-cfc-Reference.htm . Usually my requested template runs as an include and I can see it in the stack using debugging output, now I can't see it there at all. It's as if the file just doesn't exist.
Has anyone else experienced this, or can you think of possible solutions? Note that at times a restart has got the whole thing running perfectly smoothly.
Re folder structure it's really simple: the Application.cfc file is in the web root along with executable CFML templates - included templates, images, CSS etc are in separate folders referenced via relative paths.
There is another application with its own similar Application.cfc file that is in a sub-directory of the web root. This is running perfectly.
Try clearing your template cache. I've see cases where CF just gets flakey and the cached files are causing issues. Another option: Does ColdFusion have permissions to read/execute the Application.cfc? If this WAS an issue but is no longer an issue I've seen cases where the template cache was causing these files not to be found. Again, delete these files (from disk, not the cfadmin) and try again.

How do I determine which files a ColdFusion application uses?

I'm starting some work on an existing ColdFusion application with no version control and what look like unused cfm files (test.cfm, test2.cfm etc.). I'd like to get a picture of what files are actually part of the application so I can get it into git or subversion in a manageable state.
How would you go about this? A regex and some methods to find and map cfinclude and cfcomponent tags? Is there some existing tool that does this?
Ben Nadel has a method to examine the live stack trace from a running template. It seems to me that you could easily plop this into your application and log the results to a database. Once you've done that, you've got a good idea of what's in use and what's not.
I think the easiest way, however, is to enable debugging (standard caveat here about development server, etc). The standard ColdFusion debugger will give you a complete list of every file used during the execution of a single page. ColdFire will do the same thing in a handy Firebug extension (click ColdFusion then click Exec Times).
It should be pointed out that the built-in debugger even shows you the files included from CFC calls, and the files included from within those calls as well. It is all inclusive.
Ben Nadel on Stack Traces
Ray Camden's ColdFire
Sample of CF Debugging from a live page:
Put it into git first! Then, if you screw up, you can easily roll back.
(If you're concerned about having a 'clean' repository, when you're finished and fully tested, you have the option to just remove the single .git folder and create a new one.)
Then, as Tomalak suggests, use cflog on every file. Infact I'd say maybe even log twice, at the top and bottom of each script, could potentially help you to map out how the application runs.
A regex is not advisable. Since ColdFusion is quite flexible in the way files can be included or referenced, there will be no way to determine the definitive list of dependencies from the source code alone.
You could insert a <cflog> into each file and build a log from the running application. Examine the log after the application was active for a while and all functionality had been accessed at least once.
Don't bother instrumenting each file, just cflog the page name in OnRequest inside application.cfc - the target page is an argument.
Of course then the issue becomes code coverage and the ability to fully excercise the app.
<cffunction name="onRequest" returnType="void">
<cfargument name="targetPage" type="String" required=true/>
<cflog file="Usedpage" text="#Arguments.targetPage#">
<cfinclude template="#Arguments.targetPage#">
...
</cffunction>
cfinclude won't tell you if a url is supposed to load the file directly. I've seen system where some files are not included via an index.cfm even when the framework expects it. I have it in my own work where index.cfm loads most code but reset.cfm bypasses the framework to reset configs and session data.
Download a trial of Dreamweaver and define a ColdFusion site. DW can create a site map and tell you which files are not included, linked, cfmoduled and so forth. I don't know if it can figure out unused CFCs, but CFMs should be easy. Note that I haven't used DW for years, but it had this functionality around CF 4/5.