Adding CloudFlare Turnstile CAPTCHAs to CFML Sites

CloudFlare recently released a new CAPTCHA service called Turnstile, which aims to provide a better user experience for CAPTCHAs. In the worst case the user has to click a checkbox, rather than solve a puzzle that trains a machine learning model. You don't need to use CloudFlare's CDN / dynamic proxy services on your site to use this service, and it is free to use.

Client Side Implementation

There are a few different ways to implement the front end side, but at a minimum you would just add these two lines to an existing form:

    <div class="cf-turnstile" data-sitekey="YOUR-SITE-KEY"></div>
    <script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>

Make sure you replace YOUR-SITE-KEY with the Site Key that CloudFlare provides to you. The JavaScript will automatically insert a hidden input field inside the div named cf-turnstile-response. When the captcha is solved it will also automatically fill the value of the hidden field with the captcha response code:

    <input type="hidden" name="cf-turnstile-response" value="automatically filled and generated">

Server Side Implementation

Now your job on the server side is to verify that the value passed in cf-turnstile-response is legitimate. On the form action page you will need to make an HTTP request to CloudFlare with your secret key and the cf-turnstile-response value.

Here's a ColdFusion / CFML function I've implemented that takes care of it all:

    function verifyTurnstileResponse(secret, response, remoteip="") {
        try {
            var httpResult = "";
            cfhttp(url="https://challenges.cloudflare.com/turnstile/v0/siteverify", method="POST", result="httpResult", timeout=5) {
                cfhttpparam(name="secret", value=arguments.secret, type="formfield");
                cfhttpparam(name="response", value=arguments.response, type="formfield");
                if (len(arguments.remoteip)) {
                    cfhttpparam(name="remoteip", value=arguments.remoteip, type="formfield");
                }
            }
            if (isJSON(httpResult.fileContent)) {
                return deserializeJSON(httpResult.fileContent);
            } else {
                return { "success": false, "error-codes": ["response-was-not-json"], "http-result": httpResult };
            }
        } catch (any err) {
            return { "success": false, "error-codes": ["exception"], "exception": err };
        }
    }

The function should always return a struct with the boolean key "success"; if the HTTP request fails for any reason it will return with a success value of false. Here's how you might use it:

    var turnstile = verifyTurnstileResponse(secret=server.system.environment.TURNSTILE_SECRET, response=form["cf-turnstile-response"]);
    if (turnstile.success) {
        // do it
    } else {
        // log / display error
    }

The remoteip argument is optional, so I left it out in my example. I didn't want to default it to cgi.remote_addr because in some proxied environments that wouldn't be the correct IP. I'll probably turn this code into a ColdBox module at some point as well.
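A worked example added by the editor, not code from the post: a form-action handler built on the post's verifyTurnstileResponse() that treats a missing token as a failure, logs the error codes CloudFlare returns, and also checks the hostname field of the siteverify response against the site the form lives on. The function name checkTurnstile, the EXPECTED_HOSTNAME value and the log file name are assumptions; success, hostname and error-codes are the documented siteverify response keys.

```cfml
<cfscript>
// Added example (not part of the original post). Assumes verifyTurnstileResponse()
// from the post is available and that EXPECTED_HOSTNAME is this site's host name.
EXPECTED_HOSTNAME = "www.example.com";   // assumption: replace with your own host

// Returns { ok: boolean, reason: string } so the caller can log the reason
// without showing it to the user. Only the secret is ever sent to CloudFlare.
function checkTurnstile(required struct formScope, required string expectedHostname) {
    // 1. A missing or empty token is a failure; never call siteverify with "".
    if (!structKeyExists(formScope, "cf-turnstile-response")
        || !len(trim(formScope["cf-turnstile-response"]))) {
        return { "ok": false, "reason": "missing-input-response" };
    }

    // 2. Ask CloudFlare to verify the token. Tokens are single-use and short-lived,
    //    so verify once per submission and do not cache the result.
    var result = verifyTurnstileResponse(
        secret   = server.system.environment.TURNSTILE_SECRET,
        response = formScope["cf-turnstile-response"]
    );

    if (!structKeyExists(result, "success") || !result.success) {
        var codes = structKeyExists(result, "error-codes")
            ? arrayToList(result["error-codes"]) : "unknown";
        return { "ok": false, "reason": "siteverify-failed: " & codes };
    }

    // 3. The response names the hostname the challenge was solved on; reject a
    //    token that was solved on a different host than the one serving this form.
    if (!structKeyExists(result, "hostname")
        || compareNoCase(result.hostname, expectedHostname) != 0) {
        return { "ok": false, "reason": "hostname-mismatch" };
    }

    return { "ok": true, "reason": "" };
}

// Usage on the form action page:
check = checkTurnstile(form, EXPECTED_HOSTNAME);
if (check.ok) {
    // process the submission
} else {
    writeLog(type="warning", file="turnstile", text="Turnstile rejected: " & check.reason);
    // show the user a generic "please try again" message, not the reason
}
</cfscript>
```

The reason string goes to the log only; the user sees the same generic message whether the token was missing, expired or issued for another host, so the response gives away nothing about which check failed.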

From: Pete Freitag's Homepage

ColdFusion Summit 2022 Slides

I'm back from another excellent CFSummit. So many great presentations and conversations. I gave a presentation on the 25 Most Dangerous Software Weaknesses and how they relate to ColdFusion. My company Foundeo Inc. once again sponsored the event. It was nice to be able to present live, instead of over Zoom! You can find the slides here, and the code samples are on GitHub in my CFML Security Training repository. If you missed it, or you were there but want to go deeper into many of the issues we discussed, I will be hosting a ColdFusion Developer Security Training Class on December 13-14, 2022.

From: Pete Freitag's Homepage

Modernize or Die® – CFML News Podcast for October 4th, 2022 – Episode 166

Luis, Brad, Gavin and Daniel host this week's CFML News Podcast Special from CF Summit. To listen or subscribe to the podcast visit our site, or watch the video replay on YouTube. They sat down at the Ortus booth and discussed the highlights of the conference. For the show notes, visit the website https://cfmlnews.modernizeordie.io/episodes/modernize-or-die-cfml-news-podcast-for-october-4th-2022-episode-166 Music from this podcast is used under Royalty Free license from SoundDotCom https://www.soundotcom.com/ and BlueTreeAudio https://bluetreeaudio.com The post Modernize or Die® – CFML News Podcast for October 4th, 2022 – Episode 166 appeared first on ColdFusion.

From: Adobe Coldfusion Blogs

CF Summit 2022 Notes

Sometimes I take notes during the conference sessions. And to my surprise people are actually reading them. :) Here's everything I jotted down during the Adobe CF Summit 2022 presentations. Enjoy.

From: South of Shasta: Software Development, Web Design, Training

Speaking at CF Summit on Monday

FYI for anyone attending the Adobe CF Summit this week, there's been a small schedule change. I'll be giving my talk "Web Components and CFML" on Monday at 2:45. Some of the material says Ray Camden (or somebody else that Ray was pinch-hitting for, I don't know who) was going to speak in this time slot; that's now out of date.

From: South of Shasta: Software Development, Web Design, Training

COLDFUSION IN DISTRIBUTED ENVIRONMENT (WINDOWS)

On the IIS server:

Install IIS roles and components. Ensure that all of the following IIS features are enabled: .NET, CGI, ISAPI Extensions, ISAPI Filters.

Install Visual C++ Redistributable for Visual Studio 2012 (x64) from the following link: https://www.microsoft.com/en-in/download/details.aspx?id=30679

Copy the following from the ColdFusion server to the IIS server (<version> would be 2018 or 2021 based on your ColdFusion installation). Create the same directory structure as on the ColdFusion server:

    C:\ColdFusion<version>\jre (directory)
    C:\ColdFusion<version>\cfusion\runtime\lib\wsconfig.jar
    C:\ColdFusion<version>\cfusion\runtime\lib\config.properties
    C:\ColdFusion<version>\cfusion\runtime\conf\server.xml
    C:\ColdFusion<version>\config\instances.xml
    C:\ColdFusion<version>\config\cluster.xml

Open a […]

The post COLDFUSION IN DISTRIBUTED ENVIRONMENT (WINDOWS) appeared first on ColdFusion.

From: Adobe Coldfusion Blogs

COLDFUSION UPDATE ON J2EE DEPLOYMENT

The steps below are with JBoss EAP, but would be applicable for any J2EE deployment. For installation, please refer to the following document: https://helpx.adobe.com/in/coldfusion/installing/installing-the-jee-configuration.html

1. Stop the J2EE server and run the following from a command prompt as Administrator (point to the full path of the hotfix jar file): java -jar <path to hotfix.jar>
2. Navigate to and select the path of the cfusion.war directory (the directory containing WEB-INF, CFIDE and META-INF).
3. Start the J2EE server and check the update status in ColdFusion […]

The post COLDFUSION UPDATE ON J2EE DEPLOYMENT appeared first on ColdFusion.

From: Adobe Coldfusion Blogs

Modernize or Die® – CFML News Podcast for September 27th, 2022 – Episode 165

Gavin & Brad host this week's CFML News Podcast. To listen or subscribe to the podcast visit our site, or watch the video replay on YouTube. They discussed CF Summit's AMA session with the online form, Hacktoberfest 2023 and Lucee's 5.3.10 RC. They also discussed Ortus' recent Webinar recap on ITB, and some upcoming Adobe Workshops and Webinars. They discuss upcoming conferences, CF Summit, ITB Latam, Dev Nexus 2023 and ITB 2023. They discuss what's new and coming soon with […] The post Modernize or Die® – CFML News Podcast for September 27th, 2022 – Episode 165 appeared first on ColdFusion.

From: Adobe Coldfusion Blogs

cfimage unable to write to tmp directory when sandbox is enabled

Issue

If the Sandbox Security option is enabled and you're attempting to write to the temp directory using cfimage, the following exception appears: the application fails with a 500 error because it is unable to access the temp directory.

Solution

Follow the steps below:

1. Add the path of the temp directory in jvm.config as shown below:

    -Djava.io.tmpdir=<path to temp directory>

2. Restart ColdFusion.

The post cfimage unable to write to tmp directory when sandbox is enabled appeared first on ColdFusion.

From: Adobe Coldfusion Blogs

My CF Summit 2022 Schedule

Hotel confirmation is in hand, plane ticket has been booked, it’s official…I’m going to the Adobe ColdFusion Summit in Las Vegas! Much like Into The Box earlier this month, the CF Summit is a must-attend event for anyone looking to stay up on CFML development practices. And the agenda includes enough content for non-CFML developers, that I’d also encourage Engineering Managers and other techies to attend. (Really, this is true of most tech content — a lot of it is easily applicable to different environments.) Not registered yet? You can sign up at this link.

From: South of Shasta: Software Development, Web Design, Training

Modernize or Die® – CFML News Podcast for September 20th, 2022 – Episode 164

Gavin hosts this week's CFML News Podcast solo because Brad got tied up by cabling in a server room somewhere, maybe. To listen or subscribe to the podcast visit our site, or watch the video replay on YouTube. They discussed the Into the Box Session Survey Raffle, Ortus hiring another USA Developer, CF Summit's AMA session with the online form, State of the CF Union Survey Podcast Part 1, Hacktoberfest 2023, and Lucee Mail Listeners. They also discussed Ortus' recent Webinar recap […] The post Modernize or Die® – CFML News Podcast for September 20th, 2022 – Episode 164 appeared first on ColdFusion.

From: Adobe Coldfusion Blogs

Upgrading from 11 to 2021

Upgrade CF 11 to 2021 on Mac The post Upgrading from 11 to 2021 appeared first on ColdFusion.

From: Adobe Coldfusion Blogs

Markdown That You Might Not Know

I write every one of my blog posts in Markdown. Markdown is easy to store, easy to edit and above all easy to implement. I, specifically, use a variation of GitHub Flavored Markdown with a few of my own additions that make my workflow easier - for example, I can use [tweet tweetIdHere] to embed a tweet in one of my posts. GitHub Flavored Markdown (GFM) is the most common Markdown spec to see implemented around the internet, likely due to the fact it was developed by GitHub and is therefore open source. That being said, there are many features of GFM that I think more people should be using but aren't. You could say that I read the spec so that you don't have to.

From: Michael Walter Van Der Velden

.cfproject

Can anyone explain what the .cfproject file is, what it does, and how to configure it? I can't find any doc on this. It seems to be generated from the setup for CF in VS Code. The post .cfproject appeared first on ColdFusion.

From: Adobe Coldfusion Blogs

CFMAIL using OAuth instead of Basic Auth

I have an application which uses CFMAIL to send out alerts and notifications with an O365 mailbox. I've been asked to switch it to OAuth 2.0 and I have no experience with sending emails via OAuth and CF. I'm struggling to find any documentation or guidance online and in any of the forums. Is there an easy way to do this with setting up an OAuth connector and still using CFMAIL? The post CFMAIL using OAuth instead of Basic Auth appeared first on ColdFusion.

From: Adobe Coldfusion Blogs

autosuggest stopped working

I'm on a shared web server and they made some changes and now my autosuggest no longer works. Anyone know why? Has it been phased out? The post autosuggest stopped working appeared first on ColdFusion.

From: Adobe Coldfusion Blogs

I made a daily web game

It seems like simple daily web games, à la Wordle or Framed, have been quite popular over the pandemic. One could argue that interest began to wane as everything opened up again, but I still know many people who consistently log in to challenge themselves each day. My partner, especially, loves these games - playing about 3 different ones without fail. I had an idea whilst this craze was going on for a similar daily game but one which, unlike Wordle or Framed, required you to log on the next day to see if you had guessed correctly. I decided I'd build it to see if I can get it added to my partner's daily schedule.

From: Michael Walter Van Der Velden

Into The Box 2022 Recap

Into The Box 2022 is a wrap! My first in-person conference since this pandemic madness began two years ago. While the attendance level was a bit smaller (but expected) I think the event was a big success overall. (Before we get into the recap…a brief reminder: this is not a ColdBox-specific conference! While yes there are many sessions related to ColdBox, I count at least 10 sessions, some of the workshops, and most of the pre-conference virtual sessions that have nothing to do with ColdBox. Seriously, if you’re a CFML developer of any kind, this conference will add value to your development experience.)

From: South of Shasta: Software Development, Web Design, Training

Ways to suppress a finding in Fixinator

Code is complex, so any static application security testing (SAST) tool will find things that may not be an actual security issue. Fixinator has a few different ways we can deal with this problem.

For example, let's suppose you have a variable application.maxstories=10 set in Application.cfc, and you use that variable in a different file like this:

    <cfquery name="news">
        SELECT headline, story
        FROM news
        ORDER BY date_published DESC
        LIMIT #application.maxstories#
    </cfquery>

Assuming that application.maxstories is always defined, this query isn't vulnerable to SQL injection because you can't change the value of application.maxstories unless you can change the application source code.

Quick aside: If the application.maxstories variable is defined conditionally, then it is a different story. The value of the variable in the query could be manipulated via something I call scope injection, via url.application.maxstories for example. But that depends on application.maxstories being undefined.

Suppressing a single finding with Fixinator

If you are using Fixinator then we have a few different ways to suppress this finding. We can add a comment like this:

    <cfquery name="news">
        SELECT headline, story
        FROM news
        ORDER BY date_published DESC
        <!--- ignore:sqlinjection because application.maxstories is always defined --->
        LIMIT #application.maxstories#
    </cfquery>

When Fixinator finds an issue, it will check to see if there is a comment with the pattern ignore:scanner-type directly above or on the same line as the issue. You can optionally add a reason to the comment, which I always like to do.

However, if this were my code, I would rather just do this:

    LIMIT #int(application.maxstories)#

Fixinator understands that wrapping a variable with int() is a safe solution. I prefer that approach over a comment.

Suppressing a type of finding over many files with Fixinator

Fixinator has a setting called ignorePatterns that can be defined in a .fixinator.json file. For the above example, we might use something like this:

    {
        "ignorePatterns": {
            "sqlinjection": ["application.maxstories"]
        }
    }

That will tell Fixinator to ignore any SQL injection finding where the variable contains application.maxstories, which is a pretty handy way to keep your Fixinator report free of false positives.

Here's another example... let's assume we fixed XSS issues in our app before encodeForHTML was built into CF, by creating our own function called xssEncoder. Perhaps our own function originally called ESAPI directly via Java, but now it is just an alias to encodeForHTML. This abstraction isn't a bad thing; it even allows us to switch to a different encoder in the future if a better one comes along. We can tell Fixinator about it like this:

    {
        "ignorePatterns": {
            "sqlinjection": ["application.maxstories"],
            "xss": ["xssEncoder("]
        }
    }

Of course you have to be careful about what you ignore, but I think it is an important feature to have. Without a good way to manage false positives you are either giving developers pointless work just to please the scanner, or the reports are full of false positives and end up being ignored. Neither leads to better security.
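An illustration added by the editor, not Fixinator's own code: a small model of the two suppression rules the post describes (an ignore:scanner-type comment on the finding's line or the line directly above it, and the per-scanner ignorePatterns substrings from .fixinator.json), run over a constructed copy of the query above. The function names and the sample source are assumptions made for the example; Fixinator's real matching may be more elaborate than this model.

```cfml
<cfscript>
// Added illustration (not Fixinator's code): model of the two suppression rules
// from the post, so you can see exactly what each one does and does not match.

// Rule 1: an "ignore:<scanner-type>" comment on the finding's own line or the line
// directly above it suppresses that one finding.
function isSuppressedByComment(required array sourceLines, required numeric lineNo, required string scannerType) {
    var marker = "ignore:" & scannerType;
    var linesToCheck = [ sourceLines[lineNo] ];
    if (lineNo > 1) {
        arrayAppend(linesToCheck, sourceLines[lineNo - 1]);
    }
    for (var text in linesToCheck) {
        // accept tag comments (<!--- --->) and script comments (// or /* */)
        var isComment = find("<!---", text) || find("//", text) || find("/*", text);
        if (isComment && findNoCase(marker, text)) {
            return true;
        }
    }
    return false;
}

// Rule 2: ignorePatterns[scannerType] is a list of substrings; a finding whose code
// contains any of them is dropped, but only for that scanner type.
function isSuppressedByPattern(required struct config, required string scannerType, required string findingCode) {
    if (!structKeyExists(config, "ignorePatterns")
        || !structKeyExists(config.ignorePatterns, scannerType)) {
        return false;
    }
    for (var pattern in config.ignorePatterns[scannerType]) {
        if (findNoCase(pattern, findingCode)) {
            return true;
        }
    }
    return false;
}

// Constructed sample input (not a real scan): the query from the post, one line per element.
// "##" is how a literal # is written inside a CFML string.
source = [
    '<cfquery name="news">',
    '  SELECT headline, story FROM news ORDER BY date_published DESC',
    '  <!--- ignore:sqlinjection because application.maxstories is always defined --->',
    '  LIMIT ##application.maxstories##',
    '</cfquery>'
];
config = deserializeJSON('{ "ignorePatterns": { "sqlinjection": ["application.maxstories"], "xss": ["xssEncoder("] } }');

// A sqlinjection finding reported on line 4:
byComment = isSuppressedByComment(source, 4, "sqlinjection");        // true: comment is directly above
byPattern = isSuppressedByPattern(config, "sqlinjection", source[4]); // true: code contains the pattern
// The sqlinjection pattern does not hide a finding of another type on the same line:
xssByPattern = isSuppressedByPattern(config, "xss", source[4]);       // false
writeOutput("comment: #byComment#, pattern: #byPattern#, xss: #xssByPattern#");
</cfscript>
```

The last call is the point of keeping patterns per scanner type: a substring that is safe to ignore for SQL injection says nothing about XSS, so the config never silences a whole file or every finding that happens to mention the variable.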

From: Pete Freitag's Homepage

Spring Boot JWT - How to Secure your REST APIs with Spring Security and Json Web Tokens

In this tutorial, you will learn how to secure REST APIs with Spring Security and Json Web Tokens.

From: Dan Vega

Web Components in Your CFML Application

Web Components provide a modular way to build a consistent design system and user experience across your entire application. Instead of copy/pasting the same chunks of code into various places, you can have a JavaScript/HTML expert focus on getting the UX correct, without them needing to worry about what's happening in the CFML layer at all.

From: South of Shasta: Software Development, Web Design, Training

Speaking at Into The Box 2022

(In my best comedian voice) so, the pandemic…am I right?! Next week I’m flying out to Texas for my first in-person conference in WAY too long! I’ll be giving 2 talks at one of my favorite events: Into The Box in Houston Texas!

From: South of Shasta: Software Development, Web Design, Training

Simple Parallel Execution in ColdFusion or Lucee

A really handy feature of the arrayEach() function is the parallel argument. It has been supported in Lucee since 4.5, but ColdFusion 2021 now supports it as well.

What does the arrayEach function do?

Quite simply, it loops over each element of an array and invokes a function for each element of the array. Here's a simple example:

    fruit = ["Apples", "Oranges"];
    arrayEach(fruit, function(item) {
        writeOutput("I like #item#");
    });

It would output (run on trycf):

    I like Apples
    I like Oranges

Make it parallel

Recently on the CFML Slack the question was asked:

    Anybody have a good example of using the parallel features or multi-threading <cfhttp> requests?

Yes, you can do this with the parallel argument of arrayEach quite easily:

    requests = [
        {"url"="https://httpbin.org/ip"},
        {"url"="https://httpbin.org/uuid"},
        {"url"="https://httpbin.org/uuid"},
        {"url"="https://httpbin.org/uuid"},
        {"url"="https://httpbin.org/uuid"}
    ];
    maxThreads = 5;
    parallel = true;
    tick = getTickCount();
    arrayEach(requests, function(value, index) {
        var httpResult = "";
        cfhttp(url=value.url, result="httpResult");
        value.result = httpResult.fileContent;
    }, parallel, maxThreads);
    writeOutput("Took: #getTickCount()-tick# with parallel: #parallel#, maxThreads: #maxThreads#");
    writeDump(requests);

You can run the example on trycf and see that when parallel = true; it runs in about 180ms; when you set parallel = false; it takes 750ms. A pretty simple way to get a big speed boost for that use case, and much easier than using cfthread.

Things to look out for

One thing you do need to be careful of when you start multithreading is synchronization issues. In my example I am updating the array element struct, but if I were modifying the array itself, or another shared variable within my closure function, I would need to use cflock. For the same reasons, if you create any variables within your closure function, make sure they are var scoped or you will run into some strange issues. Without the var scope, the variable will be in the variables scope and shared among all the iterations.
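A worked example added by the editor, not code from the post, showing the two cautions above in practice: a parallel arrayEach() whose closure writes into variables shared by every iteration, with those writes wrapped in cflock and every per-iteration value var scoped. The httpbin URLs are the ones the post uses; the lock name, variable names and maxThreads value are assumptions.

```cfml
<cfscript>
// Added example (not from the post): parallel arrayEach() writing to shared state.
// statusByIndex and failures are shared by all iterations, so every write to them
// happens inside the same named exclusive lock; per-iteration values are var scoped.
urls = [
    "https://httpbin.org/ip",
    "https://httpbin.org/uuid",
    "https://httpbin.org/uuid"
];
statusByIndex = {};   // shared across threads: guarded by the lock below
failures      = [];   // shared across threads: guarded by the same lock

arrayEach(urls, function(address, index) {
    // var scoped: without "var", httpResult would live in the variables scope and be
    // overwritten by whichever thread happened to finish its request last.
    var httpResult = "";
    try {
        cfhttp(url=address, result="httpResult", timeout=5);
        // Only the write to the shared struct is serialized, not the HTTP call,
        // so the requests themselves still run concurrently.
        cflock(name="parallel-results", type="exclusive", timeout=5) {
            statusByIndex[index] = { "url": address, "status": httpResult.statusCode };
        }
    } catch (any e) {
        // arrayAppend on a shared array is exactly the "modifying another shared
        // variable" case the post describes, so it takes the same lock.
        cflock(name="parallel-results", type="exclusive", timeout=5) {
            arrayAppend(failures, { "url": address, "message": e.message });
        }
    }
}, true, 3);   // parallel = true, maxThreads = 3

writeDump(var=statusByIndex, label="HTTP status per request");
writeDump(var=failures, label="Failed requests");
</cfscript>
```

Keying the shared struct by index rather than by URL matters here because two of the sample URLs are identical; with a URL key, two threads would race to write the same entry and one result would silently vanish.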

From: Pete Freitag's Homepage

What is the latest version of .Net that I can consume from ColdFusion?

ColdFusion returns "Class not found" when trying to consume a *modern* public static .Net class. What is the latest version that I can use? The post What is the latest version of .Net that I can consume from ColdFusion? appeared first on ColdFusion.

From: Adobe Coldfusion Blogs

Unable to install CF2021 on MacOS BigSur 11.5.1

While installing CF2021 on macOS Big Sur 11.5.1, users are getting this error message: "libjvm.dylib" cannot be opened because the developer cannot be verified. Even after allowing this from Security, it does not let users install it. Here are a few simple steps to install it. Eject the current installer. Launch the terminal and type this command: xattr -rc <ColdFusion2021_xxxx.dmg file location>. Once you run this command, run the installer and see if that works. In case you still […] The post Unable to install CF2021 on MacOS BigSur 11.5.1 appeared first on ColdFusion.

From: Adobe Coldfusion Blogs