View unscoped variables in a log file

Background

In its latest security updates for ColdFusion (ColdFusion (2023 release) Update 7 and ColdFusion (2021 release) Update 13), Adobe released hotfixes that address scope injection vulnerabilities. See the tech notes for more information.

What is the patch about

Adobe has released a patch for ColdFusion (2023 release) and ColdFusion (2021 release) that helps you identify unscoped variables by recording them in a log file, so that you can take corrective action.

The patch applies to ColdFusion (2023 release) Update 6 and higher, and ColdFusion (2021 release) Update 12 and higher. Adobe recommends that you be on Update 6 or higher (2023 release) or Update 12 or higher (2021 release).

Why should I apply the patch

The patch lets you view, in a log file named unscoped.log, every unscoped variable that was searched for in the implicit scopes while the application ran.

How do I apply the patch and view the log file

  1. Copy the patch to cfusion/lib/updates.
  2. Restart ColdFusion.

View the log file

Set the flag searchimplicitscopes=TRUE in jvm.args or Application.cfc. When you run the application, ColdFusion generates the log file, unscoped.log, in /cfusion/logs.

ColdFusion (2023 release) Update 6 and ColdFusion (2021 release) Update 12 already have searchimplicitscopes=TRUE by default, unless the setting has been changed in Application.cfc or Application.cfm.

What does the log file contain

"Information","http-nio-8500-exec-1","04/08/24","17:13:17","testapp","/Users/user/codebase/cf-main/cfusion/wwwroot/scope/scope_testing1.cfm:REQUEST.SCOPETESTING,scope:UrlScope"
"Information","http-nio-8500-exec-2","04/08/24","17:16:51","testapp","/Users/user/codebase/cf-main/cfusion/wwwroot/debugging/index.cfm:AJAX_ENABLED,scope:FormScope"
"Information","http-nio-8500-exec-2","04/08/24","17:16:51","testapp","/Users/user/codebase/cf-main/cfusion/wwwroot/debugging/index.cfm:ENABLED,scope:FormScope"

How do I interpret the log file

ColdFusion logs an unscoped variable whenever the application runs and the variable is searched for in the implicit scopes. A variable that is declared but never referenced at runtime is not logged.

If the log file shows that variable {{X}} in template {{Y}} needs to be scoped, manually search for and refactor all instances of {{X}} in template {{Y}}.

For example, in the line

"Information","http-nio-8600-exec-6","03/19/24","19:40:56","cfadmin","/Users/user/codebase/cf_14_hotfix/cfusion/wwwroot /TEST/settings/mappings.cfm:SORTCOLUMN"

  • {{X}} is SORTCOLUMN
  • {{Y}} is /Users/user/codebase/cf_14_hotfix/cfusion/wwwroot /TEST/settings/mappings.cfm
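To turn the log into a per-template refactoring checklist, the following added example (not part of Adobe's patch or this tech note) parses unscoped.log lines in both the original format and the 04/10/2024 format with the ",scope:" suffix, and groups each variable under its template. The sample lines are constructed from the entries shown above; the field layout (severity, thread, date, time, application, message) is assumed from those entries.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of unscoped.log content: three lines in the newer format
# (with ",scope:<Scope>") and one in the older format (without it).
SAMPLE_LOG = '''"Information","http-nio-8500-exec-1","04/08/24","17:13:17","testapp","/Users/user/codebase/cf-main/cfusion/wwwroot/scope/scope_testing1.cfm:REQUEST.SCOPETESTING,scope:UrlScope"
"Information","http-nio-8500-exec-2","04/08/24","17:16:51","testapp","/Users/user/codebase/cf-main/cfusion/wwwroot/debugging/index.cfm:AJAX_ENABLED,scope:FormScope"
"Information","http-nio-8500-exec-2","04/08/24","17:16:51","testapp","/Users/user/codebase/cf-main/cfusion/wwwroot/debugging/index.cfm:ENABLED,scope:FormScope"
"Information","http-nio-8600-exec-6","03/19/24","19:40:56","cfadmin","/Users/user/codebase/cf_14_hotfix/cfusion/wwwroot/TEST/settings/mappings.cfm:SORTCOLUMN"
'''


def parse_line(line):
    """Return (template, variable, scope) for one log line, or None if it does not fit."""
    fields = next(csv.reader([line]))  # the message field is CSV-quoted and may contain commas
    if len(fields) < 6:
        return None
    message = fields[5]
    # Message is "<template>:<VARIABLE>", optionally followed by ",scope:<Scope>".
    scope = None
    if ",scope:" in message:
        message, scope = message.rsplit(",scope:", 1)
    # Split on the LAST colon so a drive letter in a Windows path (C:\...) stays
    # with the template instead of being taken as the separator.
    template, _, variable = message.rpartition(":")
    if not template or not variable:
        return None
    return template, variable, scope


def summarize(log_text):
    """Group findings as {template: {variable: [scopes]}}, de-duplicating repeats."""
    report = defaultdict(lambda: defaultdict(set))
    for raw in io.StringIO(log_text):
        parsed = parse_line(raw.strip()) if raw.strip() else None
        if parsed is None:
            continue
        template, variable, scope = parsed
        report[template][variable].add(scope or "unknown")
    return {t: {v: sorted(s) for v, s in vs.items()} for t, vs in report.items()}


if __name__ == "__main__":
    for template, variables in summarize(SAMPLE_LOG).items():
        print(template)
        for variable, scopes in variables.items():
            print(f"  {variable}  (resolved from: {', '.join(scopes)})")
```

Variables the log reports as resolved from UrlScope or FormScope are populated from request input, so those templates are the ones to refactor first.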

What's next

This patch is meant to help the community generate a report of the unscoped variables in an application. After using the patch and identifying the required changes, set the flag back to FALSE and remove the patch.

Note:

Please be aware that this patch could potentially affect the performance of your application.

Document history

  • 04/10/2024: The following changes were made to the log file:
    • The log file now contains the name of the scope in which the variable exists.
    • Files included using the cfinclude tag are now logged.
