PasswordSafe accesses the Internet??

By barneyb on June 11, 2005

Before I start, how many of you loyal readers out there use or have used PasswordSafe? If you would, leave me a comment, because I'm curious.

Anyway, I just got an email from a PasswordSafe user that said it was connecting to the internet every time he saved his data file. I'm not a devious type, and the codebase has been checked over by at least two or three other people (quite possibly many more), and one even took the time to rewrite some chunks of it to be more efficient and look prettier. So I'm quite confident that there isn't any malicious code lurking around anywhere.

However, his comments concerned me, because that's some blatantly suspicious behaviour for security-related software to be exhibiting. One common use for PasswordSafe (from talking to various users) is to store the data file at a shared location (and possibly even the actual binaries), where all parties that need access can get it without having to keep files synchronized in multiple places. I suspect this is what's happening, but I wanted to ask if anyone else has seen this sort of behaviour?

I've also just pushed a new update that has no functional changes, just a couple little tweaks to the documentation. It can be downloaded at http://www.barneyb.com/go/ps_download.

Follow Up:
After doing some more testing (both myself and the guy who sent me the email), it appears to be the XML-based bean serializer that PasswordSafe uses that is causing the internet lookup. Presumably this is to find a remote XML Schema or something.

Posted in

YubNub

By barneyb on June 8, 2005

Spike sent me this link to www.yubnub.org,
which endeavors to be a "command line for the web", as they put
it.  It's a pretty cool idea, really.  You create commands
that are implemented with web services, and then anyone can run your
commands via the shell.  Not sure if it has any real application,
but it's definitely an interesting use of web-base technologies.

Posted in

Death to DevNet Edition

By barneyb on June 5, 2005

So I just set up a CF7 server a week or two
ago and started moving one of my apps over to it.  We use the
CF6.1 DevNet edition on our dev servers, and it's great.  I
figured I'd do the same with CF7.  All going along great until I
start testing our admin area, which relies heavily on JS remoting, and
that damned DevNet META tag completely breaks it.

On
CF6.1, you could just use CFCONTENT to set the content type to
something, and the META tag would magically vanish.  But on CF7,
it appears to be impossible to make the META tag disappear. 
Ordinarily, I wouldn't care too much, except that it completely breaks my application
(not to mention prevents doctype sniffing from working
correctly).  So after screwing around for what seemed like
forever, I finally gave
up, archived my settings (my god is that cumbersome), undeployed CF,
generated some developer-edition WARs, deployed those, and restored my
settings. Fortunately, I can get by with the IP restrictions.

Things seem to be all good
now, but man was that not how I wanted to spend my Saturday night. I
know DevNet is going away and all, but you'd think they'd at least make
it usable if they took the effort to release a DevNet edition of CF7.

Posted in

Revenge of the Dragon, pt II

By barneyb on May 25, 2005

Couple more little glitches as the app has continued to be tested:

1)
I mistyped 'reqeustTimeout' [sic] in a CFSETTING tag.  BD didn't
complain, and I didn't catch it, because the extra time for the request
never happened to be needed, but CF threw a syntax error immediately.

2)
BD 6.2 puts the CFFILE result struct from uploads into local variable
(if declared), inside functions. I was never quite sure what CFMX 6 did
regarding this.  CF7, however, puts it in some unknown place
(presumably variables scope) that is shadowed by the local variable
scope.  Just a matter of adding the new CF7 'result' attribute to
name the value you want the result placed in.  I think this is
actually a bug in CF7 (breaking backwards compatibility), but I'm not
sure about that.  Either way, it is a difference between BD and CF
that you should watch out for.

Posted in

Fusebox 4.1 Lexicons

By barneyb on May 25, 2005

I was the presenter at the Portland, OR CFUG last week, and the
topic was Fusebox 4.1.  One of the big points of interest was
custom lexicons, so I thought I'd share a couple examples here as well.

Fusebox
4.x is based around an XML grammar (composed of individual verbs, much
like CFML is composed of CF tags) for describing your application,
separate from the actual implementation of your application.  So
the XML documents the structure and program flow, but none of the
code.  Very elegant, and very helpful, particularly when you're
designing and managing large apps.  Custom lexicons allow you to
extend that XML grammar with application-specific functionality. 
By and large this isn't needed, but there are some places where the
built-in grammar is simply insufficient, and a custom lexicon can make
your life enormously easier.

The simplest example of a custom
verb is a 'write' verb that take a 'text' attribute and simply writes
it to the output buffer.  To many people, the inability to
natively do this in FB4 is surprising, but it quickly becomes apparent
that there is almost never a need to do it, except when you're hashing
out an application structure.  First, here's how the verb will be
used:

The 'beb'
part indicates the lexicon the verb is in, and is specified when you
register your lexicon in fusebox.xml.  The 'write' part specifies
the specific verb to invoke, and then the 'text' attribute is just an
attribute passed to the verb, much like a custom tag.  Here's the
implementation:

#fb_.verbInfo.attributes.text#') />

So
what do we have?  We've got this 'fb_appendLine' function, we've
got this 'fb_.verbInfo' structure, and we've got some raw CFML encased
in a string.  But even if you don't understand the nitty gritty, the jist of what's happening should be pretty obvious.

A little
description of how FB4 works under the hood is in order.  The core
files take your XML documents and use them to generate execution plans
(parse files) in native CFML.  Then those execution plans are
actually used to service requests.  Because that translation
happens once (and not every request), FB4 is very efficient.  On
the flip side, integrating a custom verb is confusing, because your
verb is not running as part of a request, it's running as part of the
XML to CFML translation process.  And note that this is all
exactly the same for the PHP version too, just it's XML to PHP.

So
what does that mean to our custom verb?  It means we can't
actually output anything while we're being processed, instead we have
to add some CFML to the execution plan for later execution as part of
handline a request.  Oof.  However, the core files make it
really easy, just use the fb_appendLine function, and pass it a string
containing the CFML you want to add to the plan.

That takes care
of the first and last items from the example, but what about the
fb_.verbInfo structure?  That structure is a dedicated "scope" for
your verb instance to do it's thing in.  If you've written a
plugin for FB4, it's similar to the dedicated plugin scope within the
myFusebox structure.  When your verb is processed, all the
attributes for the verb will be stored in that structure, along with
the lexicon and verb names that are currently executing (should those
be of value).  So that's how you get your attributes, but there is
another piece of the puzzle.

Because custom verbs are not run as custom tags, they don't have their own private 'variables' scope, so you MUST
place any local variables in that same fb_.verbInfo structure to avoid
them "leaking" out and potentially interfering with other parts of the
application.

Here's a slightly more complex example that illustrates this point:

Basically it's a CFDUMP tag, but usable within FB4.  However, there is some
trickery we can do because of this whole "building an execution plan,
not actually executing" paradigm.  Here's the code:



   

   

') />

This
time we're using a couple local variables ('v', and 'l', for var and
label, respectively), and carefully constraining them to the
fb_.verbInfo structure.  But if you look carefully, we're actually
using the textual value of the 'var' attribute as the default for the
'label' attribute.  Because the 'var' attribute isn't being
evaluated until the execution plan runs, the verb can actually read out
the textual value of the attribute, something that's impossible with a
CFML custom tag. http://www.live345.com  If you've ever done something like this:

then you'll quickly see the value of letting the custom verb do take care of the 'label' attribute for you automatically.

So
that's a very brief primer on custom lexicons in FB4.1.  I have to
mention that custom lexicons are a 'preview' feature in FB4.1, not an
official part of the framework.  They definitely aren't going
away, but it's possible they will change.  In particular, real XML
namespaces will be used at some point, rather than the dot notation
currently in use.  That was a stopgap meature, because CF6.x
didn't have namespace support, but CF7 does.  But that's
definitely not a reason to avoid them; they're far to useful to wait.

Posted in

Revenge of the Dragon

By barneyb on May 24, 2005

I know what you're saying: "please, not more whining."  Well
rest assured that this isn't that kind of a post.  Yes, I ran into
some more problems with BD's compatibility with CFMX last night, but
I'm not bitter, I swear.  I took an app that I'd written for BD
and was moving it to CF7 this evening and found four distinct bugs in
BD that gave me grief.  It's worth mentioning that I'm running BD
6,2,0,226.2.28, which I believe to be a 6.2 release candidate, not the
final version, but I'm not 100% sure of that.

1) BD doesn't care if your 'var' declared local variables are at the top of a function or not, while CFMX does.

2) BD considers assignment to be an expression, while CFMX doesn't.  In BD <cfreturn s = s & "text" /> is legal.

3)
BD processes CFLOGIN-based security stuff (at least when the
loginstorage is set to session) for all requests in a session that have
be logged in with CFLOGINUSER, regardless of whether CFLOGIN is
actually on every page.  In other words, on CFMX you have to have
CFLOGIN run on every page to use the cflogin framework, while on BD you
just have to have it run once per session.  Personally, I like
BD's interpretation, but all it takes is adding a self-closed CFLOGIN
tag right after your CFAPPLICATION tag to make it work on CFMX.

4)
BD doesn't seem to validate return types on CFFUNCTION quite all the
way.  I had a function with a numeric returnttype that returned
the result of a SELECT MAX(...) ... query, and when no rows were found,
the result of the MAX call is obviously null, which isn't numeric (and
yes, I'm going to restrain myself from that rant ;).  BD happily
let me return null from the method, but CFMX errored.  Perhaps
because BD actually recognized the null for what it is, and let it pass
the test?

I also ran into
some issues using JS remoting (via Neuromancer) against a CFC-based web
service.  I had a lot of issues with getting that all working on
BD when I first wrote the app, so I suspect I ended up implementing
some stuff that wasn't quite CFMX-compatible, but I can't say that with
conviction, so I left it off the list of definite bugs.  The fix
was simple to make, so I'm not going to worry about it.

So there they are, four (and a half) points to watch out for when
moving from BD to CFMX.  As I said above, I'm not bitter, because
in every case the issue arose because I made an honest mistake in
coding, and BD did what I meant without
throwing an error.  Of course, in every case, BD was incompatible
with CFMX, but I'm going to put that behind me.  So if you're
developing on BD and planning to deploy to CFMX, watch out for these
gotchas.  Catching them as you code isn't a big deal, but having
to sweep an app for this type of stuff at deploy-time would be a bear,
especially if it's large.  The first two are compile-time errors,
so they'll be caught easily, the third will be apparent as soon as you
try to log in, but the fourth will require careful unit testing to
catch, because it's a data-dependant runtime bug.

Posted in

The Musical Meme

By barneyb on May 19, 2005

Thanks to my dear friend Simeon, who not only sent me this, but pressured me into actually doing it.   Grumble…..

Total Volume (of my MP3 library): 5.32 GB

Last CD Bought: No idea, been too long.  Probably Billy Joel's Greatest Hits Vol. III

Song Playing Right Now:
"Save Me" – Aimee Mann

Five Songs I Listen To a Lot:
(I usually just listen to random selections…)

- "Lay My Love"- Brian Eno
- "Disarm"- The Smashing Pumpkins
- "Heart and Soul"- T'pau
- "Numb"- U2
- "Nightswimming"- REM

Five Three People to Whom I’m Passing the Baton:
(sorry, folks!)

Heather Boisvert (my wife)
Peggy Boisvert (my sister)
Carole Karnofski (schoolmate for 13 years)

Posted in

CFARGUMENT/CFPARAM and DEFAULT

By barneyb on May 18, 2005

Say I have code like this (intentionally left incomplete):

<cffunction name="myMethod" …>
  <cfargument name="item" … required="true" />
  <cfargument name="childList" … required="false"
    default="#getChildList(item.id)#" />
  … do some stuff …
</cffunction>

Now you'd hope that CF wouldn't actually execute the getChildList
method unless it the variable was missing, but from the structure of
code, you might expect it to anyway.  Fortunately, CF will NOT
execute the default expression unless the variable is, in fact, missing.

Now consider this code:

<cfparam name="childList" default="#getChildList(item.id)#" />

In this case, the default expression will execute, regardless
of whether the 'childList' variable already exists.  A little
inconsistency in the language that has the potential to bite you, if
you're not careful.

Posted in

XPath, xmlSearch, and Namespaces

By barneyb on April 27, 2005

I've been doing a bunch of XML stuff over the past few days, and ran
into an interesting issue.  If you have a default namespace
defined in a document that you're going to run xmlSearch on, you have
to respect that namespace.  What does that mean?  You need to
prefix your element names with a colon.  Take these three examples
(for searching an RSS feed):

XMLSearch(rss,"/rdf:RDF/item")
XMLSearch(rss,"/rdf:RDF/:item")
XMLSearch(rss,"//:item")

The first one doesn't work, because the 'item' element belongs to
the default namespace, not to the null namespace, so it needs to be
explicitly qualified as in the second and third lines.

Much thanks to Pete Freitag and Sean Corfield (the 3rd comment) for making this solution known.

Posted in

Fusedocer Updated

By barneyb on April 19, 2005

A long while ago, I wrote a utility called Fusedocer that parses a Fusebox 3 application and generated per-fuse documentation similar to the way JavaDoc works. It was quite useful at the time, but since I moved to Fusebox 4, I'd almost forgotten about it. Turns out people are still using it though, since I got an email this morning from a guy in the Netherlands saying it didn't work on CFMX. More specifically, that it wasn't detecting any of the fuses in the circuits, so it wasn't actually generating anything. He'd also isolated the problem: I was using a filter on a cfdirectory call that CFMX wasn't handling correctly.

The filter was [a-zA-Z]{3}_*.cf*, which apparently worked on CF4.5 (what I was running when I wrote the app), but no longer works on CFMX. The fix was simple, just change it to *_*.cf*, and everything started working. I've uploaded a new version of the utility to the Fusedocer page, so you can get the CFMX-compatible version if you want it.

Update: Since my server crashed last year, the /go/ URLs have been broken, and the links above haven't worked. The ZIP file can be downloaded here.

Posted in

« PreviousNext »