ColdFusion Ajax Debugger Ignores CFSETTING

7

Posted in ColdFusion | Posted on 08-15-2007 | 5,730 views

I'm not quite sure I'd call this a security risk, but it is something you should be aware of. I typically use this line in my open source applications to ensure that debug information doesn't show up, even if the server has it enabled:

view plain print about

1<cfsetting showDebugOutput="false">

This will suppress any debugging information from showing up in the browser. However - it doesn't seem to work with ColdFusion Ajax debugger. If the Ajax debugger is enabled in the ColdFusion Administrator and if you pass ?cfdebug=1 in the URL, it will always show up, even with the setting. (A bug is already filed with Adobe on this one.)

FYI - this was logged as bug 70324.

Comments

[Add Comment] [Subscribe to Comments]

Nick said on 08-15-2007 at 9:49 AM #
	70,000 bugs, man, CF IS DEAD!!

Richard Davies said on 08-15-2007 at 10:55 AM #
	I just tried it on my local developer edition server and turning off the debugging output actually did work correctly, even with the AJAX debugger enabled...

Raymond Camden said on 08-15-2007 at 11:06 AM #
	But did you have ?Cfdebug=1 in the URL?

Richard Davies said on 08-15-2007 at 12:06 PM #
	Yes, I did have ?cfdebug=1 in the URL.

Raymond Camden said on 08-15-2007 at 12:33 PM #
	Odd. My contact @ Adobe did verify it though.

Richard Davies said on 08-16-2007 at 11:35 AM #

After reading Sarge's blog post about this, I realized that I misunderstood your post. I thought you were indicating that the normal debugging information on the page wasn't being turned off with the setting when the page contained the AJAX debugger query parameter.

I now realize that you meant that the AJAX debugging information is still appearing irregardless of the <cfsetting>. I apologize for my inability to read... ;-)

Raymond Camden said on 08-16-2007 at 12:15 PM #
	Whew - thought I was crazy there. ;)

[Add Comment] [Subscribe to Comments]