ColdFusion Ajax Debugger Ignores CFSETTING

I'm not quite sure I'd call this a security risk, but it is something you should be aware of. I typically use this line in my open source applications to ensure that debug information doesn't show up, even if the server has it enabled:

<cfsetting showDebugOutput="false">

This will suppress any debugging information from showing up in the browser. However, it doesn't seem to work with the ColdFusion Ajax debugger. If the Ajax debugger is enabled in the ColdFusion Administrator and you pass ?cfdebug=1 in the URL, it will always show up, even with the setting. (A bug is already filed with Adobe on this one.)

FYI - this was logged as bug 70324.
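
Since the cfsetting tag does not cover this case, one way to see whether anyone has been requesting pages with the cfdebug parameter is to scan the web server access log for it. This is an added example, not code from the original post; it assumes combined-format access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined log format: client IP ... "METHOD target PROTOCOL" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def has_cfdebug(target):
    """True if the request target carries a cfdebug query parameter.

    The name is compared case-insensitively as a precaution, and any value
    is flagged (a conservative assumption). parse_qsl percent-decodes
    names, so an encoded spelling such as %63fdebug is caught too.
    """
    query = urlsplit(target).query
    for name, _value in parse_qsl(query, keep_blank_values=True):
        if name.strip().lower() == "cfdebug":
            return True
    return False

def find_cfdebug_requests(lines):
    """Return (ip, target, status) for every log line requesting cfdebug."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and has_cfdebug(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Aug/2007:18:49:02 +0000] "GET /blog/index.cfm?cfdebug=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [15/Aug/2007:18:49:09 +0000] "GET /blog/index.cfm?mode=entry&Cfdebug=1 HTTP/1.1" 200 7301',
    '198.51.100.4 - - [15/Aug/2007:19:02:41 +0000] "GET /blog/index.cfm?%63fdebug=1 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [15/Aug/2007:19:05:00 +0000] "GET /blog/index.cfm?mode=entry HTTP/1.1" 200 6100',
    # "cfdebug=1" appears only inside a search value here, so it is not a hit.
    '198.51.100.9 - - [15/Aug/2007:19:06:12 +0000] "GET /blog/search.cfm?q=cfdebug%3D1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, target, status in find_cfdebug_requests(SAMPLE_LOG):
        print(f"{ip} requested {target} (HTTP {status})")
```

Hits from addresses outside your development team on a production server are worth following up by confirming that the Ajax debugger is disabled in the ColdFusion Administrator.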

Archived Comments

Comment 1 by Nick posted on 8/15/2007 at 6:49 PM

70,000 bugs, man, CF IS DEAD!!

Comment 2 by Richard Davies posted on 8/15/2007 at 7:55 PM

I just tried it on my local developer edition server and turning off the debugging output actually did work correctly, even with the AJAX debugger enabled...

Comment 3 by Raymond Camden posted on 8/15/2007 at 8:06 PM

But did you have ?Cfdebug=1 in the URL?

Comment 4 by Richard Davies posted on 8/15/2007 at 9:06 PM

Yes, I did have ?cfdebug=1 in the URL.

Comment 5 by Raymond Camden posted on 8/15/2007 at 9:33 PM

Odd. My contact @ Adobe did verify it though.

Comment 6 by Richard Davies posted on 8/16/2007 at 8:35 PM

After reading Sarge's blog post about this, I realized that I misunderstood your post. I thought you were indicating that the normal debugging information on the page wasn't being turned off with the setting when the page contained the AJAX debugger query parameter.

I now realize that you meant that the AJAX debugging information is still appearing regardless of the <cfsetting>. I apologize for my inability to read... ;-)

Comment 7 by Raymond Camden posted on 8/16/2007 at 9:15 PM

Whew - thought I was crazy there. ;)