ColdFusion Ajax Debugger Ignores CFSETTING

coldfusion (This post is more than 2 years old.)

I'm not quite sure I'd call this a security risk, but it is something you should be aware of. I typically use this line in my open source applications to ensure that debug information doesn't show up, even if the server has it enabled:

<cfsetting showDebugOutput="false">

This will suppress any debugging information from showing up in the browser. However - it doesn't seem to work with ColdFusion Ajax debugger. If the Ajax debugger is enabled in the ColdFusion Administrator and if you pass ?cfdebug=1 in the URL, it will always show up, even with the setting. (A bug is already filed with Adobe on this one.)

FYI - this was logged as bug 70324.

Hire Me!

I'm currently looking for my next role in developer evangelism and advocacy. I have a long history of helping companies work with developers and love to write, create demos, and present at conferences. You can find my resume to learn more and drop me an email (raymondcamden@gmail.com) to reach out.

Support this Content!

If you like this content, please consider supporting me. You can become a Patron, visit my Amazon wishlist, or buy me a coffee! Any support helps!

Want to get a copy of every new post? Use the form below to sign up for my newsletter.

Archived Comments

Comment 1 by Nick posted on 8/15/2007 at 6:49 PM

70,000 bugs, man, CF IS DEAD!!

Comment 2 by Richard Davies posted on 8/15/2007 at 7:55 PM

I just tried it on my local developer edition server and turning off the debugging output actually did work correctly, even with the AJAX debugger enabled...

Comment 3 by Raymond Camden posted on 8/15/2007 at 8:06 PM

But did you have ?Cfdebug=1 in the URL?

Comment 4 by Richard Davies posted on 8/15/2007 at 9:06 PM

Yes, I did have ?cfdebug=1 in the URL.

Comment 5 by Raymond Camden posted on 8/15/2007 at 9:33 PM

Odd. My contact @ Adobe did verify it though.

Comment 6 by Richard Davies posted on 8/16/2007 at 8:35 PM

After reading Sarge's blog post about this, I realized that I misunderstood your post. I thought you were indicating that the normal debugging information on the page wasn't being turned off with the setting when the page contained the AJAX debugger query parameter.

I now realize that you meant that the AJAX debugging information is still appearing irregardless of the <cfsetting>. I apologize for my inability to read... ;-)

Comment 7 by Raymond Camden posted on 8/16/2007 at 9:15 PM

Whew - thought I was crazy there. ;)