@dacCfml We do know this has to be fixed! we are working on Linux support for the new PDF engine as we speak. #ColdFusion
— Adobe ColdFusion (@coldfusion) March 12, 2014

Ram Kulkarni // Mar 11, 2014 at 7:49 PM
@Danny, ColdFusion Thunder can now run on Linux. I forgot to list this point. I have updated the post now.

// TestExecutionSequence.cfc
component extends="testbox.system.testing.BaseSpec" {

    function beforeAll(){
writeOutput("in beforeAll()<br>");
    }
    function afterAll(){
writeOutput("in afterAll()<br>");
    }

    function run(){
writeOutput("top of run()<br>");

        describe("outer describe", function(){
writeOutput("top of outer describe()'s callback<br>");

beforeEach(function(){
writeOutput("in outer describe()'s beforeEach()<br>");
            });

afterEach(function(){
writeOutput("in outer describe()'s afterEach()<br>");
            });

            describe("inner describe", function(){
writeOutput("top of inner describe()'s callback<br>");

                beforeEach(function(){
writeOutput("in inner describe()'s beforeEach()<br>");
                });

                afterEach(function(){
 writeOutput("in inner describe()'s afterEach()<br>");
                });

                it("tests the negative", function(){
writeOutput("top of inner describe()'s first it()'s callback<br>");
                    expect(sgn(-1)).toBeLT(0);
writeOutput("bottom of inner describe()'s first it()'s callback<br>");
                });

writeOutput("bottom of inner describe()'s callback<br>");
            });

            it("tests the truth", function(){
 writeOutput("top of first it()'s callback<br>");
                expect(true).toBeTrue();
writeOutput("bottom of first it()'s callback<br>");
            });

            it("tests falsehood", function(){
writeOutput("top of second it()'s callback<br>");
                expect(false).notToBeTrue();
writeOutput("bottom of second it()'s callback<br>");
            });

writeOutput("bottom of outer describe()'s callback<br>");
        });


        describe("second outer describe", function(){
writeOutput("top of second outer describe()'s callback<br>");

            it("tests the absolute", function(){
writeOutput("top of second outer describe()'s first it()'s callback<br>");
                expect(abs(-1)).toBe(1);
writeOutput("bottom of second outer describe()'s first it()'s callback<br>");
            });

writeOutput("bottom of second outer describe()'s callback<br>");
        });

writeOutput("bottom of run()<br>");
    }

}

beforeAll()

beforeAll() and beforeEach()

Nested describe()

Luis, we discussed this briefly @ SotR.

Currently one can specify a expression to use for a $results() value, and the value of that expression is then used as the results for the mocked method.

It would be occasionally handy for some stub code to be run to provide the results when a mocked method is called. This could be effected by being able to pass a callback to $results(), which is then called to provide the results when the mocked method itself is called.

Ideally a mocked method should always be able to be fairly dumb, but sometimes in an imperfect world where the mocked method has other dependencies which cannot be mocked out, an actual usable result is necessary. We've needed to do this about... hmmm... 0.5% of the times in out unit tests I think, so this is quite edge-case-y.

Cheers.

someObject.$("methodToMock").$results(0,1,2,3,4,etc);

// C.cfc
component {

    public struct function getStructWithUniqueKeys(required numeric iterations){
        var struct = {};
        for (var i=1; i <= iterations; i++){
            struct[getId()] = true;
        }
        return struct;

    }

    private string function getId(){
        // some convoluted way of generating a key which we don't want to test
        return ""; // doesn't matter what it is, we won't be using it
    }

}

// TestMxUnitCompat.cfc
component extends="mxunit.framework.TestCase" {

    function beforeTests(){
        variables.testInstance = new C();
        new testbox.system.testing.MockBox().prepareMock(testInstance);
        testInstance.$("getId").$callback(mockedGetId);
    }

    function testGetStructWithUniqueKeys(){
        var iterations    = 10;
        var result        = testInstance.getStructWithUniqueKeys(iterations=iterations);
        assertEquals(iterations, structCount(result), "Incorrect number of struct keys created, implying non-unique results were returned from mock");
    }

    private function mockedGetId(){
        return createUuid();
    }

}

// TestMockUsingCallback.cfc
component extends="testbox.system.testing.BaseSpec" {

    function beforeAll(){
        variables.testInstance = new C();

        $mockbox.prepareMock(testInstance);
        testInstance.$("getId").$callback(function(){
            return createUuid();
        });

        testInstance.$("getTomorrow").$callback(mockedGetTomorrow);

        testInstance.$("emphasiseString").$callback(function(s){
            return "<em>#s#</em>";
        });
    }

    function run(){
        describe("Test getStructWithUniqueKeys() which has had its call to getId() mocked-out", function(){
            it("returns a correctly-sized struct", function(){
                var iterations = 10;
                var result = testInstance.getStructWithUniqueKeys(iterations);

                expect(structCount(result)).toBe(iterations);
            });
        });

        describe("Test getTomorrow(), which has been mocked with a predefined-function not a function expression", function(){
            it("returns returns tomorrow's date", function(){
                expect(
                    dateCompare(now()+1, testInstance.getTomorrow(), "d")
                ).toBe(0);
            });
        });

        describe("Test mocked emphasiseString(), which takes an argument", function(){
            it("uses the argument", function(){
                var result =  testInstance.emphasiseString("G'day World");
                expect(result).toBe("<em>G'day World</em>");
            });
        });
    }

private function mockedGetTomorrow(){
        return dateAdd("d", 1, now());
    }

}

Thank you to everyone who has donated. It isn't easy to step up and ask for help like this, so you... http://t.co/jAMm3iJkDJ
— Jared Rypka-Hauer (@ArmchairDeity) March 13, 2014

If there's a case to address, and this is a sensible way of dealing with it: no problem. However we didn't know (beyond speculation) whether either of those is true. Rupesh has now clarified there is a case to address, but I remain skeptical as to whether this is at all a sensible approach.

It comes down to communication, and Adobe's seeming inability to do it coherently. On the face of it this was just a stupid thing to do, especially when the rationale was no more developed than "because security". Part of dealing with security responsibly is to communicate the situation. Not to detail the instructions of how to implement the exploit, but at least documenting what the issue is actually addressing. Even had Adobe implemented a more even-handed solution from the outset, without explaining the situation, the community cannot make an informed decision as to whether it's a ill-conceived annoyance that might as well be disabled, or the most critical and real threat ever. I still think this one falls closer to the former than the latter.

Furthermore, without discussion and input from the community, I will never be certain (nor should any of us be) that Adobe are actually addressing the issue sensibly, or just giving it a quick hack by way of lip-service. Let's face it: they do have a habit of doing the bare-minimum amount of work necessary to be able to look themselves in the mirror (although they set a low tide mark even for that).

• Rupesh Kumar

  6:51:43 AM GMT+00:00 Mar 13, 2014

  As I said earlier, this basically provides a way to you to decide what you want to compile and what not, when the file is being included. This was added after we saw few cases where an application included a file and somehow the bad guys were able to write to this file being included. The file in one of the case was actually a log file where the application was logging invalid user input apart from other errors/log messages. As you would figure, the bad input was actually some CFM code which went into the log file and when this got included, the user given code got executed. The application had not expected this file to be compiled. As we understand, there are many applications which use cfinclude to include static content. 
  
  This is a good change. You are getting a control to decide what to compile. You will also get some performance improvement because your JS, HTM, CSS files would not be compiled, loaded and processed by the server. If you don't need any of this and want to compile everything, you can always use "wildcard". 
  
  To answer whether this should be given as an update to CF 9 & 10, we would not want to break applications while applying updates in their production servers. We can add this where by default we would allow all the extensions to be compiled which then does not fix anything immediately. So how do we go about it? Do you think it needs to be made available in CF 9 & CF 10?

1. baddies access the system via ColdFusion Administrator by circumventing login security
2. baddies can write to files
3. baddies can execute the files

1. The baddy has the ability to write their own CFM file to the file system, to include the nefarious code. If they can do that... they don't need the .log or .txt file, they can just use their own .cfm file;
2. An existing application has <cfinclude> code in place which can be manipulated via the URL (or form, or some manner of external-user input) to directory-traverse to where the nefarious code is an inadvertently include it. Basically something like this:
   
   <cfinclude template="#URL.fileToInclude#">
   
   The weakness here is that someone might pass ../../../path/to/naughty/code.log, and ColdFusion will execute it. Obviously if one is doing something as ludicrous as that - without very strict validation - one one ought to be shot. But also validate the value of URL.fileToInclude so that it can only reference the intended range of files. But Adobe cannot control the crappy code developers will write.

Where scheduled tasks can write files

What scheduled tasks can write

From where code can be included

How code is executed

<cfinclude template="foo.notCfm"><!--- process as per usual --->
<cfinclude template="foo.notCfm" compile="true"><!--- definitely compile it --->
<cfinclude template="foo.notCfm" compile="false"><!--- definitely don't compile it ---> 

cfmap

Listing 1 : exampleUsingCfMap.cfm

<cfmap
    centerlatitude    = "-37.0477058"
    centerlongitude    = "174.500332"
    type            = "satellite"
    zoomlevel        = "16"
    width            = "800"
    height            = "600"
/>

Listing 2 : exampleUsingGoogleMaps.html

<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="exampleUsingGoogleMaps.css">
<script src="https://maps.googleapis.com/maps/api/js?v=3.exp&sensor=false"></script>
</head>
<body>
<div id="map-canvas"></div>
<script src="./exampleUsingGoogleMaps.js"></script>
</body>
</html>

Listing 3 : exampleUsingGoogleMaps.js

var map;
function initialise() {
    var mapOptions = {
        zoom        : 15,
        center        : new google.maps.LatLng(-37.0477058,174.500332),
        mapTypeId    : google.maps.MapTypeId.SATELLITE
    };
    map = new google.maps.Map(document.getElementById('map-canvas'), mapOptions);
}

google.maps.event.addDomListener(window, 'load', initialise);

Listing 4 : exampleUsingGoogleMaps.css

html, body, #map-canvas {
    width    : 800px;
    height    : 600px;
}

Resources

• Google Maps API documentation

Alternatives

• TBC

• the server was exploited via poor security in ColdFusion;
• the server did not have a patch applied that would have mitigated the issue;
• the server was not appropriately locked down for a production server, irrespective of patch level.

1. the default install process leaves a large security vector exposed to the world, in that it exposes /CFIDE to the public by default;
2. the exploiters used that vector and a general poor approach to security and password management in ColdFusion Administrator to breach Coldfusion servers.

• According to ColdFusion "0,6" == "6,0". And both are integers to boot
• isValid(). Groan
• Can we please agree that Adobe is not the arbitor of what constitutes an integer?
• Fixing any bug has backwards compatibility concerns
• Of integers and indolence

<cfoutput>
<cfset notAnEmailAddress = " not.valid@example.com ">
isValid("email","#notAnEmailAddress#"): #isValid("email",notAnEmailAddress)#<br>

<cfset notANumeric = " 1 ">
isValid("integer","#notANumeric#"): #isValid("integer",notANumeric)#<br>
isValid("numeric","#notANumeric#"): #isValid("numeric",notANumeric)#<br>
isNumeric("#notANumeric#"): #isNumeric(notANumeric)#<br>
isValid("float","#notANumeric#"): #isValid("float",notANumeric)#<br>

<cfset notAUuid = " #createUuid()# ">
isValid("uuid","#notAUuid#"): #isValid("uuid",notAUuid)#<br>
</cfoutput>

This is just a quick survey to gauge how effective Adobe have been at communicating to their clients regarding security issues that have arisen in ColdFusion

I have been developing cf since the 1st version what was made way back when. It was attractive because it was easy and easy to make a database enabled application. I think the community has ruined CF. Ya all want to code in java script make everything OO, put everything in a cfc. make a bunch of simple stuff terribly complex. Phone gap mobile apps just add to that. CF should be simple, auto generate everything, and make all the jquery bs and the ajax that goes with it be behind the scenes. CF was once easy and simple and I could hire an 8th graded to code it, and it worked great. Ya ruined that and now cf sucks more than ever. Just saying..

This is just a quick survey to gauge how effective Adobe have been at communicating to their clients regarding security issues that have arisen in ColdFusion

Q1: Have you supplied Adobe with legitimate and currently-accurate contact details when downloading or purchasing ColdFusion?

Q2: Do you hold an account with Adobe for any other reason, for which you have supplied currently-accurate contact details?

• I have an account which has currently-accurate contact details
• I have an account but the contact details are not accurate
• I do not have an account with Adobe

Q3: Were you notified when Adobe had everyone's account details stolen from them, and did they advise you to change your password? 

Not for corporate account but general Adobe one

I don't think so, but I don't remember for sure.

I received about 70(!) notices of password resets on a slew of test accounts I had created over the years.

I was notified three times, over the space of a month or so (all for the same account)

Q4: Have you ever been directly notified by Adobe regarding security issues in ColdFusion, be they patches or simply notifications of exploits?

Never received any email regarding ColdFusion.

Once I signed up for the mailing list.

Not that I recall.

Not that I can recall.

They never release anything except to the person who purchased the product. Often times I only realize it by the little explosion icon saying there is an update in cfadmin.

Yes, when signed up to the Adobe alert notification at http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert

Outside of the account breach I don't believe I've ever been notified. I *DO* however always get a followup email after I have downloaded ColdFusion asking me about my experience / sales pitch. So they have my address, and know I'm using ColdFusion :)

How about sending materials out to all the CFUG's? User groups don't exist solely to echo Adobe marketing you know. They'd be glad to help out.

Not as far as I can recall.

Q5: What is the primary way you find out about security issues in ColdFusion?

• Adobe Security Bulletins (notifications delivered to you)
• Adobe ColdFusion Blog
• Adobe ColdFusion Forums
• Adobe ColdFusion Team Twitter statuses (@ColdFusion)
• From the ColdFusion community (blogs, Twitter traffic, etc)
• Other (please specify)

The Adobe ColdFusion Facebook page. I've signed up for security bulletins now, thanks to this survey, I assume now I am going to get bulletins regarding all their products rather than just ColdFusion :(

It's random.

ColdFusion updated.

coldfusionbloggers.org

I actually use all of these because... I had signed up for the security bulletin emails but I never would receive any of them. I finally had to sign up again under a different email address to begin receiving the emails. To this day I never found out what the issue was with the original email I used. Regardless I still check all of these streams because I can't rely on Adobe to let me know.

Mainly community and news sites. Often when looking for bug fixes that might be in hotpatches.

Depends. Adobe Security Notifications most of the time, HackMyCF email notifications are most reliable though. Even remember when one patch seemed to be announced on Facebook first.

Multiple ways. Again from the Adobe notification from above and twitter. Honestly, the Adobe ColdFusion Blog does not communicate that well. Usually any notification there is cryptic and has to be corrected via comments on the blog post

Q6: Reaction to comment

In regards to this article - http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/ - which details hackers exploiting an insecure and unpatched ColdFusion server to steal data, how reasonable do you think this conclusion is: "the story is not about ColdFusion fails at all, but about IT failing to keep servers up to date to deal with already addressed security holes".

• Very reasonable
• Somewhat reasonable
• Neither reasonable or unreasonable
• Somewhat unreasonable
• Very unreasonable

Maybe IT knew about the exploits but weren't given the time of day by their management to make the fixes. I think it's as likely that bad management is to blame as IT's lack of knowledge. I think that patches are slow to be released by Adobe too, but that's not exclusive to Adobe. I don't feel it was CF's fault.

One of the servers in that article is one that I had to fix after it was exploited. The server wasn't fully patched and it was assumed the hosting company was doing updates.

Every system has security issues. It is up to us as a user or administrator to patch the system. The vendor has done its job by providing a patch and announcing it. However in this particular case, it would be better if ColdFusion has an auto update like in Windows or OS X. And, make sure every current or potential customers receive the information.

The servers should be able to check for updates and notify you through its own cfmail.

The truth is that admins did not patch their servers, but the story came across as blaming the use of ColdFusion, patched or not. I see very few stories about data breaches that blame the admins. Generally whatever software is being used takes the blame. This is not just for ColdFusion, it's just that CF doesn't seem to get any positive press, and Adobe sits quietly while their product takes a beating.

I would say that ultimately, IT administrators are at fault if their servers aren't fully patched. However, given how painful, complicated, and frought with opportunities for screwing up a ColdFusion installation were with the way updates were installed on ColdFusion 9 and below, I give admins a little bit of a break. Just think: how many blog articles has Charlie Aerhart written to explain how to install the various updates and hotfixes for ColdFusion 9?

I'm still on cf9 in production, so patching isn't easy. Generally it's a complex manual process, and the directions need some careful consideration to follow. Making a mistake can take a server down. And as this survey points out, notification doesn't arrive in my inbox, I need to stumble upon it somehow. Compare that with Centos, for instance, a free open source OS. I get email notifications the moment patches are released and an update is just a few command line keystrokes away. No complex instructions, manual downloads, etc to put me off doing it until I have my wits about me in a calm, distraction free moment (hour or two ...) I'm also reminded of the lockdown guide. I'm grateful the Pete Freitag wrote it and put it out there for free, but one gets the impression that he withholds enough information, and / or glosses over it, to make it at least somewhat likely that he's hired as a consultant. This should be coming from Adobe, not a private consultant with an interest in obtaining clients who apparently develops it in his spare time. And it should come with the documentation when the product is released, not a year afterward, which has been the case with the lockdown guide. To be fair to Pete, I don't think he's being paid to produce this, he likely can't afford to make it comprehensive. And yet, it's a key document underpinning CF security. Without it, securing a cf server would be much more difficult, utterly susceptible to misinformation, as amateur opinions traded and debated online would be the only source of information. But all that said, Adobe should be responsible for developing and providing this information! It should not be left to a single person with a family to support to do it in his spare time when he can get to it. I think this is a root of ACF's security problem.

The public perception has obviously been affected by the high profile articles on this topic. It seemed to me , in most cases, a good majority were versions that had not been upgrade or patched. There's only so much hand holding a company can do on that end of things.

I would have to lay partial blame on the company's IT department because the resources and tools are out there to guide you through the process of properly locking down a production ColdFusion server. That being said, I would lay equal, if not more, blame on Adobe for not communicating the importance of locking down a production server and/or making the process of locking down a production ColdFusion server easier. ColdFusion has never been an easy server to configure and manage, perhaps it's all the non Adobe moving parts (eg. various versions of IIS, apache, etc), at least that's what Adobe will tell you, but it seems like there's real room for improvement.

It is reasonable, however, all it takes is 1 unpatched server to bring down a company's product. This has happened in other languages too, but honestly, no one is running those types of applications in those languages so the global impact is minimal.

It is a failure of CF in being as open by default as it is. However, it is also largely a failure in that firms don't want to pay the high upgrade fees, so will often use older versions for a long time. This cost also leads to there being just one production server, no good testing environment where updates can be tested before deployment to prod. Also, I believe too often admins know very little about how to work with CF and will often just leave CF up and running with no action. Finally, too often the CF Dev is the admin as well, so updating the server may be at the back of their mind, but getting their regular day to day work done first takes priority. After writing all of that, I think it it actually maybe more of an Adobe Fail than a CF fail - the marginalized nature of the language just makes IT support for it more costly and difficult.

CF is a enterprise class product it should be secured and as bulletproof as possible. You wouldn't buy a Ferrari and anticipate needing to upgrade it's door locks or blame your mechanic for not knowing the door lock should be replaced.

That statement is not a complete picture and ignores the fact that there was indeed a significant security hole in ColdFusion.

The reality of the matter is that there are way TOO MANY unsecure ColdFusion servers out there. All one has to do is read the list of servers attacked by Laurie Love just in the New Jersey indictment, http://www.justice.gov/usao/nj/Press/files/Love,%20Lauri%20Indictment%20News%20Release.html Adobe does themselves no favor in that ColdFusion is not installed by default with secure settings. Microsoft learned this lesson with IIS, Adobe hasn't learned this. Also "Secure Profile" isn't all that secure. All the recommendations in the lockdown guides need to be integrated directly into the installer, not a separate guide that an admin might see. If they can't, the links to the guides need to be lit up in bright neon saying your install is not secure unless you do this. The other problem is patching ColdFusion before 10 (and still in 10, all the various instructions of do you need to re-run the connector or not) isn't easy. They expect people to upgrade to get bug fixes that have been broken forever (wait "works as designed", "deferred/not enough time", or "backwards compatibility"). And when they DO get a bug fix out how many times has it had to be re-released due to shit QA or it breaks something else unrelated (spreadsheet functionality) or introduces a vulnerability. This is what people are PAYING for and they wonder why it is "dying". Perception is reality, if a CIO has it in his head that ColdFusion in their environment is a huge risk, they are going to get it out of there. Without a quality message to the opposite from Adobe, it will persist. As seen with eLightBulbs.com, people don't upgrade if it is working for them and there are no compelling business reason to upgrade, regardless of the "new shiny" or latest (3 year old) mobile/social trend Adobe has targeted for "Enterprise Customers".

It's about CF fails to a certain extent, too. Unfortunately Adobe makes it impossible for sysadmins to keep on track with updates. Even in CF 10 where they have introduced some level to automated system, some patches are a pain in the neck to install. One wonders why Railo can do incredibly simple "2 mins" patching (or even fully automated) and Adobe can't.

Every time you have to patch an application server, you have to re-test everything. Some of ColdFusion's security patches have broken previously working code.The login / authentication security hole was actually INTRODUCED BY ADOBE as a hotfix for CF8 - and then left open in CF9 and CF10!

The admins are at fault, sure. But it's Adobe's fault the situation was there in the first place. It's because of the ColdFusion security hole that this became "a thing", not because the admins didn't patch something.

Q7: what do you think?

In your opinion should Adobe actively attempt to contact their client-base when (any?/significant?) security breaches in ColdFusion are identified, or is it the responsibility of the ColdFusion system administrators to ensure they are aware of and act upon security issues that might arise (and/or add any other comments you like; this is the last question, so have your say).

yes absolutely

It would make everyone's life easier if Adobe made it more obvious in My Adobe area how to register for security advise. It's a bit buried away in it's current form.

If there is no communication from Adobe, sys admins will not be urged to patch servers immediately. In a perfect world, servers/software will be up to date, but this doesn't happen. If Adobe doesn't inform their clients about security related issues with current versions, nobody will put in their time to investigate IF something is going on security wise with their CF installs. Pro active information from Adobe is very needed and the current way of handling these issues is a big show stopper for me to continue to work with Adobe coldfusion. I switched over to Railo and sticking with them.

Both... I believe Adobe should communicate better and more, but it's also the administrators responsibility to keep their servers up to date. It shocked me several times already when I'm consulting at clients and figure out the server administrators don't know where to find the information. They should look harder and at the same time Adobe should make it easier to find it.

They should be issuing notices, but it is also my job to make sure all our servers are patched.

I think one should opt out about these notifications.

Yes, they should make it one of their primary responsibilities. It's certainly not difficult to send out e-mails to their customers or even take the time to call their contacts directly. Why not put them in contact with their vendors for hardening their servers?

They should attempt to contact their client-base for any security breaches. They should do this via email, blogs, twitter or any other means of contact they have. That said, it's still the responsibility of the ColdFusion system administrators to ensure they're aware of any issues.

The only time Adobe has contacted me after downloading a product is to attempt to sell me more products. I suggest they implement something like their Adobe Cloud application for CF Developers and Network Administrators that proactively checks for updates and announcements.

I think Adobe definitely needs to be better at providing information about security patches. In the past I signed up for their security patch notification list, but I never saw any patch announcements. That said, knowing that Adobe does not announce these, server admins should be watching other sources to find vulnerabilities. There are a lot of 3rd party security notification services that would keep you informed. Also, CF 10 will tell you when patches are available (in CF Admin), so if you're lucky enough to have CF 10, you just need to pay attention when you go into the CF Admin.

There should be an option in your adobe profile to receive communication regarding patches and security issues that is enabled by default, but can be disabled.

Of course, Adobe should actively attempt to reach out their customers. On the other end, administrators are responsible to patch their system. Perhaps, both parties need to improve their communication, so they can act in timely manner.

I think Adobe should generally be more organised. Their bulletins are all over the place and are even sometime updated days after being initially published. There's not one master source of information. Sometime I hear about it in their blog, sometime not. The auto updater is a step forward but for Cf 9 it's not an option. The fact that things like unofficial updater 2 even exist should have them in shame.

Adobe should make every effort to contact its customers when there's a known security issue.

Adobe should proactively attempt to contact anyone that has ever dl'd CF to make them aware of patches when released, whether the patches are security related or not. CF10 makes life easier, but I still need to log in to my CF10 server to find out if patches are available - that reminds me, gonna do that now.

It should be both.

Yes, Adobe should contact their client base when security breaches in ColdFusion are identified

Both. Adobe should push notifications to all CF system administrators. At the same time, those system admins should be keeping up with what's going on in their community.

I don't belive Microsoft contacts their client-base every time there is a security patch in Windows or Office products. They just push out the fixes on patch Tuesday. When there is a dangerous zero-day security issue, they may release a patch on a non-scheduled day, but I don't thing they actually notify clients - usually such issues get a fair amount of media attention which gets the word out. With the updater built into CF10/11, putting out security fixes becomes easier - but admins still need to stay on top of their servers and install the updates. Security issues still need to be communicated to the customers so they know immediate action is necessary. So many organizations are still running on ColdFusion 9, so Adobe still needs to contact clients directly when security issues are uncovered and fixed. Those customers unwilling to upgrade to currently supported versions of ColdFusion (i.e. version 8 or below, and for whatever reasons) really have no one to blame but themselves if they fall prey to a security breach.

Adobe notifying their client base would be a big plus. Unfortunately, Adobe has never really been that kind of company. Any decent admin will have other sources of security/patch information and stay well informed.

Absolutely! I pay for licenses and support. If Centos can do this, they can. And as I said, they should also be responsible for developing, testing and publishing the lockdown guide, and it should come out as or before a server version is released!

Yes, it's their language and their profit margins that are on the line, as well as our necks!

I think System Administrator should be aware of all the security issues and if any patches are released it should be acted immediately in test server and in production

It might help them to keep some of their remaining customers. The whole CF10 debacle (like patches that destroy your scheduled tasks setting) and Adobe not being able to secure even their server (well, they're only a company that DEVELOPS AND SELLS server software and wants to advise their customers on how to secure their servers). were the last straw (after other insults like making so many features unusable in the Standard edition for the license to become a waste of money) and we migrated our company to Railo.

Yes, Adobe should notify the client base when security issues occur, and yet it is the responsibility of the system admins and developers to make sure they are on top of the issue, and not just depend on vendors for notification. The current hole is the communication is not just that the security issues exist, but the best way to fix them when they occur.

Primary it is the CF SA's responsibility. BUT in case of major threat, a direct contact from Adobe wouldn't hurt.

Sys admins.

It should be the SA's responsibility to provide proper contact information to Adobe and maintain it's currency, and Adobe should be responsible to provide that information to those individuals. Adobe should also make it easy to find news about recent issues.

Any help a vendor can provide makes them a more valuable vendor to keep in the future.

There is a grey area here for me on this question. I believe, since the the license information for the CF purchase is tied to an Adobe account, that efforts could easily be made to notify people in a more timely fashion for zero hour exploits. The other side to this is in certain companies, and organizations, the person that needs that notification would not be the email associated with the purchase. You then end up in a situation where some administrative assistant or purchasing agent is receiving the emails. I suppose you could tail this argument out of control and assess them marking it as spam/junk, clicking a link to not receive updates anymore, etc.

Yes, Adobe should actively attempt to contact their clients if they are aware of a security hole.

In my opinion ... Adobe should halt CF 11, make sure that the update process works seamlessly, configure the install of CF on all platforms so that it is hardened by default, and get the community and white hat hackers to pound it until people are as reasonably confident as possible that it as secure as possible. You know, bug bounties and all that. Of course new vulnerabilities might become known in the future, but that is what the update process is for. Once CF 11 is 'the most secure version of ColdFusion ever' then Adobe should release it and reach out to anyone who has purchased ColdFusion in the past as well as post in their blogs on their website and in their marketing to get people to upgrade. During the install process the user should be prompted to enter their email address to be notified of updates and security alerts. In the admin interface the user should likewise be able to subscribe to an update/security alert. Ditto on the Adobe website under your account. Adobe should hire and make known the name of the CF security officer responsible within the organization whose job it is to review incoming reports, bugs, news, follow the latest in web attack trends, etc who will be responsbile to make sure that security issues get a high profile within Adobe and that those are communicated to people who sign up for security notices. The person should have a blog and be approachable so that users with security questions can ask advice and get referrals. Through these kinds of steps Adobe can get in front of and put to rest this issue, which has the potential to continue to harm the product and its users. The old saying 'justice must not only be done, but be seen to be done' can be rephrased in this case as 'ColdFusion must not only be as secure as possible, but we must show the world that we will do whatever it takes to make sure it stays that way'. Good survey!

Yes, Adobe should actively attempt to contact their client-base when any security breaches in ColdFusion are identified.

When significant ColdFusion security breaches occur, it would be nice to receive alerts from Adobe, considering they already received our contact information when we registered with them. If nothing else, it would be nice to have RSS feeds for each product's security events. I find it kind of obnoxious that in order to receive security updates from Adobe (through email), I have to sign up to receive notices about ALL products. If I'm only interested in CF security bulletins, the community should have the option to only receive those updates.

If you're a registered user of ColdFusion, you should be actively contacted by Adobe when security breaches are identified. Since signing up for Security Bulletins and subscribing to the Adobe Product Security Incident Response Team (PSIRT) Blog, I will say that I'm happy with the level of communications regarding security issues in ColdFusion.

Yes, definitely

Yes, they should. I don't recall getting much information from them even though we have Gold support through them.

Adobe needs to take responsibility for the product that they are selling. If a LAMP site gets hacked, there is less 'salt in the wound' since the stack itself costs nothing. But justifying paying 7k+ one would expect a significantly higher level of security and some accountability in the event of a hack.

Both, but Adobe should be informing customers.

I think they both have the responsibility. As much grounds should be covered when security issues arise. Being 100% responsible for proactive actions should be the goal. Adobe needs to work on their communication skills, especially the upper management responsible for overseeing ColdFusion. And System administrators can't just sit back and assume all is right in the world. Not as long as we constantly have criminals looking for ways to steal data.

Admins are responsible. Security issues hit back to Adobe and the CFML community though. So better communication might pay off in the end.

It would be nice for Adobe to be more pro-active at pushing out security hotfix updates.

Both are responsible Adobe should contact the user base and make them aware. But any responsible Admin should be actively following the news etc for all the software installed on their server. --- Coldfusion is insecure by default. After installing it, admins are expected to make it secure. This is completely the opposite to what it should be.

Both. Adobe should have a plan and methods (email, social etc) to send out notifications, but the Sys Admins should still be on the ball.

Yes of course.

Adobe should actively attempt to contact their client-base. But even if they do so, this doesn't take the resonsibility from administrators to keep their systems up-to-date. Breaking into a CF Server through an openly available unsecured CFIDE dir isn't a security breach, IMHO. It's more like inviting trouble.

It should be the responsibility of both. Adobe should however make it as easy as possible to find out or stay updated. There should be no reason to not know. Additionally were all lazy by nature so making it easy is the most likely way to avoid future breeches.

Adobe needs to be much more active in communicating security issues, and in pushing those notifications to interested devs/admins. If they are not going to use our contact information, they should offer some sort of push-based mailing list we can register for through which they can deliver notifications directly to us.

Yes. The always seem to follow up when ever I download a copy of ColdFusion, it should become an automatic opt-in for security notices. For as big as Adobe is, you'd think they'd have a decent communication/pr groups but seems like those resources are not given to the ColdFusion team. Then again Adobe as a whole doesn't communicate well regarding security.

I'm 99% certain of signed up for Adobes security notices in the past but i honestly can't remember ever getting an email. I just signed up again. http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert

Both! Being/staying secure should never be optional knowledge. One or both sides would be pretty ignorant otherwise. People pay good money to have a secure (or as secure as possible) product produced and maintained by Adobe/ACF Team. Without a doubt, whatever contact info is stamped on the account referenced to said server license(s), Adobe should indefinitely contact that client regarding vital info and/or steps to prevent and lock down any potential issues; not just publicly on a website. This alone is a priceless value that renders Adobe more valuable to the client in my opinion. On the flip side, whoever is maintaining said server(s) should damn well be on their game in regards to keeping the environment patched and secure. Company protocols and the lot regarding what can be updated/upgraded else risk compat issues etc. can go to hell in this instance. If your CF server is out of date with patching and general lock down concepts, you need to get it patched. Period. If you host valuable/sensitive information then you should be taking this stuff serious. Period. This mindset shouldn't just apply for CF either! I'll note however that I do not expect every sysadmin or whoever maintains a given CF server to be up to date from the usual go-to internet sources for CF info like Twitter and CF Community Blogs (though I'd highly recommend it!). There are a solid number of 9-5ers who do what they do and leave it at work. Which is why the process should still circle back to it being on Adobe to at least _attempt_ to make more "personal" contact with their clients on updates/issues. Cheers!

I think it is a duel responsibility. As someone who recently had a coldfusion server compromised I squarely place the blame on myself for not keeping Coldfusion updated with the most recent patch. I do however think that Adobe has an obligation to notify customers. We are not talking about something here that is open source. The financial investment that is made when choosing Coldfusion should include a certain level of support.

Adobe has the email address of everyone who downloads cf and has purchased a license so I find it hard to think of a reason that adobe can't send a simple email out when a security risk.is identified. After all they have no problem sending emails to promote buying the latest adobe product.

I think it's their "moral duty" to expend whatever effort is required to make sure word about exploits and vulnerabilities gets out to as many people as possible. This requires multiple channels: social media, blog postss, direct emails and for those customers with Gold Support contracts I think that followup phone calls should be considered.

There should be a way to subscribe to bulletins posted, with an obvious way to sign up.

Yes!

Adobe needs to do a far better job at communicating important server updates.

Perhaps not for every single exploit, especially since there is an option to sign up now. However, given the severity and level of exploitation of some of the vulns released last year I would have actively sent out notification if I were them. That being said, I do not personally own any CF server licenses so I cannot confirm whether or not they contacted license holders.

Developers are not in most cases the system administrators. I have been suggesting since the Allaire days that you let people have a place to plug system administrators emails into the server. Maybe even prompt for them to be filled out the first few times you log in. Do not send any marketing whatsoever to these people, just emails notifying them of the need for updates along with clear instructions. Clear enough that someone who knows nothing about ColdFusion could follow. Maybe even grab their cell numbers and send them a text message. Lots of times these same people are constantly lobbying management to replace CF with ASP.Net, don't give them more ammunition. They're not going to say they failed to patch the server in a timely manner - they will blame ColdFusion!!!

Contact people. Make every attempt. Act like you care.

Yes. As a commercial product that we pay big bucks for, I would expect them to email and/or phone us to notify of updates and security issues. But they don't (at least not for CF9).

Absolutely they should let us know

yes

Certainly as soon as they have a fix for a security issue, Adobe should notify ALL ColdFusion customers in their database - including trial account users who have downloaded the affected version(s).

Yes they should attempt contact, but it is also a sys admin's duty to keep informed and updated/patched.

Adobe should use every means they have to let their customers / users / developers know when there is a secuirty hole in their software and that there is a patch / fix to be applied. That being said, it is still up to the admin / developers to be on the lookout for these things as well, thus the reason I subscribe to a number of blogs, follow a number of CF devs on twitter, have them on the FB and everything else I can think of.... One big suggestion, how about a listserv hosted by Adobe just for ColdFusion Security Alerts...........

I think to be an effective administrator you need to be active seeking out issues

I think that a software company should allow for customers/users to sign up for notifications, preferably with some level of granularity. Then that company should send notifications, with the proper urgency, and in the method(s) that the customer chose. This is pretty basic, no? Furthermore, I think that have applications like this should have the ability to have push notifications enabled in the Admin (ala CF 10 and up) and frankly, it wouldn't be a bad idea to back-port, at the very least, the notification part of the CF 10 auto update to prior versions of CF regardless of support level. It's just good PR if nothing else: the fewer such articles as mentioned in this question, the better it is for said software company.

They have the information, so yes they should. Perhaps not for every single update that's pushed out to CF10 via the auto updater (but why not?); but for serious security holes that have been demonstrated to cause financial damage and also damage Adobe's own reputation, it's negligent and foolhardy for them not to.

//RailoVersion.cfc
component {

    function ucase(s){
        echo("ucase() method was called<br>")
        return s.toUpperCase()
    }

    function viaUnscoped(s){
        return ucase(s)
    }

    function viaScoped(s){
        return variables.ucase(s)
    }

}

<cfscript>
// railoTest.cfm

/*
// will not compile.
function ucase(s){
    writeOutput("ucase() UDF was called<br>");
    return s.toUpperCase()
}
*/

uCase = function(s){
    echo("ucase() function expression was called<br>")
    return s.toUpperCase()
}

o = new RailoVersion()
s = "tahi,rua,toru,wha"

echo("Using method<br>")
echo(o.ucase(s) & "<hr>")

echo("Using unscoped reference within CFC<br>")
echo(o.viaUnscoped(s)& "<hr>")

echo("Using scoped reference within CFC<br>")
echo(o.viaScoped(s)& "<hr>")


echo("Using unscoped ucase() within CFM<br>")
echo(ucase(s)& "<hr>")

echo("Using scoped ucase() within CFM<br>")
echo(variables.ucase(s)& "<hr>")
</cfscript>

• declared via a function statement as a method in a CFC
• declared via a function statement as a function in a CFM
• declared via a function expression as a function in a CFM

• Using a method call on an object: no problem, and the UDF is called. This is not surprising.
• Using an unscoped reference within a CFC calls the BIF, not the UDF. This is what Alex was experiencing with map().
• Using a scoped reference within the CFC calls the UDF. Calling it this way disambiguates between the BIF and the UDF.
• Using an unscoped ucase() within a CFM unsurprisingly results in the BIF being called.
• And finally using a scoped reference to ucase() within a CFM also disambiguates between the two, and the UDF is called.

sort()

numbers = [
    {maori="wha", digit=4},
    {maori="toru", digit=3},
    {maori="rua", digit=2},
    {maori="tahi", digit=1}
]

arraySort(numbers, function(v1,v2){
    return sgn(v1.digit - v2.digit)
})
dump(numbers)
echo("<hr>")

numbers.sort(function(v1,v2){
    return sgn(v2.digit - v1.digit)
})
dump(numbers)

filter()

answers = {
    angela    = "purple",
    bob        = "orange",
    carol    = "green",
    dave    = "purple",
    emma    = "orange",
    frank    = "purple"
}

uniqueAnswers = structFilter(answers, function(key, value, struct){
    return arrayLen(structFindValue(struct, value, "all")) == 1
})
dump(uniqueAnswers)
echo("<hr>")

sharedAnswers = answers.filter(function(key, value, struct){
    return arrayLen(structFindValue(struct, value, "all")) > 1
})
dump(sharedAnswers)

each()

numbers = ["tahi","rua","toru","wha"]

each(["single"],function(value,index,array){
    dump(arguments)
})
echo("<hr>")

arrayEach(numbers, function(v){
    echo (v & "<br>")
})
echo("<hr>")

numbers.each(function(v){
    echo(v.toUpperCase() & "<br>")
})

map()

answers = {
    angela    = "purple",
    bob        = "orange",
    carol    = "green",
    dave    = "purple",
    emma    = "orange",
    frank    = "purple"
}

individualsAnswerUniqueness = map(answers, function(key,value,struct){
    return {colour=value,factor=arrayLen(structFindValue(struct, value, "all"))}
})
dump(individualsAnswerUniqueness)
echo("<hr>")

reduce()

answerTally = answers.reduce(function(previousValue,key,value,struct){
    if (!structKeyExists(previousValue, value)){
        previousValue[value] = {
            tally    = 0,
            people    = []
        }
    }
    previousValue[value].tally++
    arrayAppend(previousValue[value].people, key)
    return previousValue
}, {})
dump(answerTally)

numbers = [1,2,3,4]
sum = numbers.reduce(
    function(prev,current){
        return prev+current;
    },
    0 // this is the starting point
)
dump([numbers,sum])

some()

param name="URL.showTelemetry" default=false; // need a semicolon here for some reason

numbers = ["tahi","rua","toru","wha","rima","ono","whitu","waru","iwa","tekau"]

some = numbers.some(function(v,i,a){
    if (URL.showTelemetry) echo("Checking: #i# #v#<br>")
    return v[1] == URL.letter
})
echo("Does #numbers.toString()# contain any numbers starting with '#URL.letter#'? #some#<hr>")

every()

every = numbers.every(function(v,i,a){
    if (URL.showTelemetry) echo("Checking: #i# #v#<br>")
    return v.length() >= URL.length
})
echo("Are all of #numbers.toString()# at least #URL.length# characters long? #every#<hr>")

What's next?

numbers = ["one","two","three","four"];
numbers.each(function(value,index){
    if (value=="one") {
        numbers.append("five");
    }
    writeOutput("Index: #index#; value: #value#<br>");
});
writeDump(var=numbers);

numbers = ["one","two","three","four"]
numbers.forEach(function(value,index,array){
    if (value=="one") {
        numbers.push("five")
    }
    console.log("Index: "+ (index+1) + "; value: "+ value)
})
console.log(numbers)

numbers = ["one","two","three","four"]
numbers.each_with_index { |value,index|
    if value=="one" then
        numbers.concat ["five"] 
    end

    puts "Index: %d; value: %s" % [index+1,value]
}

numbers = [
    {maori="wha", digit=4},
    {maori="toru", digit=3},
    {maori="rua", digit=2},
    {maori="tahi", digit=1}
]

dump(numbers.sort(function(v1,v2){
    return sgn(v1.digit - v2.digit)
}))

function customRankings(required array options, required string field, boolean throwOnNoMatch=false){
    return function(v1,v2){
        var v1Place = options.findNoCase(v1[field])
        var v2Place = options.findNoCase(v2[field])

        if (v1Place && v2Place){
            return sgn(v1Place - v2Place)
        }
        if (throwOnNoMatch){
            throw(type="IllegalValueException", message="Incorrect value in sort field", detail="Sort field must contain only #options.toString()#")
        }

        if (v1Place){
            return -1
        }

        if (v2Place){
            return 1
        }

        if (isNumeric(v1[field]) && isNumeric(v2[field])) {
            return sgn(v1[field] - v2[field])
        }

        return compareNoCase(v1[field], v2[field])
    }
}

medalSorter = customRankings(["gold","silver","bronze"], "place")

raceResults = [
    {lane=1, name="Angus", place="silver"},
    {lane=2, name="Barbara", place="gold"},
    {lane=3, name="Colin", place="5th"},
    {lane=4, name="Ethel", place="4th"},
    {lane=5, name="Faisal", place="bronze"}
]

dump(raceResults.sort(medalSorter))

1. a function which returns a sort callback based on the rankings provided;
2. creating a sorter for the given rankings;
3. sorting data by the sorter.

function customRankings(required array options, required string field, boolean throwOnNoMatch=false){
    return function(v1,v2){
var v1Place = options.findNoCase(v1[field])
var v2Place = options.findNoCase(v2[field])

if (v1Place && v2Place){
return sgn(v1Place - v2Place)
}
if (throwOnNoMatch){
throw(type="IllegalValueException", message="Incorrect value in sort field", detail="Sort field must contain only #options.toString()#")
}

if (v1Place){
return -1
}

if (v2Place){
return 1
}

if (isNumeric(v1[field]) && isNumeric(v2[field])) {
return sgn(v1[field] - v2[field])
}

return compareNoCase(v1[field], v2[field])
    }
}

1. an array of options to sort on. The order in the array represents highest to lowest (eg: ["gold","silver","bronze"]).
2. A field in each structure to use for sorting. This example only works on an array of structs, obviously.
3. Optionally whether to allow any value in that field, or to throw an error if there's a different value.

• find the values in the array of options
• if they're both found, sort on those two as per the normal sorting rules
• if they're not both found, and if we're flagged to raise an error if this happens, do so
• otherwise if either item contains one of the sort options, it is ranked higher than the other value
• finally - so neither value is one of the options - either treat them numerically if possible, otherwise as strings, and sort on that.

raceResults.sort(medalSorter)

numbers.sort(function(v1,v2){
    return sgn(v2.digit - v1.digit)
})

raceResults.sort(customRankings(["gold","silver","bronze"], "place"))

raceResults = [
    {lane=1, name="Angus", place="silver"},
    {lane=2, name="Barbara", place="gold"},
    {lane=3, name="Colin", place="5th"},
    {lane=4, name="Ethel", place="4th"},
    {lane=5, name="Faisal", place="bronze"}
]
medalSorter = customRankings(["gold","silver","bronze"], "place")
dump(raceResults.sort(medalSorter))

rugbyRankings = [
    {country="Australia", ranking="3rd"},
    {country="England", ranking="4th"},
    {country="New Zealand", ranking="1st"},
    {country="South Africa", ranking="2nd"}
]
ordinalSorter = customRankings(["1st","2nd","3rd","4th"], "ranking")
dump(rugbyRankings.sort(ordinalSorter))

Should we make merge them to one function with a new argument "short:boolean"?

It's bad coding practice to add boolean arguments to a function. I recommend using a mask - as with dateFormat() - instead (as that actually reflects what you want to be doing. A boolean is meaningless)

I disagree. IMO It's a bad idea to use string arguments to a function in an untyped language like CFML. A boolean is very meaningful when there are only two options as long as the argument name is descriptive. Then you know that the value is either true or false, not "milliseconds", "millisec", "millis", "milli", "ms", "m", etc. If you use a strongly typed language where the IDE can type it for you then it's a different story.

Boolean arguments are a code smell. Mr Green is right. "Robert C. Martin's Clean Code Tip #12: Eliminate Boolean Arguments""avoid boolean parameters" and "Code Smell Metrics" also talks about this.

I still disagree. the examples you cited use a strongly typed language where you can use enums and static variables, which is very different from passing a string value to a function as an argument.

This might be a good rule for Java, but not for CFML and its like (ie: The Application).

Read the articles again. It's nothing to do with the type system: boolean flags are a code smell in any language.

Of course that it has to do with type system. In a strongly-typed language the IDE and/or compiler will autocomplete/check the values for you so there is no possibility of you to make a mistake like writing getTickCount('nanoseconds') when the correct value should be getTickCount('nanos'), or maybe it is getTickCount('nano')... who knows?

In a typed language you will pass a value that is checked at edit time so that you don't get weird behavior at runtime with months going by before you even find out that there is a bug somewhere in the code.

I'm sorry Mr Red but you are completely and utterly wrong: this has absolutely nothing to do with types or IDEs and absolutely not "better" than some string. You are totally missing the point here. A Boolean value has absolutely no semantics beyond a binary flag. It doesn't describe anything. That's why it is a code smell. foo(42, true, false) vs foo(42, true, true) vs foo(42, false, false). That's a useless API that tells you nothing about what the calls mean. You have to know the implementation: so Boolean flags are a leaky abstraction.

You are certainly entitled to your strong opinions, Mr Blue, but that does not mean that I am wrong. of course that the words true and false do not have a semantic value. The semantic value is in the argument name.

There is one thing that is much worse than the lack of semantics and that's the passing of strings which are prone to errors and are less efficient in checking.

IMO a function that is declared as:
find(string input, string substring, boolean ignoreCase)
which you would then call as
find("abcde", "Bc", true)
is much better than
find(string input, string substring, string flags)
which will be called as
find("abcde", "Bc", "ignoreCase")
or maybe it was "notCaseSensitive"? or perhaps "caseInsensitive"? or...

That article "avoid boolean parameters" is
from 2004, at that time I was still using Allaires Kawa Editor (I
think) and for this editor that argument maybe was valid, but in Eclipse or
Netbeans a simple mouse over tells me the function arguments, problems
today in Java is not having boolean arguments, problem is having 100
methods in a class that are slightly different and this is exactly what the
article suggest, to more methods! I always try to reduce methods in my
classes.

Maybe it is handy to read existing code when you have 1000 of slightly
different methods, but it is certainly bad for writing code.

That is the point, Mr Red's way is handy to write code, Mr Green's solution is handy
to read code. Mr Red knows that I hate to at new functions to The Application, I'm
afraid of the "PHP Effect", having 1000 of functions doing slightly the same.

Be it from 2004, is there industry consensus that has decided "clean code" is not still something to strive for? Or that the premises offered somehow are now incorrect? (Not a purposely rhetorical question, but I suspect know the answer)?

Considering the function at hand, a boolean argument - whether or not boolean arguments are poor programming or not - is simply painting one's self into a corner anyhow. It's not a case of "short: yes or no": In English - I cannot vouch for other languages - there are at least three accepted shortenings of a day of the week: "d", "dd", "ddd" (with "dddd" being "long-form"). How does one reflect that with a boolean? If we have one or the other, which are we picking?

Mr Purple has speciously posed that a boolean argument is better than multiple functions. This is tenuous, but irrelevant here: no-one's suggesting that. I suggested having a mask which one can use which offers all the required functionality (a boolean doesn't), has an already-set precedent in the language (date/time format), and also doesn't suffer from Mr Red's concern that invalid strings can cause unexpected errors. If the mask is not one of the supported patterns: the code can simply error.

Mr Red does offer a reasonable suggestion that Java offers enumerations to cover optionality rather than strings. CFML doesn't, and there's a healthy precedent there to invalidate that position, but if we were to decide that using enumerations are better than strings... cool... implement that.

But using a boolean is an invalid suggestion here.

I'm sorry, I should have clarified: my comments were about the general statement against boolean arguments, and not specifically to the Format functions.

Formatting functions and their like should take a mask for an argument -- I wasn't suggesting that we add 17 boolean arguments instead of a mask ;)

Have waited too long to say this. I'm an employee of @mozilla and I'm asking @brendaneich to step down as CEO.
— Chloe Varelidi (@varelidi) March 27, 2014

Supported List member functions