Brian
Member since Nov 15, 2024
- Profile: /members/14683-brian.htm
- URL: https://hoyahaxa.com/
- Comments: 6
Recent Blog Comments By Brian
- Considering Encrypting Passwords At Rest In ColdFusion
  Posted on Nov 22, 2024 at 4:15 PM
  @Ben Nadel, Gotcha - thank you for the clarification! An informative and interesting read, as usual....
- Considering Encrypting Passwords At Rest In ColdFusion
  Posted on Nov 22, 2024 at 3:40 PM
  @Ben Nadel, This applies to when the user is supplying the already encrypted value. I thought that's what your code was doing (decrypting something passed in a URL parameter or cookie), but maybe I got that wrong. It's admittedly complex stuff and almost like magic when you see it work....
- Considering Encrypting Passwords At Rest In ColdFusion
  Posted on Nov 22, 2024 at 3:17 PM
  AES operating in CBC mode is the best algorithm to choose... but you need to be aware of padding oracle attacks when using block ciphers in CBC mode. Padding oracle attacks are a side-channel cryptanalysis attack where an attacker can decrypt and encrypt arbitrary data without knowledge of...
- Inspecting The Form Upload File Field Metadata In ColdFusion
  Posted on Nov 17, 2024 at 4:21 PM
  Thanks for the shoutout! Glad it was helpful!...
- Inspecting The Form Upload File Field Metadata In ColdFusion
  Posted on Nov 16, 2024 at 1:13 PM
  @Ben - There are probably many ways to avoid this, and I have no idea which way is best. The perennial issue of needing to carefully validate user-supplied input! In Lucee you can do something like GetPageContext().formScope().getUploadResource(arguments.formField).getName() to get the f...
- Inspecting The Form Upload File Field Metadata In ColdFusion
  Posted on Nov 15, 2024 at 10:38 PM
  Great article! I'll add that getCanonicalPath() behaves a little differently on Lucee vs. ACF. On ACF, getCanonicalPath() will return an error if you pass in Virtual Filesystem paths, and not fetch the path. But Lucee will accept local filesystem paths or VFS paths, so you need t...