Russ Michaels has created CF Live, an online tool that lets you enter CFML code for execution on ColdFusion or Railo. If you want to tinker with CFML (albeit with some language restrictions for security’s sake), then give it a try.
Oh, CF Live tests against ColdFusion 9 Enterprise on Windows 2008, as you can see by using it to run the following:
Personally, I hope he turns off the massive amounts of data he gives out for exceptions. That seems like a bigger security issue.
Kevin,
How would you debug without the debug output?
what risk is there to see the exception for your own code?
Lawless:
Yeah, I am less concerned about someone’s code. I would be more concerned with server security. While some items are sandboxed, you can still see template path information. This is a bit different use case, but you typically want to keep debugging off outside an internal network.
Kevin
The debug output and info is only for the code you enter and run in the textarea not for the site itself, the site itself runs on a completely different instance and does not show debugging info. The service is not intended for you to host live production code, it is for development and testing, thus why the debug is enabled, so users can debug code and see errors.
As you are unable to read/write/save files to the server or use Java (see the about page), I would be interested to know exactly what threat/risk you believe seeing the path info provides, especially seeing as that info is freely available using several functions anyway, please can you provide details ?
Leave a Reply