Fusebox 5 and Sandbox Security
September 23, 2007 · 7 Comments
I just spent some time helping a friend who was trying to get Fusebox 5 (actually Fusebox 5.5) running on a shared host that has sandbox security enabled with createObject(java) disabled.
In Fusebox 5.1, we fixed a bug with locale-specific dates and we also sped up the parsed file writer, both by dropping down into Java.
That means that Fusebox 5.1 and Fusebox 5.5 (Public Beta Candidate 0 and earlier) will not run on such shared hosts.
However, since the Java class usage is both fairly localized and also intended only to affect performance / accuracy of detecting when to reload in development mode, it seemed reasonable to automatically fall back to non-Java code if the sandbox prevents access to Java code.
I just committed build 5.5.0.581 which includes that fix (and one or two others since PBC0 appeared) and my friend has successfully installed Fusebox 5.5 with that build and is up and running.
Tags: coldfusion · fusebox
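
One way to structure the automatic fallback described in the post, as an added CFML example that is not Fusebox's own code. The component, its function names, and the choice of java.io.File versus cfdirectory for reading a file's timestamp are assumptions made for illustration.

```cfml
<!--- Added example: hypothetical helper, not taken from the Fusebox source. --->
<cfcomponent output="false" hint="File timestamp lookup that degrades when Java access is blocked">

	<cffunction name="init" returntype="any" access="public" output="false">
		<!--- Probe once at startup instead of paying for a try/catch on every call. --->
		<cfset variables.javaAllowed = probeJava() />
		<cfreturn this />
	</cffunction>

	<!--- With createObject(java) disabled in the sandbox, the call below throws. --->
	<cffunction name="probeJava" returntype="boolean" access="private" output="false">
		<cftry>
			<cfset createObject("java", "java.io.File") />
			<cfreturn true />
			<cfcatch type="any">
				<cfreturn false />
			</cfcatch>
		</cftry>
	</cffunction>

	<cffunction name="isJavaAllowed" returntype="boolean" access="public" output="false">
		<cfreturn variables.javaAllowed />
	</cffunction>

	<!--- Returns a number usable for "is A newer than B" checks.
	      Values from the two code paths use different scales, so only compare
	      results obtained from the same instance. Returns 0 if the file is missing. --->
	<cffunction name="getLastModified" returntype="numeric" access="public" output="false">
		<cfargument name="path" type="string" required="true" />
		<cfset var listing = "" />
		<cfif variables.javaAllowed>
			<!--- Java path: epoch milliseconds, independent of server locale. --->
			<cfreturn createObject("java", "java.io.File").init(arguments.path).lastModified() />
		</cfif>
		<!--- Fallback path: native CFML only, permitted inside the sandbox. --->
		<cfdirectory action="list" name="listing"
			directory="#getDirectoryFromPath(arguments.path)#"
			filter="#getFileFromPath(arguments.path)#" />
		<cfif listing.recordCount EQ 0>
			<cfreturn 0 />
		</cfif>
		<!--- Seconds since 1970 in server-local time; coarser than the Java value. --->
		<cfreturn dateDiff("s", createDate(1970, 1, 1), listing.dateLastModified[1]) />
	</cffunction>

</cfcomponent>
```

The probe only decides which implementation runs; it does not widen what the sandbox permits, since the fallback uses tags the host has already allowed.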

7 responses so far ↓
1 Marco Di Folco // Sep 24, 2007 at 3:39 AM
2 Sean Corfield // Sep 24, 2007 at 8:08 AM
Disabling createObject(java) is intended to improve security by disabling access to the underlying Java engine (file system access, network stuff etc).
3 Matt Ford // Sep 24, 2007 at 10:29 AM
4 Martin Gara // Sep 25, 2007 at 6:21 AM
5 Sean Corfield // Sep 25, 2007 at 11:18 AM
http://svn.fuseboxframework.org/framework/trunk/
6 Adam Ness // Sep 25, 2007 at 2:40 PM
@Matt - In my experiments, it looks like the sandboxes created by ColdFusion are actually Java Sandboxes, so if what you're trying to prevent is file and network access, the CF Sandbox will impose the same restrictions on Java classes as it would on its own processes.
The only way out of the CF/Java Sandbox would be to use another technology, such as COM, .NET or CORBA objects.
7 Martin Gara // Sep 26, 2007 at 3:52 AM