ColdFusion MIMEFile Upload Security Issue Workaround

June 30, 2009

If you haven’t heard by now, there is a huge security vulnerability in using cffile to upload files: the accept attribute only checks the MIME type the browser declares for the file, and the uploader controls that, so a .cfm script sent with an image Content-Type sails straight through an "images only" check. This affects every CF application that accepts uploads and relies on accept, and it is being exploited as we speak. There is a ton of information out there about what causes it and how to perform the exploit, however no one is doing anything about it at the moment to fix it. Needless to say, I wasn’t going to just sit by and wait for someone to fix it, so naturally, I came up with a pretty slick solution on my own. Below is a link to download a UDF that you should be able to use as a replacement until this whole thing gets sorted out.
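Whatever a replacement UDF does, the check it cannot skip is the one cffile's accept attribute gets wrong: decide from the bytes that were actually saved, never from the Content-Type the client sent. The script below is an added example written for this page in shell, not the author's UDF and not ColdFusion code; it sniffs the leading bytes of a saved file (JPEG, PNG and GIF signatures, so it covers a little more than the single image case), requires the extension to agree, and accepts a client MIME argument only to ignore it. The sample "uploads" it builds, including the CFML script an attacker would send renamed to .jpg, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the UDF from the post and not ColdFusion code: the
# check a replacement for cffile's accept attribute has to make. The MIME
# type the browser declares (what accept compares against) is ignored;
# the decision rests on the saved file's leading bytes and its extension.
set -e

# First 8 bytes of a file as lowercase hex, e.g. "89504e470d0a1a0a" for PNG.
magic_hex() {
  od -A n -t x1 -N 8 "$1" | tr -d ' \n'
}

# Type the bytes say the file is (jpg, png, gif) or "unknown".
sniff_type() {
  case "$(magic_hex "$1")" in
    ffd8ff*)                     echo jpg ;;      # JPEG SOI marker
    89504e470d0a1a0a)            echo png ;;      # PNG signature
    474946383761*|474946383961*) echo gif ;;      # "GIF87a" / "GIF89a"
    *)                           echo unknown ;;
  esac
}

# Lowercased extension with jpeg folded into jpg; "none" when there is no dot.
ext_of() {
  name=${1##*/}
  case "$name" in
    *.*) ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z') ;;
    *)   ext=none ;;
  esac
  case "$ext" in jpeg) ext=jpg ;; esac
  echo "$ext"
}

# validate_upload <saved-file> <client-declared-mime>
# Returns 0 only when the sniffed type and the extension agree and the type
# is one we serve. $2 is taken so the signature mirrors what a cffile wrapper
# would receive, but it is never consulted: the client chose it.
validate_upload() {
  detected=$(sniff_type "$1")
  [ "$detected" != unknown ] && [ "$detected" = "$(ext_of "$1")" ]
}

# Constructed sample uploads: two genuine image headers, and the file an
# attacker actually sends (a CFML script), once with its own extension and
# once renamed to .jpg. In the real attack both arrive as "image/jpeg".
SAMPLES=$(mktemp -d)
printf '\211PNG\r\n\032\n'   > "$SAMPLES/photo.png"   # 89 50 4e 47 0d 0a 1a 0a
printf '\377\330\377\340'    > "$SAMPLES/photo.jpg"   # ff d8 ff e0
printf '<cfset x = "shell">' > "$SAMPLES/shell.cfm"
cp "$SAMPLES/shell.cfm" "$SAMPLES/shell.jpg"
```

In a CF wrapper the file to pass in is the one cffile reports in its serverDirectory/serverFile result after the upload has landed in a scratch directory outside the web root; if the check fails, delete it there rather than moving it anywhere a request could reach.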

Reviving a git-svn clone

June 17, 2009

Thank you Martin Krafft, you saved my ass and I don’t even know you 🙂

Here’s the problem. I’m mirroring the CFWheels SVN repo (please migrate to github) using git and github. Last week my cygwin installation took a dive and in the midst of trying to fix it, I screwed up my local git repo used to do this mirror (completely my fault and not git’s or cygwin’s. Yes, I’m an idiot).

Anywho, I finally got everything up and running with cygwin, but now came the problem of getting the mirror working again. In the past to accomplish this, I actually did a forced push to the master branch on the mirror. It was OK since no one at the time had forked the mirror so it didn’t hurt anything. But now we have some people who have forked the mirror, so this isn’t an option for me any more. I actually had to figure out how to fix this.

After A LOT of searching and reading here is how I revived my git mirror of the CFWheels SVN repo. It turned out to be four simple git commands:

$ mkdir cfwheels
$ cd cfwheels
$ git clone
$ git svn init
$ git update-ref refs/remotes/git-svn refs/remotes/origin/master
$ git svn rebase

Now to explain each line (so I don’t forget):

$ mkdir cfwheels
$ cd cfwheels

Obviously I’m making a directory on my machine called cfwheels and switching to it (basic stuff)

$ git clone

Here I’m cloning the svn mirror repo from github.

$ git svn init

Here I’m telling git-svn where the CFWheels SVN repo on Google Code lives. This writes the svn-remote configuration into my local git repo; refs/remotes/git-svn is the tracking ref git-svn uses for that remote.

$ git update-ref refs/remotes/git-svn refs/remotes/origin/master

This is the secret sauce! What I’m doing here is pointing the git-svn tracking ref (refs/remotes/git-svn, the ref for the remote configured by the “git svn init”) at the same commit as the tip I grabbed from GitHub (refs/remotes/origin/master, created for you by the “git clone”). Every commit in the mirror still carries the git-svn-id line git-svn wrote when it first imported it, so once the ref points at that history git-svn can rebuild its revision map from those lines instead of re-importing the whole SVN repo.

$ git svn rebase

Now that the two refs point at the same commit, I’m able to fetch the revision information from Google Code. What you’ll see at this point is a flood of lines on the screen, one per commit in the SVN repo, as git-svn rebuilds its revision map from the git-svn-id lines. At the end you should get the following message:

Done rebuilding .git/svn/git-svn/.rev_map.d8ff095c-9719-0410-9cd3-1dd5d13d90f5
Current branch master is up to date.
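To see exactly what the update-ref step does without touching Google Code, here is an added example (not part of the original post) in shell. It builds a throwaway stand-in for the GitHub mirror whose commits carry the git-svn-id trailer that git-svn writes on every imported commit, clones it, seeds refs/remotes/git-svn from origin/master, and then reads back the SVN revision git-svn would find at the tip. The SVN URL, repository UUID and commit identity are all made up; no SVN server or git-svn binary is needed, so the "git svn init" and "git svn rebase" steps are marked but not run.

```shell
#!/bin/sh
# Added example (not from the original post): the ref-seeding step from the
# procedure above, exercised against a local stand-in for the GitHub mirror.
# Only plain git is required; the two git-svn commands are not executed.
set -e

WORK=$(mktemp -d)
# Constructed identity, SVN URL and repository UUID; none of them is real.
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid
SVN_URL=http://example.invalid/svn/cfwheels/trunk
SVN_UUID=00000000-0000-0000-0000-000000000000

# Commit one file into the stand-in mirror with the trailer git-svn adds to
# every imported commit:  git-svn-id: <svn-url>@<revision> <repository-uuid>
svn_style_commit() {          # $1 = file name, $2 = svn revision number
  echo "r$2" > "$WORK/mirror/$1"
  git -C "$WORK/mirror" add "$1"
  git -C "$WORK/mirror" commit -q -m "import r$2" -m "git-svn-id: $SVN_URL@$2 $SVN_UUID"
}

make_mirror() {
  git init -q "$WORK/mirror"
  git -C "$WORK/mirror" symbolic-ref HEAD refs/heads/master   # fixed branch name
  svn_style_commit a.txt 1
  svn_style_commit b.txt 2
}

# The revive procedure from the post, minus the two git-svn commands.
revive() {
  git clone -q "$WORK/mirror" "$WORK/cfwheels"
  # "git svn init <svn-url>" would go here: it only writes config.
  git -C "$WORK/cfwheels" update-ref refs/remotes/git-svn refs/remotes/origin/master
  # "git svn rebase" would go here: it rebuilds .rev_map from the trailers.
}

# 0 when refs/remotes/git-svn and refs/remotes/origin/master name the same commit.
refs_match() {
  [ "$(git -C "$WORK/cfwheels" rev-parse refs/remotes/git-svn)" = \
    "$(git -C "$WORK/cfwheels" rev-parse refs/remotes/origin/master)" ]
}

# The SVN revision git-svn would read back from the tip of the seeded ref,
# i.e. the point from which "git svn rebase" resumes instead of starting at r1.
last_svn_rev() {
  git -C "$WORK/cfwheels" log -1 --format=%B refs/remotes/git-svn \
    | sed -n 's/^git-svn-id: .*@\([0-9][0-9]*\) .*$/\1/p'
}

make_mirror
revive
```

The trailer is the whole trick: without refs/remotes/git-svn pointing at commits that carry it, git-svn has nothing to rebuild from and would re-import every revision under new commit IDs, which is exactly what would have broken the people who forked the mirror.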

Git-Svn: Will it ever work again?

June 11, 2009

UPDATE: I have created a custom cygwin repository that you can run setup against to get the last working version (1.5.6-1). You can download it from the widget to the right or by clicking here.

Well it seems that I’ve completely hosed myself good. At work I updated my cygwin install and it installed the latest git and subversion packages. Long story short, this completely broke git-svn to the point where I can’t use it. What sucks is that I use git-svn to contribute to CFWheels, which I’m using right now to rewrite some websites. It’s nice to be able to find a bug and fix it then and there and not have to wait until I get home.

Luckily I raced home tonight and saw that my cygwin installation on my home computer wasn’t upgraded, so that means I’m still able to contribute.

What really pissed me off is that this has been broken since version 1.5.6-1 and for over 4 months and hasn’t been fixed yet. I tried to install msysgit at work to see if that would work for me, but it’s a no go since their subversion packages are at 1.4 and GoogleCode is on 1.5.

Even sadder is that msysgit doesn’t seem to want to upgrade their subversion packages anytime soon as the maintainer himself told me here.

With the on going cygwin and msysgit problems, will git-svn ever get fixed?