ACF 2021 Update 13 Breaking Change With Scope Order

This is a heads-up for anyone else who encounters a scope change issue when firing up an ACF 2021 or ACF 2023 server within CommandBox and notices that their scope order is messed up.

Adobe introduced a breaking change in 2021 Update 13 which defaults an application scope variable, searchimplicitscopes, to false. This means any unscoped variables won’t have the usual scopes (url, form, etc.) searched when looking up the value.
Reference:
https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-13.html

Take the following code snippet:

<cfscript>
// A submitted form field named "action"
form.action = "submit";
// Unscoped param: with implicit scope search on, "action" is found in the form
// scope and the default is skipped; with it off, variables.action = "look" is created
param name="action" default="look";

writeDump( action );
</cfscript>

You would expect the output to be “submit”.

However, if you fire this up using ACF 2021 update 13 (or later), the output will be “look”.

Here’s how you fix the issue:
In your Application.cfc file you need to add:
this.searchimplicitscopes = true;

This will make ACF behave like it used to.

Ah - I learned this thanks to Foundeo’s excellent Fixinator.
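As an added example (not code from the original post, Adobe or CommandBox), here is the snippet rewritten so it no longer relies on implicit scope searching, which is the "correct the scope usage" approach the replies below recommend; getRequestParam is a hypothetical helper name.

```cfml
<cfscript>
// Added example, not code from the original post or from Adobe.
// The same snippet rewritten so it behaves the same whether
// this.searchimplicitscopes is true or false.

// getRequestParam (hypothetical helper name): an explicit replacement for
// the implicit form/url search. It reads only the scopes this code actually
// intends to accept input from, in a fixed order, and falls back to a default.
function getRequestParam( required string key, any defaultValue = "" ) {
    if ( structKeyExists( form, arguments.key ) ) {
        return form[ arguments.key ];
    }
    if ( structKeyExists( url, arguments.key ) ) {
        return url[ arguments.key ];
    }
    return arguments.defaultValue;
}

// Constructed input: simulate the submitted form field from the original snippet.
form.action = "submit";

// Before (fragile): an unscoped param. It only sees form.action when the
// implicit search is on; on Update 13+ the default is applied instead.
//   param name="action" default="look";
//   writeDump( action );

// After (explicit): the value is looked up deliberately and stored in a
// named scope, so the result no longer depends on the server setting.
variables.action = getRequestParam( "action", "look" );
writeDump( variables.action );

// Internal state is kept in the variables scope and read with its scope
// name, so a url or form field of the same name cannot shadow it.
variables.pageTitle = "Order form";
writeDump( variables.pageTitle );
</cfscript>
```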

Thanks for the post, and being cool enough to answer yourself. 🙂

1 Like

And while that app-level change is one way to work around the change, there’s also a new JVM-level argument that was added with that update (13 for CF2021, 7 for CF2023), as discussed by Adobe in the technote for those two updates.

And FWIW, I did a blog post with a lot more on this, the day it came out, as I was warning of the breaking change. I also offer some more background and point to other resources (by Pete and others), about why this implicit scope searching that CF’s done forever is a vulnerability.

As such, we should note that those two “solutions” are really workarounds, trading compatibility for security. Adobe opted with this update to trade compatibility for security. More in my post also.

Oh, and Adobe has said (in their technote, and I reiterate in my post) that the JVM arg is NOT expected to be carried into CF2025 and beyond. So really, it’s time to find and fix such code that was relying on implicit scope searching.

That does NOT mean that you “have to scope all your variables” now. It’s only unscoped variables where they’d not be resolved in the scopes that are local to that request. The “implicit search” that’s now blocked by default is indeed looking at things like form, url, cgi, and more.

See my post for more (including how this matter presents/is addressed in Lucee as well):

Yep, 100%. For folks who just need to get up and running, I could see enabling that/those compatibility flags. But the long term approach here is to go through and correct the scope usage throughout the application.