We are pleased to announce that we have released the updates for the following ColdFusion versions:
The following are links to the tech notes for each update:
The releases address security vulnerabilities, which are documented in the bulletin APSB19-14.
In these updates, we have also introduced the following:
- A new application setting, blockedExtForFileUpload, to specify a comma-separated list of file extensions that must be blocked from being uploaded.
- In the ColdFusion Administrator, in Server Settings > Settings, there is an option, Blocked file extensions for CFFile uploads. Specify a comma-separated list of file extensions, which will be blocked from being uploaded by the cffile tag/functions.
- The Admin API method setRuntimeProperty has a new property, BlockedExtForFileUpload. Its value is a comma-separated list of file extensions; files with those extensions are restricted from being uploaded.
For more information, see the tech notes and the tag/function documentation.