This document has been put together to discuss the potentially breaking changes Adobe ColdFusion is making in the most recent ColdFusion updates.

By default, if ColdFusion finds a variable name without a prefix, it used to check the variable in different scopes in a specific order.

Starting with this update, ColdFusion will default to searchimplicitscopes=FALSE and if a variable name is not prefixed with a scope identifier, an error is returned.

What are the scopes that are impacted by the change?

The code below will fail with the exception, Variable TEST is undefined.

Option 1 (Recommended):

Correct your code to fetch variables from the correct scope:

Option 2:

Add JVM flag -Dcoldfusion.searchimplicitscopes=true to the Java arguments

Option 3:
You can update the application.cfm/cfc file and set the searchimplicitscopes key to TRUE

This will override the jvm flag set at the server level.

Option 1 (Recommended):

Correct your code to fetch variables from the correct scope:

Option 2:
You can update the application.cfm/cfc file and set the searchimplicitscopes key to TRUE

This will override the jvm flag set at the server level

Add:

To your application.cfc or application.cfm.

The JVM flag "-Dcoldfusion.searchimplicitscopes=true" will be disabled in future versions of ColdFusion. You must work to update your code.

Only option 1 is a permanent solution.

By default, ColdFusion will now block all protocols, except HTTP and HTTPS when using <iframe src=" "> in the body of cfdocument.

Customers with their own VPS can have the JVM arguments altered to allow other protocols such as FTP.
For example, -Dcoldfusion.iframe.allowedprotocols=ftp would allow the iframe to connect to the FTP protocol

Shared users can only use HTTP and HTTPS with iframe.

Contact our support team, we would be happy to help address any queries