Security Patch: Cross-Session Contamination
The Issue
Under certain circumstances, web property values from one session could leak into another session. This bug does not affect the usability of applications, and regular users would not see these values. Hackers can potentially exploit the behavior, making it a security risk that needs to be addressed. This issue affects DataFlex 19.0 and higher.
The Fix
To fix this issue, we have created updated versions of several source packages of the web framework. For all affected revisions, these files will be made available in a zip file so that developers can manually update their installations. Updated installers will be made available for the DataFlex revisions that are still supported. Note that it is recommended to use the updated installer whenever possible.
DataFlex 2022 20.1
Fixed packages are available in the zip file. These have been tested on the latest release build of 20.1.31.70.
A new installer (20.1.33.77) is available which also contains several other stability improvements. We strongly encourage all developers to use the latest installer.
DataFlex 2021 20.0
Fixed packages are available in the zip file. These have been tested on build 20.0.7.156.
A new installer (20.0.7.159) is available.
DataFlex 2019 19.1
Fixed packages are available in the zip file. These have been tested on build 19.1.58.159.
A new installer (19.1.58.167) is available.
DataFlex 2017 19.0
Fixed packages are available in the zip file. These have been tested on build 19.0.33.4 with WebApp Framework build 19.0.8.55 (in 19.0 this had its own build number).
No new installer will be made available.
Applying the Fix Using the Installer
- Uninstall DataFlex Studio
- Install the updated DataFlex Studio
- Recompile your web applications
- Deploy the updated web applications
- It is recommended to also update the Web Application Server (although not mandatory for 20.0 and 19.1)
Applying the Fix Manually
- Unzip the zip file
- Copy the files for your revision to the Pkg folder of your DataFlex installation
  - Note that cWebApp.pkg contains a version number that needs to match your JavaScript Engine. The supplied package contains the build numbers mentioned above.
- Recompile your system packages
- Run the studio
  - Note that, depending on your installation location, you might need to run the Studio as administrator
- Open a workspace
- Project > Precompile > Precompile system packages
- Recompile your web applications
- Deploy the updated web applications
Note that the packages will only work with the stated base revisions, which are the latest released builds for each revision. If you are currently using a build earlier than the stated base revision and attempt to apply the fix manually, you will see the following:
- When you open a workspace in the Studio, a JavaScript Engine Version Mismatch error will be displayed
- The system packages will not recompile without errors
To address these issues, you must first update to the stated base build. Therefore, we recommend that developers use the newly published installers to apply the fix.