Download DataFlex Studio

Changes in DataFlex 2021/20.0

Unicode and 64-bit

Web Framework

• Dynamic Web Objects
• cWebTagsForm
• cWebGeoLocation
• Security

More

• Connectivity
• WebApp Server
• Studio Dark Theme

Go to the What’s new in DataFlex page, and scroll down to DataFlex 2021/20.0, for a complete overview.

Changes in DataFlex 2019/19.1

Web

• HTTP Request Handler
• Meaningful URL’s and History Management
• Expandable Lists
• Horizontal Scrolling
• Material Design Theme
• Basic Web Applications
• Connectivity

Windows

• Enhanced DPI Awareness
• Improved and Configurable Form Heights

More

• Installer
• Embedded Manifest Files
• Code Cleanup
• DataFlex Reports Examples

Go to the What’s New in DataFlex page, and scroll down to DataFlex 2019/19.0, for a complete overview.

Security Patch: Cross-Session Contamination

The Issue

Under certain circumstances web property values from one session could leak into another session. This bug does not affect the usability of applications and regular users would not see these values. Hackers can potentially exploit the behavior making it a security risk that needs to be addressed. This issue affects DataFlex 19.0 and higher.

The Fix

To fix this issue we have created updated versions of several source packages of the web framework. For all affected revisions, these files will be made available in a zip file so that developers can manually update their installations. Updated installers will be made available for the DataFlex revisions that are still supported. Note that it is recommended to use the updated installer whenever possible.

DataFlex 2022 – 20.1

Fixed packages are available in the zip file. These have been tested on the latest release build of 20.1.31.70.

A new installer (20.1.33.77) is available which also contains several other stability improvements. We strongly encourage all developers to use the latest installer.

DataFlex 2021 – 20.0

Fixed packages are available in the zip file. These have been tested on build 20.0.7.156.

A new installer (20.0.7.159) is available.

DataFlex 2019 – 19.1

Fixed packages are available in the zip file. These have been tested on build 19.1.58.159.

A new installer (19.1.58.167) is available.

DataFlex 2017 – 19.0

Fixed packages are available in the zip file. These have been tested on build 19.0.33.4 with WebApp Framework build 19.0.8.55 (in 19.0 this had its own build number).

No new installer will be made available.

Applying the Fix Using the Installer

• Uninstall DataFlex Studio
• Install the updated DataFlex Studio
• Recompile your web applications
• Deploy the updated web applications
  • It is recommended to also update the Web Application Server (although not mandatory for 20.0 and 19.1)

Applying the Fix Manually

• Unzip the zip file
• Copy the files for your revision to the Pkg folder of your DataFlex installation
  • Note that cWebApp.pkg contains a version number that needs to match your JavaScript Engine. The supplied package contains the build numbers mentioned above.
• Recompile your system packages
  • Run the studio
    • Note that depending on your installation location you might need to run the studio as administrator
  • Open a workspace
  • Project > Precompile > Precompile system packages
• Recompile your web applications
• Deploy the updated web applications

Note that the packages will only work with the stated base revisions, which are the latest released builds for each revision. If you are currently using a build earlier than the stated base revision and attempt to apply the fix manually, you will see the following:

• When you open a workspace in the Studio, the JavaScript Engine Version Mismatch error will be displayed
• The system packages will not recompile without errors

To address these issues, you must update. Therefore, we recommend that developers use the newly published installers to apply the fix.

Critical Information

You must have a modern browser (Microsoft Internet Explorer 11, Edge, Chrome, FireFox, etc.) and the Microsoft Internet Information Services (IIS) installed on your machine to enable all the capabilities of DataFlex 2017.

This is an updated release of DataFlex 2017 - 19.0. The original release was revision 19.0.30.8 (released in August 2017).

If you already have an earlier release of DataFlex 2017 - 19.0 installed you must uninstall build 19.0.30.8 and then install build 19.0.33.4. 

Recently, two issues were brought to our attention that we have addressed with in-line updates to DataFlex 18.x. Other than the information below, there are no changes to these releases.

1. Windows 10 Creators Update Bug

As part of the Windows 10 Creators Update, Microsoft introduced an operating system bug that halts program execution when using the GetWindowLong function to retrieve information from a window that is not processing its message queue. This bug is not DataFlex specific, it was reported to Microsoft using test programs written in C.

Microsoft has acknowledged this bug and has stated their intention to address it in a future Windows 10 update. To respond to this issue in the shortest possible time for the benefit of our developers, we have created a work around in DataFlex for this operating system bug. We eliminated the use of the GetWindowLong call during initialization as it was a legacy technique to look for other DataFlex instances that is no longer used. This workaround is implemented in the DataFlex Virtual Machine (runtime) component (vdfvm18.dll).

2. Web Services Updates

DataFlex developer Raphael Theiler identified the potential for External XML Entity Injections (XXE) and exponential entity expansions to be exploited in DataFlex Web Services. We confirmed his findings and have addressed both vulnerabilities in an update to our Web Services engine.

During the same time period, we discovered that sending HTTP POST requests without a body to a JSON web service could cause a crash and have hardened Web Application Server against that scenario. There are three changes in the update to the DataFlex Web Application Server Web Service Endpoint (waswsvc.dll) to address these issues.

• Fix for XXE vulnerability of web services parser
• Fix for exponential entity expansion vulnerability of web services parser
• Fixed a bug where HTTP POST requests without a body to a JSON Web Service would cause a crash

Updates are available now...

The new components have been published for DataFlex 18.2 (original release date of July 2016).

As an alternative, a ZIP file (DataFlex18.2Update.zip) that contains the two changed components that can be applied to existing installations.

Critical Information - This build includes Security Updates for Web Services, a workaround for Microsoft GetWindowLong Bug in the Windows 10 Creators Update and the 6.1.0.32 SQL Drivers• Fix for XXE vulnerability of web services parser.

• Fix for exponential entity expansion vulnerability of web services parser.

• Fixed a bug where HTTP POST requests without a body to a JSON Web Service would cause a crash.

• Workaround for Microsoft bug in Windows 10 Creators Update that causes the progrem to hand when using the GetWindowLong call on a window that is not processing its message queue.

• Includes the 6.1.0.32 SQL Drivers with the following fixes:

• Setting the value of a SQL_TIME column, could cause memory overwrite. This was side effect of earlier fix in 6.1.0.30 A masked time value of 00:00:00 would be passed as " : : ", causing a “Time contains an invalid value” error. This will now be handled as time value 00:00:00

  • Setting the DD value of a text column, for example could cause memory error if the value was the same as the value already in the column and an ansi/oem conversion was done.
  • Moving data to a df_ascii/sql_varchar column, where the data was larger than the field length, could cause a memory error.
  • Oracle columns created as type INTEGER returned an incorrect length.
  • On a standard table with an identity column (df_file_identity = true), when inserting or deleting a column BEFORE the identity column, the identity would not be adjusted. This caused identity insert error during restructure.

You must have Microsoft Internet Explorer 8 (or higher) and the Microsoft Internet Information Services (IIS) installed on your machine to enable all the capabilities of DataFlex 2016.

Important Information for Existing DataFlex Users:

1. DataFlex 2016 - 18.2 uses different DLL component naming and/or a completely separate registry branch from DataFlex 18.1 (and earlier). You may install and use DataFlex 2016 - 18.2 on the same machine as DataFlex 18.1 (and earlier) without interference.

2. The WebApp Server components of DataFlex 2016 - 18.2 can coexist with previous revisions of the WebApp Server on the same machine without interference.

3. Some of the changes that you have made in your DataFlex 18.1 development environment (registry settings that control utilities, editor customizations, etc.) will be automatically detected or used by DataFlex 2016 - 18.2. For those that are not imported, you will need to duplicate those changes manually. There are utilities that can assist you in migrating existing workspaces.

Recently, two issues were brought to our attention that we have addressed with in-line updates to DataFlex 18.x. Other than the information below, there are no changes to these releases. 

1. Windows 10 Creators Update Bug

As part of the Windows 10 Creators Update, Microsoft introduced an operating system bug that halts program execution when using the GetWindowLong function to retrieve information from a window that is not processing its message queue. This bug is not DataFlex specific, it was reported to Microsoft using test programs written in C.

Microsoft has acknowledged this bug and has stated their intention to address it in a future Windows 10 update. To respond to this issue in the shortest possible time for the benefit of our developers, we have created a work around in DataFlex for this operating system bug. We eliminated the use of the GetWindowLong call during initialization as it was a legacy technique to look for other DataFlex instances that is no longer used. This workaround is implemented in the DataFlex Virtual Machine (runtime) component (vdfvm18.dll).

2. Web Services Updates

DataFlex developer Raphael Theiler identified the potential for External XML Entity Injections (XXE) and exponential entity expansions to be exploited in DataFlex Web Services. We confirmed his findings and have addressed both vulnerabilities in an update to our Web Services engine.

During the same time period, we discovered that sending HTTP POST requests without a body to a JSON web service could cause a crash and have hardened Web Application Server against that scenario.
There are three changes in the update to the DataFlex Web Application Server Web Service Endpoint (waswsvc.dll) to address these issues.

• Fix for XXE vulnerability of web services parser
• Fix for exponential entity expansion vulnerability of web services parser
• Fixed a bug where HTTP POST requests without a body to a JSON Web Service would cause a crash

Updates are available now...

The new components have been published for DataFlex 18.1 (original release date of July 2015) as ZIP file. The ZIP file (DataFlex18.1Update.Zip) contains the two changed components that can be applied to existing installations.

Data Access Worldwide Recommends...

We recommend updating to the latest SQL drivers at the same time. You can obtain the SQL Driver update at: https://www.dataaccess.eu/resources/downloads/download-category/download-subcategory-842?dagapsg=80

Critical Information

You must have Microsoft Internet Explorer 8 (or higher) and the Microsoft Internet Information Services (IIS) installed on your machine to enable all the capabilities of DataFlex 2015.

Important Information for Existing DataFlex Users:

1. DataFlex 2015 - 18.1 uses different DLL component naming and/or a completely separate registry branch from DataFlex 18.0 (and earlier). You may install and use DataFlex 2015 - 18.1 on the same machine as DataFlex 18.0 (and earlier) without interference.

2. The WebApp Server components of DataFlex 2015 - 18.1 can coexist with previous revisions of the WebApp Server on the same machine without interference.

3. Some of the changes that you have made in your DataFlex 18.0 development environment (registry settings that control utilities, editor customizations, etc.) will be automatically detected or used by DataFlex 2015 - 18.1. For those that are not imported, you will need to duplicate those changes manually. There are utilities that can assist you in migrating existing workspaces.

Recently, two issues were brought to our attention that we have addressed with in-line updates to DataFlex 18.x. Other than the information below, there are no changes to these releases. 

1. Windows 10 Creators Update Bug

As part of the Windows 10 Creators Update, Microsoft introduced an operating system bug that halts program execution when using the GetWindowLong function to retrieve information from a window that is not processing its message queue. This bug is not DataFlex specific, it was reported to Microsoft using test programs written in C.

Microsoft has acknowledged this bug and has stated their intention to address it in a future Windows 10 update. To respond to this issue in the shortest possible time for the benefit of our developers, we have created a work around in DataFlex for this operating system bug. We eliminated the use of the GetWindowLong call during initialization as it was a legacy technique to look for other DataFlex instances that is no longer used. This workaround is implemented in the DataFlex Virtual Machine (runtime) component (vdfvm18.dll).

2. Web Services Updates

DataFlex developer Raphael Theiler identified the potential for External XML Entity Injections (XXE) and exponential entity expansions to be exploited in DataFlex Web Services. We confirmed his findings and have addressed both vulnerabilities in an update to our Web Services engine.

During the same time period, we discovered that sending HTTP POST requests without a body to a JSON web service could cause a crash and have hardened Web Application Server against that scenario.
There are three changes in the update to the DataFlex Web Application Server Web Service Endpoint (waswsvc.dll) to address these issues.

• Fix for XXE vulnerability of web services parser
• Fix for exponential entity expansion vulnerability of web services parser
• Fixed a bug where HTTP POST requests without a body to a JSON Web Service would cause a crash

Updates are available now...

The new components have been published for DataFlex 18.0 (original release date of August 2014) as ZIP file. The ZIP file (DataFlex18.0Update.Zip) contains the two changed components that can be applied to existing installations.

Data Access Worldwide Recommends...

We recommend updating to the latest SQL drivers at the same time. You can obtain the SQL Driver update at: https://www.dataaccess.eu/resources/downloads/download-category/download-subcategory-842?dagapsg=80