Download DataFlex Web Application Server

Release date: October 16, 2024

New in this release DataFlex Web Application Server 23.0.64.105

• Fixed Leaking handles in WebApp Server in the process pool logic.
• Fixed a Security issue in the DataFlex WebApp Framework.
• (DF24.0) Fixed a SPLF license check issue causing one WebApp less to be allowed than the license permits.

Changes in DataFlex 2023/23.0

WebApp Framework

• A Security patch was included that fixes potential data leakage in the cWebCombo and cWebParentCombo.
• Note that if you use one of these controls in data-aware mode with pbEnabled, pbVisible, or pbRender at Design Time on False, you might need to send a Refill.

Runtime

• Round function used in expression causes decimal loss.

Documentation

• ClassRef: broken links that refer to old Codejock cCJxxxReportxxx classes instead of cCJxxxGridxxx (the new names).
•  ClassRef: SQLSetParameter shows wrong syntax for parameters.
•  Language Reference: Round and Mod functions changed to show that they return LongPtr.

For a full list of changes visit the online docs.

Updates in this release:

• Set_Attribute DF_FILE_USE_DUMMY_ZERO_DATE caused memory violation.
•  SQL drivers crashed after long error from backend.
• There was a memory overwrite in error handling when the backend returned long error text (> 500) in all SQL drivers.
•  Embedded SQL Setting SQLSTMTATTRIB_CURSOR_TYPE broken in DF20.x.
• This was a 64-bit issue where the cursor would not change type when using Send SQLSetStmtAttribute of hstmt SQLSTMTATTRIB_CURSOR_TYPE SQL_CURSOR_STATIC.
•  WString null terminator issue:
• After Including Windows.pkg a following of Repeat on a WString and AddressOf causes an access violation.
•  Uppercase crashes on invalid strings.
•  Memory violation on large strings in replaces().
•  Pressing Enter in cWebSuggestionForm with cWebList does not trigger OnRowClick.
•  Adding a WebColumnCheckbox to a cWebGrid breaks focus rotation.
•  WebAppServer sometimes get stuck when start / stopping processes.
•  WebServices XmlHandle bug:
• When returning custom xml from a web-service by returning an XmlHandle, it sometimes adds garbage to the response.
•  Scalar variable SQL restructure error.
• Fixed issue where a Find after Fill_Field DF_LOW/DF_HIGH would in some circumstances find wrong record.
•  cWebDynamicObjectContainer forgets the order of child objects (columns).
• GPF in SortArray on non-initialized members in string array
•  Append behavior change between 19.x and 20.x:
• when the first argument of append is an integer instead of a string, it performs a numeric append (addition) instead of a string concatenation.
•  Finds on indexes having NULL not working correct.
• The generated WHERE clause was not correct when there were NULL values in an index segment.
•  ReadLn does not read more than 65535 characters.
• A Security patch was included that fixes potential data leakage in the cWebCombo and cWebParentCombo

For a full list of changes visit the online docs.

DataFlex WebApp Server

The DataFlex WebApp Server needs to be installed on an IIS web server, to run DataFlex web applications as well as web services. The server installer supports a command line interface that describes what components to install, what installation path to use etc.

Licensing

The DataFlex WebApp Server can be licensed as a "per application" counted server, or as a web client license, whereby the license is charged for a number of Named users.

DataFlex WebApp Server

The DataFlex WebApp Server needs to be installed on an IIS web server, to run DataFlex web applications as well as web services. The server installer supports a command line interface that describes what components to install, what installation path to use etc.

Licensing

The DataFlex WebApp Server can be licensed as a "per application" counted server, or as a web client license, whereby the license is charged for a number of Named users.

DataFlex 19.1.58 is an updated release that contains bug fixes for important issues reported by the development community. Most of these issues were new to DataFlex 19.1. The updates are available as complete new installations (including the Studio, Server and Client installations) and are meant to replace the previous release builds (DataFlex 19.1.56). For detailed information about the update see this document.

DataFlex WebApp Server

The DataFlex WebApp Server needs to be installed on an IIS web server, to run DataFlex web applications as well as web services. The server installer supports a command line interface that describes what components to install, what installation path to use etc.

Licensing

The DataFlex WebApp Server can be licensed as a "per application" counted server, or as a web client license, whereby the license is charged for a number of Named users.

DataFlex WebApp Server

The DataFlex WebApp Server needs to be installed on an IIS web server, to run DataFlex web applications as well as web services. 

Licensing

The DataFlex WebApp Server can be licensed as a "per application" counted server, or as a web client license, whereby the license is charged for a number of Named users.

Recently, two issues were brought to our attention that we have addressed with in-line updates to DataFlex 18.x. Other than the information below, there are no changes to these releases. 

1. Windows 10 Creators Update Bug

As part of the Windows 10 Creators Update, Microsoft introduced an operating system bug that halts program execution when using the GetWindowLong function to retrieve information from a window that is not processing its message queue. This bug is not DataFlex specific, it was reported to Microsoft using test programs written in C.

Microsoft has acknowledged this bug and has stated their intention to address it in a future Windows 10 update. To respond to this issue in the shortest possible time for the benefit of our developers, we have created a work around in DataFlex for this operating system bug. We eliminated the use of the GetWindowLong call during initialization as it was a legacy technique to look for other DataFlex instances that is no longer used. This workaround is implemented in the DataFlex Virtual Machine (runtime) component (vdfvm18.dll).

2. Web Services Updates

DataFlex developer Raphael Theiler identified the potential for External XML Entity Injections (XXE) and exponential entity expansions to be exploited in DataFlex Web Services. We confirmed his findings and have addressed both vulnerabilities in an update to our Web Services engine.

During the same time period, we discovered that sending HTTP POST requests without a body to a JSON web service could cause a crash and have hardened Web Application Server against that scenario.
There are three changes in the update to the DataFlex Web Application Server Web Service Endpoint (waswsvc.dll) to address these issues.

• Fix for XXE vulnerability of web services parser
• Fix for exponential entity expansion vulnerability of web services parser
• Fixed a bug where HTTP POST requests without a body to a JSON Web Service would cause a crash

Updates are available now...

The new components have been published for DataFlex 18.2 (original release date of July 2016).

As an alternative, a ZIP file (DataFlex18.2Update.zip) that contains the two changed components that can be applied to existing installations.

Data Access Worldwide Recommends...

For DataFlex 2016/18.2, we recommend uninstalling version 18.2.68.9 and then installing the updated DataFlex 18.2.71.1. If you elect to update your environments with the DataFlex18.2Update.zip file, follow the instructions included in the ZIP.

The updated DataFlex 18.2.71.1 installations also contain the latest SQL Drivers (6.1.0.32) and related documentation. If you apply the virtual machine and web services updates manually with the DataFlex18.2Update.zip file, we recommend updating to the latest SQL drivers at the same time. You can obtain the SQL Driver update at: https://www.dataaccess.eu/resources/downloads/download-category/download-subcategory-842?dagapsg=80

DataFlex WebApp Server

The DataFlex WebApp Server needs to be installed on an IIS web server, to run DataFlex web applications as well as web services. 

Licensing

The DataFlex WebApp Server can be licensed as a "per application" counted server, or as a web client license, whereby the license is charged for a number of Named users.

Recently, two issues were brought to our attention that we have addressed with in-line updates to DataFlex 18.x. Other than the information below, there are no changes to these releases. 

1. Windows 10 Creators Update Bug

As part of the Windows 10 Creators Update, Microsoft introduced an operating system bug that halts program execution when using the GetWindowLong function to retrieve information from a window that is not processing its message queue. This bug is not DataFlex specific, it was reported to Microsoft using test programs written in C.

Microsoft has acknowledged this bug and has stated their intention to address it in a future Windows 10 update. To respond to this issue in the shortest possible time for the benefit of our developers, we have created a work around in DataFlex for this operating system bug. We eliminated the use of the GetWindowLong call during initialization as it was a legacy technique to look for other DataFlex instances that is no longer used. This workaround is implemented in the DataFlex Virtual Machine (runtime) component (vdfvm18.dll).

2. Web Services Updates

DataFlex developer Raphael Theiler identified the potential for External XML Entity Injections (XXE) and exponential entity expansions to be exploited in DataFlex Web Services. We confirmed his findings and have addressed both vulnerabilities in an update to our Web Services engine.

During the same time period, we discovered that sending HTTP POST requests without a body to a JSON web service could cause a crash and have hardened Web Application Server against that scenario.
There are three changes in the update to the DataFlex Web Application Server Web Service Endpoint (waswsvc.dll) to address these issues.

• Fix for XXE vulnerability of web services parser
• Fix for exponential entity expansion vulnerability of web services parser
• Fixed a bug where HTTP POST requests without a body to a JSON Web Service would cause a crash

Updates are available now...

The new components have been published for DataFlex 18.1 (original release date of July 2015) as ZIP file. The ZIP file (DataFlex18.1Update.Zip) contains the two changed components that can be applied to existing installations.

Data Access Worldwide Recommends...

We recommend updating to the latest SQL drivers at the same time. You can obtain the SQL Driver update at: https://www.dataaccess.eu/resources/downloads/download-category/download-subcategory-842?dagapsg=80