11 Sep 2023
Dom Watson

Bug fix release: 10.24.16 with patches to 10.18

Today we made a hotfix release with a number of important patches. The following article describes them in more detail.

All of the following fixes/changes are available in the latest hotfixes from 10.18 onwards.

PRESIDECMS-2702 Autogen filters: enum property text matches fails in some way when used in conjunction with other filters

Michael Hnat raised an issue with the enum property text matches filter that, in his case, produced an over-generous filter match and resulted in many emails being sent to the wrong recipients. This patch fixes the issue with no further action required on your behalf. You may be silently suffering from this bug, so please upgrade as soon as possible.

PRESIDECMS-2701 No ability to set query timeouts

Amazingly, Preside has survived to date without the ability to set any query timeouts. Historically this was a deliberate choice, owing to Lucee's handling of timeouts and their advice that "most db drivers do not natively support them". However, recent testing showed us that the latest MySQL and MariaDB drivers handle timeouts perfectly, and being able to use them in our applications is an important stability boon.

By default, upgrading to this version of Preside will NOT set any timeouts. You may optionally set timeouts with the following environment variables, or with settings in your Config.cfc:

# env variables
QUERY_TIMEOUT=10
BACKGROUND_QUERY_TIMEOUT=30

# Config.cfc
settings.queryTimeout.default = 10;
settings.queryTimeout.backgroundThreadDefault = 30;

We have made two separate settings so that background threads can use longer or different timeouts, should you have particularly slow tasks that do not block user requests.

In addition, you can now pass a timeout argument to selectData(), updateData(), etc.

PRESIDECMS-2700 CSRF Tokens: allow option to only use when session exists

We have added the ability to turn OFF CSRF protection for unauthenticated requests. By default, CSRF protection remains unchanged and stays in place wherever you have enabled it. However, you may wish to turn off protection on unauthenticated requests to help with performance, particularly the caching of anonymous responses. Read this excellent article on the trade-offs here: https://www.section.io/blog/csrf-and-caching/.

This can be configured with:

# env variables
CSRF_AUTHENTICATED_ONLY=true

# Config.cfc
settings.csrf.authenticatedSessionsOnly = true;
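To make the trade-off concrete, here is a small Python model of the two policies, added as an illustration rather than Preside's own code; the function names, the session dictionary layout and the cache lifetimes are assumptions:

```python
import hmac
import secrets
from typing import Optional

# Constructed model of the setting described above (not Preside code).
# authenticated_only=False: every state-changing request must carry a valid token.
# authenticated_only=True:  only requests with a logged-in session are checked, so
#   anonymous pages need not embed a per-session token and can be served from a
#   shared cache.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session: dict) -> str:
    """Create (or reuse) the per-session CSRF token held server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_check(method: str, session: Optional[dict], submitted: Optional[str],
               authenticated_only: bool) -> bool:
    """Return True when the request satisfies the configured CSRF policy."""
    if method in SAFE_METHODS:
        return True  # only state-changing verbs are protected
    logged_in = bool(session and session.get("user_id"))
    if authenticated_only and not logged_in:
        return True  # nothing user-specific to forge; skip the check
    expected = session.get("csrf_token") if session else None
    if not expected or not submitted:
        return False  # token missing on either side
    # constant-time comparison avoids leaking the token through timing
    return hmac.compare_digest(expected, submitted)


def cache_control(session: Optional[dict], authenticated_only: bool) -> str:
    """Cache header for a rendered page: a page that embeds a per-session token
    must never be shared between visitors, so only token-free anonymous pages
    are marked public."""
    logged_in = bool(session and session.get("user_id"))
    if authenticated_only and not logged_in:
        return "public, max-age=300"
    return "private, no-store"
```

With the option on, anonymous POSTs pass without a token and anonymous pages become cacheable; with it off, every non-safe request still needs the session-bound token and every response stays private.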