Add Configuration to Control Direct Bytecode Execution in Lucee

Description

To enhance configuration flexibility, we are adding a setting that controls whether Lucee is permitted to execute precompiled bytecode files (.cfm) directly. By default, Lucee will allow direct execution of bytecode; however, this new setting provides administrators with the option to disable this feature if preferred.

Implementation Details

A new system property and environment variable, lucee.compiler.block.bytecode (or LUCEE_COMPILER_BLOCK_BYTECODE for environment variables), will allow direct bytecode execution to be toggled on or off.

Example Configuration:

To block direct bytecode execution, set:
- System property: -Dlucee.compiler.block.bytecode=true
- Environment variable: LUCEE_COMPILER_BLOCK_BYTECODE=true

Error Handling: If the setting is enabled and direct bytecode execution is attempted, Lucee will throw a TemplateException with a message that includes guidance on how to adjust the configuration. The exception will read:

"Bytecode execution is disabled by environment configuration. Lucee is configured to prevent the execution of precompiled bytecode files (.cfm) directly. To enable bytecode execution, set the system property -Dlucee.compiler.block.bytecode=false or the environment variable LUCEE_COMPILER_BLOCK_BYTECODE=false."

Motivation

This update supports environments where control over bytecode execution is a priority, offering administrators enhanced configurability to tailor execution behavior as needed.

Linked issues

relates to

LDEV-5485

enable LUCEE_COMPILER_BLOCK_BYTECODE by default in lucee 7

LDEV-1664

update cf module in folder caused error: class redefinition failed: attempted to change the class modifiers

Activity

Show:

Michael Offner 7 April 2025 at 19:57

Lucee 5.4 https://github.com/lucee/Lucee/commit/ddb6fcf82f8ffa081c9df3af617180631a4b1995

Pothys - MitrahSoft 8 November 2024 at 11:52

I have investigated this ticket using Lucee version 6.2.0.155-SNAPSHOT. When I try to execute the precompiled bytecode (.cfm) file after setting -Dlucee.compiler.block.bytecode=true and LUCEE_COMPILER_BLOCK_BYTECODE=true in the environment variables, it shows an exception message. However, it works fine as expected.

Michael Offner 6 November 2024 at 11:02

documentation for the new setting
https://github.com/lucee/lucee-docs/commit/1f68d2f67e72e63e97c7ba6898e0c442fc4e0215

Michael Offner 6 November 2024 at 10:56

Lucee 6.1 https://github.com/lucee/Lucee/commit/13a3b3304f9ce5fa082363ebb8e0363de2911b48

Lucee 6.2 https://github.com/lucee/Lucee/commit/fdff6b6a534efdd57ce74902c4d1bafd183a2770

Lucee 6.0 https://github.com/lucee/Lucee/commit/d970ec0c9b8d4712c8169cd02f1e555e09f6cff3

Fixed

Details
Assignee
Pothys - MitrahSoft
Reporter
Michael Offner
Labels
bytecode
New Issue warning screen
Before you create a new Issue, please post to the mailing list first https://dev.lucee.org
Once the issue has been verified, one of the Lucee team will ask you to file an issue
Sprint
None
Fix versions
6.0.4.15
6.1.1.114
6.2.0.154
Priority
New

Created 6 November 2024 at 10:51

Updated last week

Resolved 8 November 2024 at 11:52