Lucee Development: LDEV-1177

ScriptProtect off + stray dot in URL parameters = NullPointerException (simple test case provided)

    Details

    • Type: Bug
    • Status: Deployed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.1.0.34
    • Fix Version/s: 5.2.4.21
    • Labels: None
    • Environment: Confirmed on instances running on Ubuntu Server and macOS
    • Sprint: August 2017 Sprint

      Description

      Test case:

      Ensure scriptProtect is ON in Lucee Administrator. (This is the default.)

      Application.cfc

      <cfcomponent>
      	<cfset this.scriptProtect="none">
      </cfcomponent>
      

      http://server.name/test-case/index.cfm?.
      (Note the trailing period. Index.cfm doesn't need to exist as the bug is triggered within Application.cfc.)

      Exception:

      lucee.runtime.exp.NativeException: java.lang.NullPointerException
      	at lucee.commons.lang.StringList$Entry.access$200(StringList.java:125)
      	at lucee.commons.lang.StringList.next(StringList.java:80)
      	at lucee.runtime.type.scope.ScopeSupport.fillDecoded(ScopeSupport.java:184)
      	at lucee.runtime.type.scope.ScopeSupport.fillDecodedEL(ScopeSupport.java:151)
      	at lucee.runtime.type.scope.URLImpl.setScriptProtecting(URLImpl.java:116)
      	at lucee.runtime.PageContextImpl.setApplicationContext(PageContextImpl.java:2875)
      	at lucee.runtime.listener.ModernAppListener.initApplicationContext(ModernAppListener.java:442)
      	at lucee.runtime.listener.ModernAppListener._onRequest(ModernAppListener.java:116)
      	at lucee.runtime.listener.MixedAppListener.onRequest(MixedAppListener.java:43)
      	at lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2293)
      	at lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2284)
      	at lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2252)
      	at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:891)
      	at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:102)
      	at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:62)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
      	at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
      	at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
      	at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:394)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
      	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:676)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:745)
      

      Observations

      This bug only seems to manifest if scriptProtect is on in the server settings and then turned off in the application, or if it is off in the settings and then turned on in the application. This behavior appears to correspond with the relevant line of code (URLImpl.java#L116), which runs if the scope's script protection mode is changed.

      I can't quite tell exactly where the underlying bug is, but I suspect it will be clear to someone familiar with this code.

      Looking at the adjacent lines, ScopeSupport.java#L179, which calls listToStringListRemoveEmpty(name,'.'), seems more than a coincidence. Is this a mechanism to ignore periods in variable names? This line is effectively unchanged since the first commit of Railo.

      On a side note, I noticed a variable spelling error which I don't think is causing this particular problem but probably could be resolved. The misspelling is "scriptProteced", which should be "scriptProtected". It occurs in two source files; a simple text string search will find them.

      Thanks
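The parsing path the report points at, modelled in Python as an added example (this is not Lucee's Java code, and not the change that closed the ticket). A decoder that splits each parameter name on '.' and drops empty segments, the way listToStringListRemoveEmpty(name,'.') is assumed to behave from the reporter's reading of ScopeSupport.java, is left with an empty segment list for a name made only of dots, and the first call to next() on that list fails in the same shape as the NullPointerException in the trace. A second decoder stores such a name verbatim instead of walking it. The nested-struct behaviour for dotted names, the function names, and the sample query strings are all assumptions constructed for the example.

```python
from urllib.parse import parse_qsl

# Constructed sample query strings; "stray_dot" is the ticket's trigger
# (index.cfm?.), the others bracket the behaviour around it.
SAMPLES = {
    "plain":         "a=1&b=2",
    "dotted":        "user.name=alice&user.id=7",
    "double_dot":    "a..b=1",
    "stray_dot":     ".",
    "stray_dot_val": ".=x",
    "only_dots":     "...=y",
}


def split_name(name):
    """Split a parameter name on '.' and drop empty segments.

    Assumed model of listToStringListRemoveEmpty(name, '.') as the
    reporter reads it; Lucee's real method may differ in detail.
    """
    return [seg for seg in name.split(".") if seg]


def _store(scope, segments, value):
    """Walk the segment list, creating nested dicts for a.b.c style names.

    That dotted names build nested structures is an assumption for this
    example, not a documented Lucee guarantee. A scalar already sitting
    at an inner position is replaced by a dict so the walk can continue.
    """
    node = scope
    for seg in segments[:-1]:
        child = node.get(seg)
        if not isinstance(child, dict):
            child = node[seg] = {}
        node = child
    node[segments[-1]] = value


def decode_naive(query):
    """Decoder that assumes every name yields at least one segment.

    For a name made only of dots, split_name() returns [] and the first
    next() raises StopIteration: the Python shape of the NPE in the
    trace, where StringList.next() is called on an entry that is absent.
    """
    scope = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        it = iter(split_name(name))
        head = next(it)                  # fails for "." and "..."
        _store(scope, [head, *it], value)
    return scope


def decode_hardened(query):
    """Same decoder, but a name with no usable segment is stored under its
    raw text instead of being walked, so "?." decodes instead of failing.
    This guard is illustrative, not the fix shipped in 5.2.4.21.
    """
    scope = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        segments = split_name(name)
        if not segments:
            scope[name] = value
            continue
        _store(scope, segments, value)
    return scope


def run_samples(decoder):
    """Run a decoder over SAMPLES, recording each result or exception name."""
    out = {}
    for label, query in SAMPLES.items():
        try:
            out[label] = decoder(query)
        except Exception as exc:  # record any failure rather than abort
            out[label] = type(exc).__name__
    return out


if __name__ == "__main__":
    for tag, decoder in (("naive", decode_naive), ("hardened", decode_hardened)):
        for label, result in run_samples(decoder).items():
            print(f"{tag:9}{label:14}{result}")
```

Running the module prints both decoders over the samples: the naive one reports StopIteration for "stray_dot" and "only_dots" while decoding the dotted names into nested dicts, and the hardened one returns a value for every sample. The point for anyone triaging a similar report is that an unauthenticated request with a degenerate parameter name reaches the decoder before index.cfm is ever looked up, so the guard belongs at the point where the segment list is consumed, not in the page.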

      People

      • Assignee: Igal Sapir (21solutions)
      • Reporter: Simon Wright (simondotau)