Affects Version/s: 220.127.116.11
Fix Version/s: 18.104.22.168
Confirmed on instances running on Ubuntu Server and macOS
Sprint:August 2017 Sprint
Ensure scriptProtect is ON in Lucee Administrator. (This is the default.)
(Note the trailing period. Index.cfm doesn't need to exist as the bug is triggered within Application.cfc.)
This bug only seems to manifest if scriptProtect is on in server settings then turned off in the application. Or if it is off in settings then turned on in the application. This behavior appears to correspond with the relevant line of code (URLImpl.java#L116) which runs if the scope's script protection mode is changed.
I can't quite tell exactly where the underlying bug is, but I suspect it will be clear to someone familiar with this code.
Looking at the adjacent lines, ScopeSupport.java#L179 which calls listToStringListRemoveEmpty(name,'.') seems more than a coincidence. Is this a mechanism to ignore periods in variable names? This line is effectively unchanged since the first commit of Railo.
On a side note I noticed a variable spelling error which I don't think is causing this particular problem but probably could be resolved. The misspelling is "scriptProteced" which should be "scriptProtected". Occurs in two source files, a simple text string search will find them.