URL param: test.cfm?v...%3C/cite%3E%3Cdiv generates a struct

Description

Given the following request:

test.cfm?v...%3C/cite%3E%3Cdiv generates a struct

The URL parameter "v" evaluates to a struct, not a string. The struct looks like this:

and the entire URL structure looks like this:

Environment

Windows 7 x64

Activity

Pothys - MitrahSoft
November 17, 2017, 10:27 AM

I've analyzed this ticket and confirmed the issue happens on Lucee. Lucee adds the decoded URL string into a structure, as in the image above. In ACF, it throws as an empty string.

Michael Offner
November 17, 2017, 2:24 PM

It is a long story why this is happening.
I will try to make it as short as possible. It was explained in great detail in the Lucee Forum.
ACF has an interpreter for keys, so you can do things like this in ACF.

This works in ACF even if there is no variable "susi.sorglos" or "request.susi".
It works because ACF parses keys at runtime and tries to make a match.
In our opinion this is not only confusing it also is VERY SLOW.
So we decided not to support it.

Not supporting it had the consequence that variables passed in the query string are then not interpreted in Lucee as they are in ACF.
So we decided to accept the "." in variables passed in the url/form as a struct construct, which improved a lot of existing code written for ACF, but it can also cause problems like in your case.

We cannot change that behaviour without breaking a lot of existing code, and we don't want to, to be honest.

So what can you do? Properly urlencode stuff you pass in the URL; that will solve the issue.

JP
November 17, 2017, 3:10 PM

I’m reporting this because doing a simple test for if (url.v != "") generates an exception. Of course I am properly encoding url variables, but this value was likely injected maliciously. I am concerned 1) the assumption that all url values are strings is false, and 2) malicious requests can generate data structures that could cause unintended security issues.

JP
November 17, 2017, 5:41 PM

Since it's impossible to prevent malicious values appearing in URL or Form variables, why isn't this considered a security threat? Is it feasible for the Lucee engine to ensure that variables defined in publicly accessible scopes (URL, Form, Cookie) are simple values? Isn't this what every developer is expecting?

And wouldn't it be possible to bring a site down to its knees by maliciously crawling it and replacing all URL parameters with something that will generate complex objects? I'm guessing that most pages that use the URL scope will throw exceptions.

JP
December 1, 2017, 9:39 PM

Can someone please re-evaluate this? My app is generating tons of request errors due to this behavior from what seems to be malicious requests. It seems odd to me that this is a known issue and is intentionally left in place without any protection given to the URL or Form scopes. Each variable in those scopes should ALWAYS be a string, and it should be up to the application to interpret those STRINGS as something else if needed.

If this is left in place, any CF code that executes:

will throw an exception when a param value is formatted this way. To me, this is unacceptable. If you can tell that I'm more than annoyed by this, you are correct!
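
Since the behaviour stays in place, an application can enforce the "URL and Form values are simple values" expectation itself by rejecting any request whose URL or Form scope contains a non-simple value before page code runs. The following Application.cfc is an added example, not code from this ticket or from the Lucee project; the application name and the helper `findComplexKeys` are hypothetical.

```cfml
// Application.cfc (added example; names are illustrative, not from the ticket)
component {

    this.name = "simpleScopeGuardExample"; // hypothetical application name

    // Return the top-level keys of a scope whose value is not a simple value
    // (string, number, boolean, date), e.g. a struct that the engine built
    // from a parameter name containing ".".
    private array function findComplexKeys(required struct scope) {
        var offending = [];
        for (var key in arguments.scope) {
            if (!isSimpleValue(arguments.scope[key])) {
                // Keys are attacker-controlled: keep only safe characters
                // so they cannot inject line breaks into the log.
                arrayAppend(offending, reReplace(key, "[^\w.\-]", "_", "all"));
            }
        }
        return offending;
    }

    public boolean function onRequestStart(required string targetPage) {
        var scopes = { "url": url, "form": form };
        for (var scopeName in scopes) {
            var bad = findComplexKeys(scopes[scopeName]);
            if (arrayLen(bad)) {
                // Record the rejection so bursts of such requests are visible.
                writeLog(
                    type = "warning",
                    file = "application",
                    text = "Rejected request to #arguments.targetPage#: non-simple #scopeName# keys: #arrayToList(bad)#"
                );
                // Answer with 400 instead of letting page code throw on a
                // comparison such as url.v != "".
                cfheader(statuscode = 400, statustext = "Bad Request");
                writeOutput("Bad Request");
                abort;
            }
        }
        return true;
    }
}
```

Pages that intentionally rely on struct or array values in these scopes would need an allowlist of expected keys in front of this check.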

Won't Do

Assignee

Michael Offner

Reporter

JP

Priority

New

Labels

None

Fix versions

None

Affects versions