URL variables can be automatically parsed into a struct

Description

I believe this is identical to this issue: https://luceeserver.atlassian.net/browse/LDEV-1590, which has been closed, but I think something needs to be done about this for URL and Form scopes to prevent DOS attacks that would be initiated by generating a ton of errors.

When the following URL is interpreted by Lucee, the URL scope includes a struct as follows:

My feeling is that under no circumstances should any parameter in the URL or Form scopes be interpreted as anything other than a simple value. Otherwise it seems that it would be trivial to initiate a DOS on any Lucee site that uses variables in the URL scope (or the Form scope) because you could hit the site with expected URLs in the form of a struct, which might cause so many errors that the site could become unstable or stop responding.

I realize that you could obfuscate URL params or prevent Lucee from ever seeing this pattern by using URL rewrites, but that is not technically feasible for many apps, especially legacy apps.

I also don't think it's feasible to put the onus on the developer to validate a URL or Form scope after Lucee parses it.

Am I overthinking this, or would you agree that this could be a vector for DOS attacks on Lucee sites?

Environment

Windows
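An application-level guard for the concern described above, as an added example that is not part of the original report and is not Lucee project code. It rejects any request whose URL or Form scope holds a non-simple value before the requested page runs; the application name, log file name and 400 response are assumptions.

```cfml
// Application.cfc (added example; names below are hypothetical)
component {

    this.name = "simple-scope-guard-example"; // hypothetical application name

    // Count the keys in a scope whose values are not simple values,
    // i.e. parameters the engine turned into a struct or an array.
    private numeric function countComplexValues(required struct scope) {
        var count = 0;
        for (var key in arguments.scope) {
            if (!isSimpleValue(arguments.scope[key])) {
                count++;
            }
        }
        return count;
    }

    public boolean function onRequestStart(required string targetPage) {
        var rejected = countComplexValues(url) + countComplexValues(form);

        if (rejected > 0) {
            // One log line per rejected request instead of one error per
            // place in the application that expects a simple value.
            // Only the count is logged: key names are request-controlled.
            writeLog(
                text = "Rejected request with #rejected# non-simple URL/Form parameter(s)",
                type = "warning",
                file = "scope-guard" // hypothetical log file name
            );
            cfheader(statuscode = 400, statustext = "Bad Request");
            return false; // stop processing before the requested page runs
        }
        return true;
    }
}
```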

Activity

Michael Offner
May 1, 2020, 7:21 PM

We could add a setting to disable this in the admin.

Mihail Antibor
October 27, 2020, 9:47 AM
Edited

Is there a way to get rid of this additional structure from the FORM?

Guardian
October 28, 2020, 9:27 AM
Edited

That is not only a security problem, but also an incompatibility with ACF problem.
Because I have many cases when I loop through FORM keys

I think we should have a similar option to "sameFormFieldsAsArray" in Application,
like "sameFormFieldsAsStruct".
And by default it should be "true" to save current Lucee compatibility.
But for those who migrate from ACF it should be "false".

Guardian
October 28, 2020, 9:35 AM

And I think, priority should be increased,
because it makes migrating from ACF near impossible.

Zac Spitzer
October 28, 2020, 10:05 AM

see

Assignee

Michael Offner

Reporter

JP

Priority

Minor

Labels

Fix versions

None

Affects versions
