I believe this is identical to this issue: https://luceeserver.atlassian.net/browse/LDEV-1590, which has been closed, but I think something needs to be done about this for URL and Form scopes to prevent DOS attacks that would be initiated by generating a ton of errors.
When the following URL is interpreted by Lucee, the URL scope includes a struct as follows:
My feeling is that under no circumstances should any parameter in the URL or Form scopes be interpreted as anything other than a simple value. Otherwise it seems that it would be trivial to initiate a DOS on any Lucee site that uses variables in the URL scope (or the Form scope) because you could hit the site with expected URLs in the form of a struct, which might cause so many errors that the site could become unstable or stop responding.
I realize that you could obfuscate URL params or prevent Lucee from ever seeing this pattern by using URL rewrites, but that is not technically feasible for many apps, especially legacy apps.
I also don't think it's feasible to put the onus on the developer to validate a URL or Form scope after Lucee parses it.
Am I overthinking this, or would you agree that this could be a vector for DOS attacks on Lucee sites?
We could add a setting to disable this in the admin.
Is there a way to get rid of this additional structure from the FORM?
That is not only a security problem, it is also an ACF incompatibility problem.
Because I have many cases when I loop through FORM keys.
I think we should have a similar option to "sameFormFieldsAsArray" in Application.
And by default it should be "true" to save current Lucee compatibility.
But for those who migrate from ACF it should be "false".
And I think the priority should be increased, because it makes migrating from ACF near impossible.
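As an added example (not code from this thread or from Lucee itself), this is one way to do the per-request validation the first post discusses, and the FORM key loop the last reply mentions, in an Application.cfc: any URL or Form entry that Lucee has parsed into a non-simple value is logged once and the request is refused before the target page can trip on it. The log file name, the 400 response and the helper name are assumptions.

```cfml
// Added example: guards the url and form scopes in Application.cfc.
// Assumes Lucee 5+ cfscript; the log file name and 400 response are illustrative choices.
component {
    this.name = "urlFormScopeGuard";

    // Refuse the request if any URL/Form entry is something other than a simple value,
    // so one malformed request produces one log line instead of an error per scope access.
    boolean function onRequestStart(required string targetPage) {
        var offending = findNonSimpleKeys(url, "url");
        offending.append(findNonSimpleKeys(form, "form"), true);
        if (!offending.isEmpty()) {
            writeLog(type="warning", file="scopeguard",
                     text="Rejected non-simple request params: " & offending.toList());
            cfheader(statusCode=400, statusText="Bad Request");
            cfcontent(type="text/plain", reset=true);
            writeOutput("Request parameters must be simple values.");
            return false;   // stop processing the target page
        }
        return true;
    }

    // Returns "label.key" names for every entry whose value is a struct, array or other complex object.
    array function findNonSimpleKeys(required struct scope, required string label) {
        var bad = [];
        for (var key in arguments.scope) {
            if (!isSimpleValue(arguments.scope[key])) {
                bad.append(arguments.label & "." & key);
            }
        }
        return bad;
    }
}
```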