All work

3 of 3

Square brackets in query string keys will put values in array

Description

Open any (cfm) template with the following query string:

?q[]=1&q[]=2

or in case the webserver requires brackets to be encoded:

?q%5B%5D=1&q%5B%5D=2

ACF URL Scope (serialized for demo purpose)

{ "q[]": "1,2" }

✔️ brackets in key are kept, values with the same key are preserved as comma separated list

Lucee URL Scope (serialized for demo purpose)

{ "q": [ "1", "2" ] }

❌ brackets in key have been removed, values with the same key are preserved as array

I assume this stems from PHP, where it is common practise to transform trailing brackets to an array when parsing the HTTP request. I personally don't like implicit handling of user input and would like to see a setting to disable this behavior. Right now the default behavior requires us to check every field in the URL scope with isSimpleValue() as it will cause type conversion exceptions otherwise. (Bots seem to attack with these query strings to discover security vulnerabilities in PHP applications, I guess.)

This feature is mentioned here as being a "hidden gem". 🤔

Related setting for treating same-key form fields as array: sameFormFieldsAsArray

Details

Assignee

Michael Offner

Reporter

Alexander Kwaschny

Labels

URLacf-compatscope

New Issue warning screen

Before you create a new Issue, please post to the mailing list first https://dev.lucee.org

Once the issue has been verified, one of the Lucee team will ask you to file an issue

Priority

New

Created 12 July 2021 at 13:26

Updated 25 October 2022 at 16:43

Activity

Adam Cameron
25 October 2022 at 16:40
(edited)

Can this sort of thing - which is a breaking change - not be documented as a “hidden gem”, but documented front and centre in release notes as “this might break yer app”. Also… shouldn’t breaking changes be limited to major releases?

Is there a ticket where this feature was added, btw?

IMO this ought to be removed from Lucee 5, possibly added in Lucee 6, but even then only as an opt-in server setting. It def should never be default behaviour, and that it is should be considered a bug.

Also I've just been reminded of my findings in https://luceeserver.atlassian.net/browse/LDEV-2374. This sort of thing contravenes (the spirit of ~) the RFC, and should def be considered undesirable & unexpected behaviour.

Pothys - MitrahSoft
13 July 2021 at 07:33

I've checked this ticket and confirmed the issue happened on lucee latest version 5.3.8.191-SNAPSHOT too. if there is a square bracket behind query string means, the values are converted to array in URL scope. Seems ACF returns URL scope as struct key with square bracket and list in value. @Michael Offner will decide about this issue.