Renderer methods assume the module exists

Description

I have been getting some errors from spiders that are trying to try different URLs to find a weakness.

The URL is this: /AdminUsers/javascript:void(0);

I think this would just take some sort of change in the Renderer.cfc in the functions locateModuleLayout and locateModuleView.
Something like:
if ( !structKeyExists(variables.modulesConfig,arguments.module) )
return 'whatever the invalidEventHandler event path is'

Activity

Show:
Luis Majano
July 21, 2020, 5:12 PM

Are you using an invalidEventHandler

Matt Graff
July 21, 2020, 6:00 PM

I am yes. Normal 404s are handled. I think it is because it sees this as a module route. When the route is just “/AdminUsers/javascript” it works. When I add the “/AdminUsers/javascript:void(0);” it causes the error.

Element ADMINUSERS.JAVASCRIPT is undefined in a CFML structure referenced as part of an expression.

at cfRenderer2ecfc1070012657$funcLOCATEMODULELAYOUT.runFunction(C:\ColdFusion2018\cfusion\wwwroot\xxxxxx\frameworks\coldbox\system\web\Renderer.cfc:666

 

Is there is a workaround I am missing? Thanks.

Luis Majano
July 22, 2020, 2:57 PM

Ahh ok, that’s what I need to test. So the AdminUsers is a REAL module then.

Matt Graff
July 22, 2020, 7:24 PM

Correct.

The correct URL is mysite.com/AdminUsers/index

If you type in mysite.com/AdminUsers/javascript it will give the proper 404 invalid event screen

if you type in the mysite.com/AdminUsers/javascript:void(0) you will then get the error I posted above…

Assignee

Luis Majano

Reporter

Matt Graff

Labels

None

Components

Affects versions

Priority

Major
Configure