Colon (:) in URL Path Causes Exception Error

Description

I recently noticed that if someone (or a bot) attempts to load a URL containing a colon (:), it will generate an exception error:
"Element https is undefined in a CFML structure referenced as part of an expression."
coldbox\system\web\Renderer.cfc Line 720

You can replicate the issue on any Coldbox app by hitting a URL pattern like:
https://www.yourdomain.com/index.cfm/https:/anything

I can think of a few ways to address the issue, but I would be inclined to not allow colon characters as module or handler names and instead have Coldbox trigger the invalidEventHandler if any invalid characters are detected.

The downside of adding a check like this is that it could cause performance issues if a URL pattern regex needs to run on every request.

Another possibility would be to wrap the code on line 720 in a try/catch statement and then if an exception is generated due to bad characters, then the invalidEventHandler could be triggered.

Activity

Jon Clausen
November 10, 2020, 12:38 PM

There are use cases in which colon characters are used as part of valid URL routes (e.g. Elasticsearch task identifiers use them).

IMHO, we should address the list parsing exception that is at the root of this error.

Luis Majano
November 10, 2020, 2:59 PM

You can already use the coldbox.invalidEventHandler to intercept invalid requests and present a nice 404. This will fire when invalid events are detected and nothing is matched; if not, basically the renderer is the last line of defense, trying to render something by convention.

I am hesitant to add anything else if you can already intercept these types of events via invalidEventHandler.

David Levin
November 11, 2020, 4:03 PM

That makes sense, and I agree for performance reasons that checking for characters or performing any sanitization beforehand is a bad idea. However, I do think has a good point that the exception error that gets generated in the renderer is a problem, even if you use your own invalidEventHandler to render a view.

I’ve been sifting through the Coldbox code to see if I could come up with a fix but I’m stuck. I’ll spend some time this week coming up with a quick and dirty example that can be easily replicated so you can see the error.

David Levin
November 17, 2020, 10:26 PM

Thanks for your patience while I put together a reproducible example. Here’s how you can easily replicate the issue:

Create a new Coldbox app via Commandbox:
coldbox create app

Update the /config/coldbox.cfc setting for invalidEventHandler to read main.onMissingPage

Create a new method in /handlers/Main.cfc:

Create a new page in /views/main/ called 404.cfm and include something like:

Fire up your server with server start and make sure it loads okay.

Now go to a missing page (replace port with your server’s port):
http://127.0.0.1:[port]/nopage/

You should see the message “Invalid Page!”.

Now try this URL:
http://127.0.0.1:[port]/nopage:/

You’ll get an exception error: “key [nopage] doesn't exist” (Lucee) or “Element NOPAGE is undefined in a CFML structure referenced as part of an expression.” (ACF)

Hopefully, this helps!
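The handler method and 404 view that the repro steps above refer to, written out as an added example (my code, not the reporter's or the ColdBox project's). It assumes a stock app from `coldbox create app`, that `coldbox.invalidEventHandler = "main.onMissingPage"` hands control to that action when no handler/action matches, and that ColdBox exposes the unmatched event name as `prc.invalidEvent` (treated here as an assumption, with a fallback to `event.getCurrentEvent()`). The explicit 404 status and the `encodeForHTML()` call are this example's additions, not something the ticket asks for: a catch-all page that echoes the requested path unencoded is a classic reflected-output sink, and a 200 on junk paths keeps scanners guessing.

```cfml
// File: config/Coldbox.cfc, inside configure() -- only the relevant keys shown,
// leave the other keys the generated app already has.
coldbox = {
    appName             = "colonrepro",
    defaultEvent        = "main.index",
    invalidEventHandler = "main.onMissingPage"
};

// File: handlers/Main.cfc
component extends="coldbox.system.EventHandler" {

    function index( event, rc, prc ){
        event.setView( "main/index" );
    }

    // Target of coldbox.invalidEventHandler. ColdBox invokes this when the
    // incoming URL resolves to no handler/action (e.g. /nopage/).
    function onMissingPage( event, rc, prc ){
        // Send a real 404 rather than a 200 with a "not found" body.
        event.setHTTPHeader( statusCode = 404, statusText = "Not Found" );

        // Assumption: ColdBox stores the unmatched event name in prc.invalidEvent;
        // fall back to the current event name if that key is absent.
        prc.requestedEvent = structKeyExists( prc, "invalidEvent" )
            ? prc.invalidEvent
            : event.getCurrentEvent();

        event.setView( "main/404" );
    }
}

<!--- File: views/main/404.cfm --->
<cfoutput>
<h1>Invalid Page!</h1>
<!--- Never echo the requested path raw into the page; encode it for the HTML context. --->
<p>No page matches <code>#encodeForHTML( prc.requestedEvent )#</code>.</p>
</cfoutput>
```

With this in place, `server start` and a request to `/nopage/` should render the view above with a 404 status, while `/nopage:/` is the request that, per the thread, still reaches the renderer and throws before the view is rendered; the handler cannot catch that on its own, which is the point the ticket is making.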

Assignee

Luis Majano

Reporter

David Levin

Labels

None

Priority

Minor