An apparent bot made a series of errors in our log today by hitting
some malformed URLs that got me thinking. The URLs looked roughly
The error was "The string instance.context. is not a valid ColdFusion
It's pretty obvious that the empty space between the slashes was being
interpreted as the key name where registeronline.com was the value.
Line 100 of ses.cfc is where the key and value get set into the event
object. Line 152 of requestContext.cfc is the setValue method where
this code exists (the ultimate source of the error):
<cfset "instance.context.#arguments.name#" = arguments.value>
So, here's my question for discussion: What should be valid names of
variables in the request collection?
If they are going to be valid ColdFusion variable names (can't start
with numbers etc...) then I suggest ses.cfc be modified to pass the
keys through some regex first. Either that, or
requestContext.setValue do some quick validation. Of course, what to
do in case of a bad name might be a different matter. Should an error
be thrown with poorly named SES URLs, or should the bad ones be
On the other side of the coin, if we want to say that any string which
is a valid key name in a struct (which doesn't exclude much) then
minimally all references to the request collection in
requestContext.cfc would need to be changed to be handled as a struct.
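
Added example, not part of the original post and not the framework's own code: one way to validate SES key names with a regex before they reach a dynamic-name assignment, storing accepted pairs with struct bracket notation. The function names, the ASCII-only pattern (stricter than CFML's own naming rule), the choice to collect bad names rather than throw, and the sample path are all assumptions made for illustration.

```cfml
<cfscript>
// Hypothetical helper: true only for names safe to use in a dynamic assignment.
// Assumption: ASCII letter or underscore first, then letters, digits, underscores.
function isValidKeyName(required string name) {
    // The anchored pattern matches at position 1 or not at all; "" returns 0.
    return reFind("^[A-Za-z_][A-Za-z0-9_]*$", arguments.name) == 1;
}

// Hypothetical helper: split "key/value/key/value" into accepted and rejected pairs.
function parseSesPairs(required string path) {
    var result = { accepted = {}, rejected = [] };
    // includeEmptyFields=true keeps the empty segment produced by "//",
    // so the empty key is seen and rejected instead of shifting the pairs.
    var parts = listToArray(arguments.path, "/", true);
    var i = 1;
    var key = "";
    var value = "";
    for (i = 1; i <= arrayLen(parts); i += 2) {
        key = parts[i];
        value = (i < arrayLen(parts)) ? parts[i + 1] : "";
        if (isValidKeyName(key)) {
            // Bracket notation stores the key as plain struct data;
            // nothing is evaluated as a variable name.
            result.accepted[key] = value;
        } else {
            // Assumption: collect bad names for logging instead of throwing,
            // so a malformed URL cannot raise an application error.
            arrayAppend(result.rejected, { key = key, value = value });
        }
    }
    return result;
}

// Constructed sample path with an empty segment between two slashes.
parsed = parseSesPairs("page/2//registeronline.com");
writeOutput("accepted keys: " & structKeyList(parsed.accepted) & "<br>");
writeOutput("rejected pairs: " & arrayLen(parsed.rejected));
</cfscript>
```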