SSL Interceptor validation

ColdBox 2.6.2

An apparent bot made a series of errors in our log today by hitting
some malformed URLs that got me thinking. The URLs looked roughly
like this: /

The error was "The string instance.context. is not a valid ColdFusion
variable name."

It's pretty obvious that the empty space between the slashes was being
interpreted as the key name where was the value.

Line 100 of ses.cfc is where the key and value get set into the event
object. Line 152 of requestContext.cfc is the setValue method where
this code exists (the ultimate source of the error):
<cfset "" = arguments.value>

So, here's my question for discussion: What should be valid names of
variables in the request collection?

If they are going to be valid ColdFusion variable names (can't start
with numbers etc...) then I suggest ses.cfc be modified to pass the
keys through some regex first. Either that, or have
requestContext.setValue do some quick validation. Of course, what to
do in case of a bad name might be a different matter. Should an error
be thrown with poorly named SES URLs, or should the bad ones be

On the other side of the coin, if we want to say that any string which
is a valid key name in a struct (which doesn't exclude much) then
minimally all references to the request collection in
requestContext.cfc would need to be changed to be handled as a struct.



Hi Brad,

I think the best approach is to do a check on the variable, if the variable is syntactically sane then try to get the value. If the value fails, then ignore the name-value pair as it was not a valid CF variable.

I will create a ticket for this and work on it in the weekend.

That sounds like a reasonable idea. All of my events should already
have appropriate error checking in place to notice if all the
parameters they were expecting didn't make it in.


This is now fixed on SVN. The approach is a little different: the variable is checked for validity, and if it fails, the variable name will be called:

This will be in the request collection, it tells you that it was an invalid variable name and the position in the url.
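The two approaches discussed in this thread (Brad's question about validating SES keys before the dynamic `<cfset>`, and the fix that keeps invalid keys under a placeholder recording their position in the URL) as an added, stand-alone example. This is not ColdBox code and not from ses.cfc or requestContext.cfc; it is written in Python to show the algorithm. Assumptions: the `/event/key1/value1/key2/value2` layout, the regex standing in for ColdFusion's variable-name rule, the `invalidSesKey_{pos}` placeholder format (the thread does not give the real name) and the `set_value_strict` stand-in for the original setValue.

```python
import re

# Rule this example assumes for a "syntactically sane" ColdFusion variable
# name: a letter or underscore followed by letters, digits or underscores.
# It is a stand-in for the real CF check, not ColdBox's own code.
CF_VARIABLE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class InvalidVariableName(Exception):
    """Raised when a name could not be used on the left of <cfset>."""


def is_valid_cf_name(name):
    """True if `name` matches the assumed ColdFusion variable-name rule."""
    return bool(CF_VARIABLE_NAME.match(name))


def set_value_strict(rc, name, value):
    """Stand-in for the original setValue behaviour (assumed, not ColdBox code):
    assigning to a bad name is an error, which is what the bot's '//' URLs
    triggered in the log."""
    if not is_valid_cf_name(name):
        raise InvalidVariableName(
            "The string instance.context.%s is not a valid ColdFusion "
            "variable name." % name)
    rc[name] = value
    return rc


def parse_ses_path(path, invalid_key_format="invalidSesKey_{pos}"):
    """Turn an SES path into (event, request_collection).

    Layout assumed here: /event/key1/value1/key2/value2. Empty segments
    (from '//') and keys that are not valid CF names are kept under a
    placeholder that records the 1-based position of the bad key segment
    in the path, mirroring the fix described in the thread; the placeholder
    format is an assumption.
    """
    segments = path.split("/")
    if segments and segments[0] == "":
        segments = segments[1:]          # leading slash
    if segments and segments[-1] == "":
        segments = segments[:-1]         # trailing slash
    event = segments[0] if segments else ""
    rc = {}
    rest = segments[1:]
    for i in range(0, len(rest), 2):
        key = rest[i]
        # A trailing key with no value is stored with an empty value (assumed).
        value = rest[i + 1] if i + 1 < len(rest) else ""
        pos = i + 2                      # event is segment 1, first key is 2
        if not is_valid_cf_name(key):
            key = invalid_key_format.format(pos=pos)
        rc[key] = value
    return event, rc


if __name__ == "__main__":
    # Constructed sample paths, including the malformed '//' shape from the log.
    for sample in ("/main.index/name/Brad", "/main.index//Brad",
                   "/main.index/1st/x/ok/y"):
        print(sample, "->", parse_ses_path(sample))
    try:
        set_value_strict({}, "", "Brad")
    except InvalidVariableName as err:
        print("strict setValue:", err)
```

`parse_ses_path` never hands an unvalidated key to the assignment step, so the malformed URL becomes an entry such as `invalidSesKey_2` in the request collection rather than an error, and an event handler can still notice that an expected parameter did not arrive.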