argumentCollection does not work for cfdocument?

ebrewer · October 12, 2023, 3:56pm

Just noticed cfdocument method does not seem to support argumentCollection parameter.
Is this an oversight or is there a reason for it?
I’m trying to create a generic PDF creator function where the params are passed in from dynamic configuration, but without argumentCollection it seems i would have to declare every possible cfdocument argument and permutations based on my dynamic config?

Lucee 5.3.8.189 (windows, IIS)

<cfset myArgs = {"format":"pdf",
	"saveasname":"LuceePdfTest.pdf",
	"pagetype":"letter",
	"orientation":"landscape",
	"margin":{top:.1,bottom:.4,left:.05,right:.05}
}>
<cfdocument argumentCollection="#myArgs#">
Test
</cfdocument>

RESULT
Exception: type=template
Attribute [argumentcollection] is not allowed for tag [cfdocument] valid attribute names are [backgroundvisible,encryption,filename,fontembed,fontdirectory,format,page,margin,marginbottom,marginleft,marginright,margintop,mimetype,name,orientation,overwrite,ownerpassword,pageheight,pagewidth,pagetype,permissions,scale,src,srcfile,type,unit,userpassword,proxyhost,proxyport,proxyuser,proxypassword,bookmark,htmlbookmark,localurl,authuser,authpassword,useragent,saveasname]

ebrewer · October 12, 2023, 4:54pm

Well looks like i can create the entire cfdocument call as a string and then user the render() function to invoke it, which allows for the dynamic arguments to be inserted easily enough.

Ivan · October 12, 2023, 6:14pm

hi, you should use attributeCollection instead of argumentCollection

Zackster · October 12, 2023, 6:26pm

5.3.8.189 is subject to a CVE and you need to upgrade immediately to at least 5.3.8.237

ebrewer · October 12, 2023, 6:30pm

Thank you @Zackster - is there any details on the nature of the CVE so i can assess/pass on to my IT team?
Alternately, if you say its uber crtical I’ll take your word on faith.

ebrewer · October 12, 2023, 6:31pm

Ah gosh! I felt like i was missing something silly, i even saw this in various documentation pages but my eyes glossed it over as argumentCollection.
Thanks!

ebrewer · October 12, 2023, 6:43pm

Nevermind, i found your comments in the main thread about publishing final hotfixes and writeup, so will wait on that - i’m sure you’ve been asked this question a thousand times already.

andreas · October 12, 2023, 8:24pm

@Zackster We really have been telling everyone, everywhere and for weeks now to urgently update their servers. There have been advisories here at the forum at a very prominent hero position, at Twitter, at Slack, LinkedIn, at the official website, the offical CVE channels, and more. If admins really don’t care, then its up to them. What else can we do?

Now I understand, why MS sometimes triggers and forces an update remotely in a manner, that it would just do it.

ebrewer · October 12, 2023, 8:48pm

The notifications have been good i think.
Its just without there being any information about the nature of the vulnerability its hard to assess how truly critical it is.
It sounds important, but under all circumstances? For example if my application is on intranet only and not accessible over the web is it still as critical? Is it only if certain tags have not been locked down?

I’m basically waiting for the information to be made available, or a lucee dev plainly stating “For the love of god, patch your system no matter what!” or something to that effect…