argumentCollection does not work for cfdocument?

Just noticed the cfdocument method does not seem to support the argumentCollection parameter.
Is this an oversight or is there a reason for it?
I’m trying to create a generic PDF creator function where the params are passed in from dynamic configuration, but without argumentCollection it seems I would have to declare every possible cfdocument argument and permutations based on my dynamic config?

Lucee (windows, IIS)

<cfset myArgs = {"format":"pdf",
<cfdocument argumentCollection="#myArgs#">

Exception: type=template
Attribute [argumentcollection] is not allowed for tag [cfdocument] valid attribute names are [backgroundvisible,encryption,filename,fontembed,fontdirectory,format,page,margin,marginbottom,marginleft,marginright,margintop,mimetype,name,orientation,overwrite,ownerpassword,pageheight,pagewidth,pagetype,permissions,scale,src,srcfile,type,unit,userpassword,proxyhost,proxyport,proxyuser,proxypassword,bookmark,htmlbookmark,localurl,authuser,authpassword,useragent,saveasname]

Well, looks like I can create the entire cfdocument call as a string and then use the render() function to invoke it, which allows for the dynamic arguments to be inserted easily enough.

hi, you should use attributeCollection instead of argumentCollection
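
Added example, not part of the thread or of Lucee's own code: a generic PDF helper that passes configuration-driven attributes through attributeCollection instead of assembling the tag as a string for render(), which would evaluate configuration text as CFML. The function name `createPdf`, the choice of allow-listed attributes (names taken from the error message above) and the sample config are assumptions made for illustration.

```cfml
<cffunction name="createPdf" access="public" returntype="any">
    <cfargument name="config" type="struct" required="true">
    <cfargument name="html" type="string" required="true">

    <!--- Layout attributes the configuration may set. File, URL, proxy and
          password attributes (filename, src, srcfile, localurl, proxy*, ...)
          are left out on purpose so config cannot redirect output or fetches. --->
    <cfset var allowed = ["orientation", "pagetype", "pagewidth", "pageheight", "unit", "scale",
                          "margintop", "marginbottom", "marginleft", "marginright",
                          "backgroundvisible", "fontembed"]>
    <!--- Fixed by the code, never by configuration: output format and target variable --->
    <cfset var attrs = {"format": "pdf", "name": "local.pdfBytes"}>
    <cfset var key = "">

    <!--- Copy only allow-listed, simple-valued keys from the dynamic config --->
    <cfloop array="#allowed#" index="key">
        <cfif structKeyExists(arguments.config, key) and isSimpleValue(arguments.config[key])>
            <cfset attrs[key] = arguments.config[key]>
        </cfif>
    </cfloop>

    <cfdocument attributeCollection="#attrs#"><cfoutput>#arguments.html#</cfoutput></cfdocument>
    <cfreturn local.pdfBytes>
</cffunction>

<!--- Constructed sample config: "filename" is not on the allow-list and is dropped --->
<cfset pdf = createPdf({"orientation": "landscape", "margintop": 1, "filename": "ignored.pdf"}, "<h1>Report</h1>")>
```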

is subject to a CVE and you need to upgrade immediately to at least

Thank you @Zackster - are there any details on the nature of the CVE so I can assess/pass on to my IT team?
Alternatively, if you say it's uber critical I’ll take your word on faith.

Ah gosh! I felt like I was missing something silly, I even saw this in various documentation pages but my eyes glossed it over as argumentCollection.

Never mind, I found your comments in the main thread about publishing final hotfixes and writeup, so will wait on that - I’m sure you’ve been asked this question a thousand times already.

@Zackster We really have been telling everyone, everywhere and for weeks now to urgently update their servers. There have been advisories here at the forum at a very prominent hero position, at Twitter, at Slack, LinkedIn, at the official website, the official CVE channels, and more. If admins really don’t care, then it's up to them. What else can we do?

Now I understand why MS sometimes triggers and forces an update remotely, in a manner that it would just do it.

The notifications have been good, I think.
It's just that without there being any information about the nature of the vulnerability it's hard to assess how truly critical it is.
It sounds important, but under all circumstances? For example, if my application is on intranet only and not accessible over the web, is it still as critical? Is it only if certain tags have not been locked down?

I’m basically waiting for the information to be made available, or a Lucee dev plainly stating “For the love of god, patch your system no matter what!” or something to that effect…