Cflocation url encoding

Hey all,

We are moving a client from Railo to Lucee and we have come across an
interesting issue.

test1.cfm

test2.cfm

#URL.Message#

Railo shows: This is a test message

Lucee shows: This+is+a+test+message

In Railo if you entered “test2.cfm?message=This+is+a+test” in a cflocation
it would just send the URL as is. In lucee it URL encodes it to
“test2.cfm?message=This%2Bis%2Ba%2Btest”.

We have disabled cross site scripting in admin and that didn’t help. Can
someone give this a try or have you seen this before. I’s there a
difference in the way lucee handles cflocation?

Thanks in advance!

What version of Lucee are you running?

Igal Sapir
Lucee Core Developer
Lucee.org http://lucee.org/On 9/29/2016 2:25 PM, W. Williams wrote:

Hey all,

We are moving a client from Railo to Lucee and we have come across an
interesting issue.

test1.cfm

test2.cfm

#URL.Message#

Railo shows: This is a test message

Lucee shows: This+is+a+test+message

In Railo if you entered “test2.cfm?message=This+is+a+test” in a
cflocation it would just send the URL as is. In lucee it URL encodes
it to “test2.cfm?message=This%2Bis%2Ba%2Btest”.

We have disabled cross site scripting in admin and that didn’t help.
Can someone give this a try or have you seen this before. I’s there
a difference in the way lucee handles cflocation?

Thanks in advance!

Get 10% off of the regular price for this years CFCamp in Munich,
Germany (Oct. 20th & 21st) with the Lucee discount code Lucee@cfcamp.
189€ instead of 210€. Visit
CFCamp 2016

You received this message because you are subscribed to the Google
Groups “Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to lucee+unsubscribe@googlegroups.com
mailto:lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com
mailto:lucee@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/6d1e9a7b-29a5-4ea6-83a5-272bcb3d421b%40googlegroups.com
https://groups.google.com/d/msgid/lucee/6d1e9a7b-29a5-4ea6-83a5-272bcb3d421b%40googlegroups.com?utm_medium=email&utm_source=footer.
For more options, visit https://groups.google.com/d/optout.

We are using mod_proxy_jp as the connector within apache.

Lucee 5, most recent stable release!
I’m sorry, but that’s not a valid version number.

Igal Sapir
Lucee Core Developer
Lucee.org http://lucee.org/On 9/29/2016 5:40 PM, W. Williams wrote:

Thought I included that info Lucee 5, most recent stable release!

Thought I included that info Lucee 5, most recent stable release!

Lucee 5.0.0.254

While I have not tested this behavior as being different between Railo and
Lucee, I feel the proper behavior is being done by Lucee in this case.
Might I suggest taking a different approach here altogether?

First, your code is highly insecure. Passing message data around on the URL
like that is inherently dangerous and could lead to reflected XSS attacks
against your site. The better approach is to do something like:

test2.cfm?message=XXX

Where XXX is usually a number or combination of letters you then use within
test2.cfm:

if(URL.message eq XXX) {
writeOutput( ‘This is my test message’ );
}

Or, if you expect a number of different messages you could switch/case it
and have a catch-all defaultCase, etc.

At the very least, if you don’t want to do that, then you should do
something like this:

test2.cfm?message=#urlEncodedFormat( ‘My test message’ )#

And in test2.cfm:

writeOutput( encodeForHTML( urlDecode( URL.message ) ) );

Where you URL encode your message text and then decode it and wrap it in
encodeForHTML() to prevent it being used for XSS attacks.

The safer approach is still to use alpha/numeric code you check for and
then present your message based on the code passed in.

HTH

– Denny

Can someone give this a try for us. Just trying to see if it is our
install or just a difference between Railo and Lucee. Is there a way to
change this behavior if it is just Lucee?

Thanks in advance!