Hi. We’ve ran into an edge-case in Lucee, caused by pentesters querying random URLs.
If someone requests test.cfm?p=hello&p.ico, on Adobe that’d result in URL={“p”=“hello”,“p.ico”=“”}. Whereas on Lucee it results in URL={“p”={“ico”:“”},“p.ico”=“”}.
For more background context, internally, when someone makes a request to /tasks/:id/milestones.json, we have nginx code rewrite that as e.g. test.cfm?p=tasks&p=123&p=milestones for example. But if someone visits milestones.json?p.ico, because of this Lucee edge-case, that results in it wiping URL.p, replacing it with an ico struct.
I’ve tested against both the latest version of Lucee 5 and Lucee 6 and am seeing this behaviour.
EDIT: We can fix our code by just ignoring URL.p if it’s not a string, I just figured I’d raise it anyway.