Ran into a bit of an issue with a broken Application.cfc … the error page presented was the error.cfm that spits all the internal stack trace details etc., which is undesirable on a production site.
Based on a bit of research, it seems that in the case where Application.cfc cannot compile, Lucee cannot follow your error-public.cfm directive in your config, and so falls back to an internal one. In my testing though, it seems to fall back to the one that leaks information (error.cfm).
Is there a way to influence this behaviour, or do I have a fundamental misunderstanding on how this is supposed to work?
Phil, like with ACF, when your app-level error handler fails, what Lucee “falls back to” is the error handler defined in the Lucee admin. See Settings>Error.
Change THAT to use the safer/more secure error-public.cfm, rather than the error.cfm you may find it pointing to by default.
This can also be configured in the .CFconfig.json file, which is what the Lucee admin modifies.
FWIW, this is discussed in a couple of places, though I realize you’d not find them if looking for a solution from that perspective of a broken application.cfc.
Hi carehart … thanks for the reply. However I’m actually talking about an edge case only where Application.cfc cannot compile and in this case Lucee does not obey the CFconfig directive and uses error.cfm only it seems.
Are you saying you confirmed in the admin (or that central json file) that it points to error-public.cfm?
If instead you find it pointing to error.cfm, I’m proposing that changing it there (not in your application.cfc) should be the solution you’re requesting.