I’ve seen related issues come up e.g. (https://lucee.daemonite.io/t/error-graph-cfm/9483), but in my case, I am getting hit by a hacker that triggers calls to graph.cfm with made-up GUID image names - no idea why - like ~400,000 times day and keeps changing IP when I block. So my logs and papertrail are swamped with the stack trace from this exception from the graph.cfm code…
<cfif structKeyExists(url,"img") && structKeyExists(url,"type")>
<cfcontent file="#GetTempDirectory()#/graph/#listLast(url.img,'/\#server.separator.file#')#" type="image/#url.type#"><cfsetting showdebugoutput="no">
<cfelse>
<cfheader statuscode="404" statustext="Invalid Access">
</cfif>
He does provide a url.img and a url.type - so the 404 is not triggered.
The exception is
“file or directory [###/web-contexts/11972343f64841658ff7fb11ba374fbd/temp//graph/05549805-2105-4502-ABA2C8E18A1359AF.jpg] does not exist;lucee.runtime.exp.ExpressionException: file or directory [###/web-contexts/1197728df64841658ff7fb11ba374fbd/temp//graph/05549805-2105-4502-ABA2C8E18A1359AF.jpg] does not exist”
Originally I thought it was tied to some lucee bug where the “//” in temp//graph was the issue - but actually that seems irrelevant as lucee can figure that out. Lucee (quite reasonably) just throws an exception because the file isn’t there.
The only idea I have is to alter graph.cfm on my servers to add a check to see if the file exists (and check it whenever i upgrade), unless anyone has a better idea.
thanks