Mapping conflicts with physical folder

Requests to my /tags directory is being internally mapped to a mapping named "/tags" in my application.cfc file. I didn’t know that mappings worked this way with http requests… I thought they were only used internally in my code to reference directories for custom tags or cfmodule calls. But now I’m seeing that Lucee is using my mappings to determine the location of http requests. Is this new to Lucee 6? I never ran into this before with Lucee5/Windows(both IIS and tomcat directly).

Here’s what’s going on:

In application.cfc, I’ve got a mapping to my custom tags folder like so:

this.mappings = {
    "/tags": "project/custom-tags
}

I’ve also got a directory named “tags” in my web root folder:

project/www/tags

What’s happening is that the the /tags request is being mapped internally by Lucee to my /tags mapping, and is returning a 404 because there is no index.cfm in that location. I verified this by adding an index.cfm file in my custom tags folder and it was served by Lucee.

I recently moved my app over from Lucee 5 to 6, from Windows (IIS in production, direct to tomcat in development) to Linux/nginx with Docker, and this behavior does not exist in my 5x world… it doesn’t confuse the /project/www/tags/ folder with the /product/custom-tags folder in the mappings.

I did verify (to my horror) that I can access some of my custom tag folders from a web request (I can’t believe I have not noticed this before!) So I guess the question is, how do I define a mapping that I can use for custom tags, etc., but is not accessible from a web request? Do I need to block access to those directories from the web server?

OS: Linux (5.15.167.4-microsoft-standard-WSL2) 64bit
Java Version: 21.0.7 (Eclipse Adoptium) 64bit
Tomcat Version: 11.0.6
Lucee Version: 6.2.1.122

Lucee 6 has a breaking change which resolves mappings before the filesystem

Such Application.cfc level mappings are only resolved within the application code.

https://luceeserver.atlassian.net/browse/LDEV-2205

Server / admin level mappings have a web accessible flag, which is currently only shown on the edit mapping screen

https://luceeserver.atlassian.net/browse/LDEV-5636

Perhaps you have an admin / .CFConfig.json mapping for /tags set?

2 Likes