nice post, Pete!
and another good reason for Lucee not to follow ACF’s
“keys-containing-dots” methodology.
I don’t believe that Lucee is susceptible to the vulnerability you
mentioned though, because the Session scope (as well as the related
Request and Application scope) is not part of the Standard Scope
Cascade: [Local, Arguments], Variables, CGI, URL, Form, Cookie
Igal Sapir
Lucee Core Developer
Lucee.org http://lucee.org/

On 6/15/2015 5:30 PM, Pete Freitag wrote:
Hi,
Good article, you might consider also mentioning the setting:
this.scopeCascading = "strict";
in your Application.cfc or in the Lucee Admin.
I wrote a blog entry about a potential security issue I call scope
injection which Railo/Lucee can easily prevent using that setting:
Scope Injection in CFML
On Monday, June 15, 2015, Andrew Dixon wrote:
Hi All,
Just to let you all know there is a new blog post from Igal:
http://lucee.org/blog/optimizing-your-code-scope-cascading.html
Also, if anyone has anything interesting they would like to share
on the blog, like this sort of article, then please email me
directly (off list) and we can see about getting it shared via the
Lucee blog. Thanks.
Kind regards,
Andrew
about.me <http://about.me/andrew_dixon> - mso
<http://www.mso.net> - Lucee Association Member <http://lucee.org>
--
You received this message because you are subscribed to the Google
Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/CAG1WijX%3DY7bpSHe%2BeE1NJK2D2BTWo6MFv8q3QCtQzE8YqJmS7w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
--
Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner
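The two points raised in the thread, Pete's `this.scopeCascading = "strict"` setting and Igal's note that the Session scope is outside the cascade order, combined into one added CFML example. This is constructed for illustration and is not code from the thread or from the Lucee project; the application name, the `isAdmin` and `showPanel` variables and the file names are assumptions made for the example.

```cfml
// Added example (not from the thread or the Lucee project). Two constructed
// files: the Application.cfc setting Pete mentions, and a request template
// showing the explicit scoping that the cascade order Igal lists implies.
// "scopeDemo", isAdmin and showPanel are placeholder names.

// --- Application.cfc ---
component {
    this.name = "scopeDemo";
    this.sessionManagement = true;

    // Lucee/Railo-specific setting. With "strict", an unscoped variable name is
    // resolved in Variables (plus Local and Arguments inside a function) and
    // nowhere else. The default "standard" cascade listed in the thread keeps
    // going through CGI, URL, Form and Cookie, which is what lets request data
    // satisfy a lookup the code never intended to take from the request.
    this.scopeCascading = "strict";
}

// --- admin.cfm ---
<cfscript>
// Weak form: `isAdmin` is unscoped. Under "standard" cascading, if Variables
// holds no isAdmin, the lookup continues into CGI, URL, Form and Cookie, so
// the outcome of the check is decided by the request rather than by this code.
// if (isAdmin) { showAdminPanel(); }

// Hardened form: name the scope you mean. Session is never part of the
// cascade, so it must be addressed explicitly, and the Variables flag is
// given a default so an unscoped read has no reason to cascade at all.
param name="variables.showPanel" default=false;

if (structKeyExists(session, "isAdmin") && session.isAdmin == true) {
    variables.showPanel = true;
}

if (variables.showPanel) {
    writeOutput("admin panel");
}
</cfscript>
```

The `param` with an explicit `variables.` prefix and the `session.` reads work on either cascade setting; `this.scopeCascading = "strict"` is the belt-and-braces layer that turns any unscoped lookup elsewhere in the application into an undefined-variable error instead of a silent fall-through to request data.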