Ran into a bit of an issue with a broken Application.cfc … the error page presented was the error.cfm that spits all the internal stack trace details etc., which is undesirable on a production site.
Based on a bit of research, it seems that in the case where Application.cfc cannot compile, Lucee cannot follow your error-public.cfm directive in your config, and so falls back to an internal one. In my testing though, it seems to fall back to the one that leaks information (error.cfm).
Is there a way to influence this behaviour, or do I have a fundamental misunderstanding on how this is supposed to work?
Phil, like with ACF, when your app-level error handler fails, what Lucee “falls back to” is the error handler defined in the Lucee admin. See Settings>Error.
Change THAT to use the safer/more secure error-public.cfm, rather than the error.cfm you may find it pointing to by default.
This can also be configured in the .CFconfig.json file, which is what the Lucee admin modifies.
FWIW, this is discussed in a couple of places, though I realize you’d not find them if looking for a solution from that perspective of a broken application.cfc.
Hi carehart … thanks for the reply. However I’m actually talking about an edge case only where Application.cfc cannot compile and in this case Lucee does not obey the CFconfig directive and uses error.cfm only it seems.
Are you saying you confirmed in the admin (or that central json file) that it points to error-public.cfm?
If instead you find it pointing to error.cfm, I’m proposing that changing it there (not in your application.cfc) should be the solution you’re requesting.
Thanks for your persistence … I’ve done some more testing and it seems like there was an issue with the configuration syntax which meant it wasn’t set up the way I thought. Sorry for the noise!
Fair enough, and thanks for the update. But readers following along may benefit from some clarity, if it could happen to them.
Do you mean perhaps you had an error in your .CFconfig.json about this setting, if you thought you’d set it to error-public.cfm there?
More specifically, did you perhaps find in the admin that it was NOT set to error-public.cfm?
Most important, can you confirm that if you then have a syntax error in application.cfc, the error-public.cfm does run and hides your error details, as desired?
Feel free to just reply with quick yes/no answers as 1, 2, and 3 if that works well.
It was purely a syntax issue in cfconfig, where as part of conversion from legacy XML config the error handling config didn’t use the right syntax so wasn’t picking up properly. Obviously my testing methodology was flawed in a way I don’t understand, as when I redid all the testing from scratch today the issue became obvious. So yes, when set correctly via admin, it does use error-public and hides the details correctly.
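The failure mode resolved in this thread (an error-template setting that a converted config carried in a form the server did not pick up) can be caught with a small check over .CFconfig.json. This is an added example, not part of the thread and not Lucee's own code; the key name `errorGeneralTemplate`, strict JSON parsing, and the sample configs are assumptions, since the thread does not quote the actual syntax.

```python
import json

# Assumption: top-level key for the general error template in .CFconfig.json.
GENERAL_KEY = "errorGeneralTemplate"
SAFE_NAME = "error-public.cfm"

def _stray_template_keys(node, path=""):
    """Yield paths of error-template-like keys other than the recognized one."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            recognized = path == "" and key == GENERAL_KEY
            if ("error" in here.lower() and "template" in key.lower()
                    and not recognized):
                yield here
            yield from _stray_template_keys(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _stray_template_keys(item, f"{path}[{i}]")

def audit_error_template(config_text):
    """Return a list of findings; an empty list means the setting looks right."""
    try:
        cfg = json.loads(config_text)  # strict JSON assumed
    except json.JSONDecodeError as exc:
        return [f"config is not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(cfg, dict):
        return ["config root is not a JSON object"]
    findings = []
    value = cfg.get(GENERAL_KEY)
    if not isinstance(value, str):
        findings.append(f"{GENERAL_KEY} not set at top level; "
                        "the built-in default template applies")
    elif not value.replace("\\", "/").endswith("/" + SAFE_NAME):
        findings.append(f"{GENERAL_KEY} points to {value}, not {SAFE_NAME}")
    for stray in _stray_template_keys(cfg):
        findings.append(f"{stray} is not the recognized setting "
                        "and is likely ignored")
    return findings

# Constructed sample configs (not taken from the thread).
GOOD = '{"errorGeneralTemplate": "/lucee/templates/error/error-public.cfm"}'
LEAKY = '{"errorGeneralTemplate": "/lucee/templates/error/error.cfm"}'
MISCONVERTED = '{"error": {"template-500": "/lucee/templates/error/error-public.cfm"}}'

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("leaky", LEAKY), ("misconverted", MISCONVERTED)):
        print(name, audit_error_template(text))
```

A clean result here only covers the file contents; the last post's test (break Application.cfc on a non-production instance and confirm error-public.cfm is served) remains the check of effective behaviour.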