Object Cast error in Lucee not in CF


Jay B

Aug 31, 2015, 4:11:41 PM
to Lucee
I'm switching from CF8 to Lucee.

I've been using a CFC to help with input sanitizing (Portcullis from RIAForge). On the new Lucee server I'm seeing a lot (100s per hour) of errors:

"invalid call of the function filterTags (C:\inetpub\wwwroot\CFC\Portcullis.cfc), first Argument (text) is of invalid type, can't cast Object type [Struct] to a value of type [String];invalid call of the function filterTags (C:\inetpub\wwwroot\CFC\Portcullis.cfc), first Argument (text) is of invalid type, can't cast Object type [Struct] to a value of type [String]"

I understand the message, but I don't understand why I'm getting it. (and why in Lucee but not CF)

all it does is pass some onRequestStart data

<cfset application.Portcullis.scan(url,"url",cgi.remote_addr)>
<cfset application.Portcullis.scan(form,"form",cgi.remote_addr)>
<cfset application.Portcullis.scan(cookie,"cookie",cgi.remote_addr)>


and scan

just loops over the object passed

<cffunction name="scan" output="false" access="public" returntype="Void">
    <cfargument name="object" required="true" type="Struct"/>
    <cfargument name="objectname" required="true" type="String"/>
    <cfargument name="ipAddress" required="true" type="String"/>
    <cfargument name="exceptionFields" required="false" type="String"/> <!---Comma delimited list of fields not to scan--->
    <cfset var object2 = StructNew()/>
    <cfset var result = StructNew()/>
    <cfset var item= ""/>
    <cfset var itemname= ""/>
    <cfset var exFF= variables.instance.exceptionFields/>
    <cfset var detected= 0/>
    <cfset var temp= StructNew()/>
    <cfset var newitem = ""/>
    <cfset var contents = ""/>
    <cfset var nameregex = "[^a-zA-Z0-9_]"/>

    <!---Filter Tags--->
    <cfloop collection="#object#" item="item">
        <cfif ListContainsNoCase(exFF,item,',') eq false>
            <cfset temp = filterTags(object[item])/>
            <cfset itemname = REReplaceNoCase(item,nameregex,"","All")>
            <cfif temp.detected eq true><cfset detected = detected + 1/></cfif>
            <cfif objectname eq "cookie" and variables.instance.allowJSAccessCookies eq false>
                <cfheader name="Set-Cookie" value="#itemname#=#temp.cleanText#;HttpOnly">
            <cfelse>
                <cfset "#objectname#.#itemname#" = temp.cleanText/>
            </cfif>
        </cfif>
    </cfloop>




It fails at  <cfset temp = filterTags(object[item]) />

I did redo the CFC because it uses the old style scoping (and rather loose scoping) but that didn't seem to help.

This error has no effect on users and doesn't seem to be an issue at all for site operation but it's creating a lot of log files and I'd like to eliminate it.

I've tried wrapping bits in a cftry/catch block but that doesn't seem to do anything. I've also tried dumping the #object# to a wddx packet and saving to the log file but that hasn't shown me anything out of the ordinary.

I'm a bit stumped.

Any thoughts on what might be happening (or a replacement for portcullis) are much appreciated.

Nando Breiter

Aug 31, 2015, 7:33:00 PM
to lu...@googlegroups.com
filterTags() expects a string and returns a struct (I downloaded the code and looked at the function).

The question I have is this: are the url, form and cookie scopes in Lucee all "flat" in the sense that they only contain strings, and never a nested struct? I don't know. The error and your experience seem to indicate that one of these contains a nested struct and filterTags() doesn't know how to deal with that.



Aria Media Sagl
Via Rompada 40
6987 Caslano
Switzerland

+41 (0)91 600 9601
+41 (0)76 303 4477 cell
skype: ariamedia

--
See Lucee at CFCamp Oct 22 & 23 2015 @ Munich Airport, Germany - Get your ticket NOW - http://www.cfcamp.org/
---
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/510e4100-8b14-4459-9844-0ad9c3aeb7b0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Nando Breiter

Aug 31, 2015, 7:47:20 PM
to lu...@googlegroups.com
http://www.codfusion.com/blog/page.cfm/projects/portcullis 

Typically in your application.cfm or application.cfc page, you can load Portcullis into a shared scope as a singleton.

<cfif isdefined("application.Portcullis") eq false> 
   <cfset application.Portcullis = createObject("component","com.fusionlink.Portcullis").init()/> 
</cfif>

As far as I know, that's not sufficient to create a singleton, but rather invites a race condition in the gap between the isDefined test and the creation of the object. 

Better would be:

<cfif not StructKeyExists( application, 'Portcullis' )>
<cflock name="PortcullisLock" Timeout="10" ThrownOnTimeout="No" Type="Exclusive">
<cfif not StructKeyExists( application, 'Portcullis' )>
<cfset application.Portcullis = createObject("component","com.fusionlink.Portcullis").init() />
</cfif>
</cflock>
</cfif>






Michael Offner

Sep 1, 2015, 8:17:06 AM
to lu...@googlegroups.com
In Lucee, cookie, url and form always point to the scopes with the same name; in ACF you can overlay the scopes when you have function arguments with the same name. We did not follow this implementation because it makes the scope inaccessible.
So if, for example, "url" is a function argument containing a string, you have to write "arguments.url".

Micha
--

Jay B

Sep 1, 2015, 9:07:31 AM
to Lucee
Thanks Nando,

Don't think that's the issue but I'll change it as a best practice. (and thanks for taking the time to research this...above & beyond!)


Jay B

Sep 1, 2015, 9:12:37 AM
to Lucee
Just an FYI for the archive. Nando's code above has a typo 

<cflock name="PortcullisLock" Timeout="10" ThrownOnTimeout="No" Type="Exclusive">

sb

<cflock name="PortcullisLock" Timeout="10" ThrowOnTimeout="No" Type="Exclusive">


Jay B

Sep 1, 2015, 9:48:04 AM
to Lucee
Thanks Micha,

I've updated 


<cffunction name="onRequestStart">
<cfset application.Portcullis.scan(url,"arguments.url",cgi.remote_addr)>
<cfset application.Portcullis.scan(form,"arguments.form",cgi.remote_addr)>
<cfset application.Portcullis.scan(cookie,"arguments.cookie",cgi.remote_addr)>
....

(that's what you meant right?)


And restarted the service. I thought for a minute that had solved my problem but I've just had 10 errors logged in the last 3 minutes.


There isn't any place in the CFC itself that uses any of the scopes mentioned by name



Nando Breiter

Sep 1, 2015, 10:05:22 AM
to lu...@googlegroups.com
On Tue, Sep 1, 2015 at 3:07 PM, Jay B <jbi...@gmail.com> wrote:
Thanks Nando,

Don't think that's the issue but I'll change it as a best practice. (and thanks for taking the time to research this...above & beyond!)


Are you referring to the singleton issue or my speculation that one of url, form or cookie scopes may not be flat (contain only strings) in Lucee? If one of those scopes somehow can contain a nested struct, then that would explain the error you are getting, and perhaps the solution would be to filter those out. I'm simply speculating ... 


Jay B

Sep 1, 2015, 10:23:37 AM
to Lucee
The singleton issue. I'm not really sure about the scope issue. As noted, this worked without issue on ACF for years. Micha's post addresses the difference in usage, but didn't seem to help. :/

And I really don't understand why the exception isn't causing any client side issues? I'm not running any kind of error handling for this.


Nando Breiter

Sep 1, 2015, 10:28:03 AM
to lu...@googlegroups.com
How do you know the exception isn't causing an issue for certain requests? I haven't examined the code deeply enough to understand how it handles errors thrown within it, and I'm of course not familiar with your app.




Jay B

Sep 1, 2015, 10:32:27 AM
to lu...@googlegroups.com
Well I'm not 100% sure but we're doing internal testing with a soft launch of the new site so we're generating most of the traffic. Haven't heard of any issues. The CFC has no error handling in its original form.

My updated version (with modern scoping scheme) does, but I've gone back to using the stock code until I can figure out what the problem is. 




--

Jay Bigam

earthskyart.ca

@jayispainting

Edmonton, AB

 

 

Mark your calendars!

Solo show: Alberta. Of Earth & Sky.

Milner Gallery, Stanley Milner Public Library

January 2-31, 2016

Jay B

Sep 1, 2015, 10:36:39 AM
to Lucee
Not 100% sure but we're doing internal testing with a soft public launch so we're generating most of the traffic. Haven't heard of any issues.

The stock code has no error handling but my modified code (with modern scoping scheme) does. I've gone back to the stock though until I can figure out the problem. FWIW, the error handling didn't seem to make a difference for this error in any case.


Nando Breiter

Sep 1, 2015, 10:39:15 AM
to lu...@googlegroups.com
So what happens if you ensure that only strings are passed into the filterTags() function using a conditional to filter out any structs where it is called? Does that eliminate the error?






Jay B

Sep 2, 2015, 11:27:53 AM
to Lucee
I put in some struct filtering and logging

<cfif not isstruct(object[item])>
    <!--- do filterTags func..... --->
<cfelse>
    <cfwddx action="cfml2wddx" input="#object#" output="wddxPacket">
    <cflog file="PortcullisErrors" text="#wddxPacket#">
</cfif>


which produces

<wddxPacket version='1.0'>
    <header/>
    <data>
        <struct>
            <var name='content'>
                <string>downloads</string>
            </var>
        </struct>
    </data>
</wddxPacket>

 

which would apply to the url index.cfm?content=downloads 

it appears that -every- request is throwing the error (although as I mentioned, it's not affecting client side??)

I'm calling the function

<cfset application.Portcullis.scan(url,"vURL",cgi.remote_addr)>



and the function is set up like so (I've added arguments scope which the stock code doesn't have)

<cffunction name="scan" output="false" access="public" returntype="Void">
    <cfargument name="object" required="true" type="Struct"/>
    <cfargument name="objectname" required="true" type="String"/>
    <cfargument name="ipAddress" required="true" type="String"/>

    <!---Filter Tags--->
    <cfloop collection="#arguments.object#" item="item">
        <cfif not isstruct(arguments.object[item])>
            <cfset temp = filterTags(arguments.object[item])/>
            <cfset itemname = REReplaceNoCase(item,nameregex,"","All")>
            <cfif temp.detected eq true><cfset detected = detected + 1/></cfif>
            <cfif arguments.objectname eq "cookie" and variables.instance.allowJSAccessCookies eq false>
                <cfheader name="Set-Cookie" value="#itemname#=#temp.cleanText#;HttpOnly">
            <cfelse>
                <cfset "#arguments.objectname#.#itemname#" = temp.cleanText/>
            </cfif>
        <cfelse>
            <cfwddx action="cfml2wddx" input="#arguments.object#" output="wddxPacket">
            <cflog file="PortcullisErrors" text="#wddxPacket#">
            <cflog file="PortcullisErrors" text="#item#">
        </cfif>
    </cfloop>


I just don't understand how object[item] can be a struct??? [item] should be a string provided by the collection loop? 

<cfloop collection="#arguments.object#" item="item">
    <cfif not isstruct(arguments.object[item])>
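
A type-aware wrapper for the struct-filtering idea discussed in this thread, as an added example that is not part of any post or of Portcullis itself: it recurses into nested structs and arrays so that complex values are sanitized rather than skipped, and it logs only the key path of anything it cannot scan. The helper name scanValue and the log file name PortcullisTypes are hypothetical; filterTags() is assumed to behave as described in the thread (string in, struct with the keys detected and cleanText out).

```cfml
<!--- Added example: scanValue is a hypothetical helper, assumed to live in
      Portcullis.cfc next to filterTags(). It is not part of Portcullis. --->
<cffunction name="scanValue" output="false" access="private" returntype="struct">
    <cfargument name="value" required="true" type="any"/>
    <cfargument name="path" required="true" type="string"/>
    <cfset var result = structNew()/>
    <cfset var child = ""/>
    <cfset var key = ""/>
    <cfset var i = 0/>
    <cfset result.detected = 0/>
    <cfset result.clean = ""/>
    <cfif isSimpleValue(arguments.value)>
        <!--- Only simple values (string, number, boolean, date) go to filterTags() --->
        <cfset child = filterTags(arguments.value)/>
        <cfset result.clean = child.cleanText/>
        <cfif child.detected eq true><cfset result.detected = 1/></cfif>
    <cfelseif isStruct(arguments.value)>
        <!--- Walk nested structs instead of skipping them, so nothing bypasses the filter --->
        <cfset result.clean = structNew()/>
        <cfloop collection="#arguments.value#" item="key">
            <cfset child = scanValue(arguments.value[key], arguments.path & "." & key)/>
            <cfset result.clean[key] = child.clean/>
            <cfset result.detected = result.detected + child.detected/>
        </cfloop>
    <cfelseif isArray(arguments.value)>
        <cfset result.clean = arrayNew(1)/>
        <cfloop from="1" to="#arrayLen(arguments.value)#" index="i">
            <cfset child = scanValue(arguments.value[i], arguments.path & "[" & i & "]")/>
            <cfset arrayAppend(result.clean, child.clean)/>
            <cfset result.detected = result.detected + child.detected/>
        </cfloop>
    <cfelse>
        <!--- Unscannable type: fail closed (drop the value, count it as detected).
              Log the key path only; a WDDX dump of the whole scope would write
              every form field and cookie value into the log file. --->
        <cflog file="PortcullisTypes" type="warning" text="Unscannable value at #arguments.path#"/>
        <cfset result.detected = 1/>
    </cfif>
    <cfreturn result/>
</cffunction>
```

Inside scan(), a call such as scanValue(arguments.object[item], arguments.objectname & "." & item) would take the place of the direct filterTags() call. The clean key holds a string only when the input was a simple value, so the Set-Cookie branch should be limited to that case.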



