Pedantic.
>>-----Original Message-----
>>From: Michiel Boland [mailto:[EMAIL PROTECTED]]
>>Sent: Tuesday, September 04, 2001 9:47 AM
>>To: Spectra-Talk
>>Subject: More spectra bugs
>>
>>
>>Hi.
>>
>>In <cfa_refreshsectionmodel>, on line 30 we see the following
>>
>><cfparam name="pagetypeid" default="070DCB4A-CDA2-11D2-AE210060B0EB4972">
>>
>>There are similar lines for sectiontypeid, etc.
>>
>>The problem with this is that if a user enters a URL variable 'pagetypeid'
>>the value of URL.pagetypeid will be used. So essentially any user can
>>crash any spectra application (in theory) by supplying bogus URL
>>parameters.
>>
>>This is very bad. How did this get through QA?
>>
>>The fix is of course to replace the cfparam with cfset statements.
>>
>>
>>
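
The behaviour described in the quoted report, next to the cfset fix it proposes, as an added example that is not part of either message and is not Spectra's own code. The scoped `Variables.` prefix and the validated-override variant at the end are assumptions added for illustration; only the `pagetypeid` name and its default value come from the report.

```cfml
<!--- Constructed example. Only pagetypeid and its default come from the report. --->

<!--- Before: cfparam assigns the default only when the name is not already
      defined. An unscoped name is looked up across several scopes, URL
      included, so a request carrying ?pagetypeid=... counts as "defined"
      and the default is skipped. --->
<cfparam name="pagetypeid" default="070DCB4A-CDA2-11D2-AE210060B0EB4972">
<!--- This unscoped read now returns URL.pagetypeid if the caller supplied one. --->
<cfoutput>before: #pagetypeid#</cfoutput>

<!--- After (the fix proposed in the report): cfset assigns unconditionally.
      Scoping both the write and the read to Variables means a URL
      parameter of the same name is never consulted. --->
<cfset Variables.pagetypeid = "070DCB4A-CDA2-11D2-AE210060B0EB4972">
<cfoutput>after: #Variables.pagetypeid#</cfoutput>

<!--- Assumed variant: if callers are meant to be able to override the id,
      take it from the URL scope explicitly and accept it only when it has
      the same 8-4-4-16 hex layout as the default; otherwise keep the default. --->
<cfset Variables.defaultPageTypeId = "070DCB4A-CDA2-11D2-AE210060B0EB4972">
<cfparam name="URL.pagetypeid" default="#Variables.defaultPageTypeId#">
<cfif REFindNoCase("^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{16}$", URL.pagetypeid)>
    <cfset Variables.pagetypeid = URL.pagetypeid>
<cfelse>
    <cfset Variables.pagetypeid = Variables.defaultPageTypeId>
</cfif>
```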