Tracker issue: CF-4126480

Title:

False positive when using <cfform>


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Damien Bruyndonckx / Damien Bruyndonckx (Damien Bruyndonckx)

Created: 03/09/2016

Components: Security Analyzer

Versions: 2016

Failure Type:

Found In Build/Fixed In Build: Beta2_v31 /

Priority/Frequency: Minor / Some users will encounter

Locale/System: English / Mac All

Vote Count: 0

Listed in the version 2016.0.01.298513 Issues Fixed doc
Verification notes: verified_fixed on September 29, 2019 using build 2016.0.01.298513
Problem Description:
If omitting the "Method" attribute when using <cfform>, the default is "method=post" (unlike the default for regular HTML forms using the <form> tag).

Security code analyser does not take this into account and displays a "getvspost" error.

The security code analyser does not see any "Method" attribute and wrongly assumes the HTML default of GET even though a <cfform> tag is used, so that a POST method is effectively used, which causes the error.

Steps to Reproduce:
1) create a <cfform>
2) omit the "method" attribute of the <cfform> tag (so POST is used)
3) Run the Security Code Analyser on the page containing the <cfform> tag.
4) see the "getvspost" false positive in the results

Actual Result:
A "getvspost" error is mentioned in the Security Analyser result

Expected Result:
No "getVsPost" error mentioned since the method used is effectively POST

Any Workarounds:
Just ignore the error.
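As an added illustration (not code from this report or from Adobe's Security Code Analyzer), a minimal Python check that applies the per-tag default the report describes: an attribute-less <cfform> is treated as POST and an attribute-less <form> as GET, so only forms that really submit via GET are reported. The CFML sample is constructed for the example.

```python
import re

# Constructed CFML sample: three forms whose effective HTTP method differs
# only by tag type and by the presence/value of a method attribute.
SAMPLE_CFML = """
<cfform name="login">             <!--- no method: cfform defaults to POST --->
  <cfinput type="text" name="user">
</cfform>
<form name="search">               <!-- no method: HTML default is GET -->
  <input type="text" name="q">
</form>
<cfform name="filter" method="GET">
  <cfinput type="text" name="term">
</cfform>
"""

# Opening <cfform ...> or <form ...> tags; group 1 is the tag, group 2 its attributes.
FORM_TAG = re.compile(r"<(cfform|form)\b([^>]*)>", re.IGNORECASE)
# method="post" / method='get' / method=get (attribute name must stand alone).
METHOD_ATTR = re.compile(r"""(?<![\w-])method\s*=\s*["']?\s*(\w+)""", re.IGNORECASE)
NAME_ATTR = re.compile(r"""(?<![\w-])name\s*=\s*["']?([\w-]+)""", re.IGNORECASE)


def effective_method(tag: str, attrs: str) -> str:
    """Return the HTTP method the form will actually submit with.

    The defaults differ by tag: <cfform> submits with POST when no method
    attribute is given, while a plain HTML <form> falls back to GET. The false
    positive in the report comes from applying the HTML default to both."""
    m = METHOD_ATTR.search(attrs)
    if m:
        return m.group(1).lower()
    return "post" if tag.lower() == "cfform" else "get"


def get_vs_post_findings(cfml: str) -> list:
    """Names of forms that really submit via GET (the only true findings)."""
    findings = []
    for m in FORM_TAG.finditer(cfml):
        tag, attrs = m.group(1), m.group(2)
        if effective_method(tag, attrs) == "get":
            name = NAME_ATTR.search(attrs)
            findings.append(name.group(1) if name else "<unnamed>")
    return findings


if __name__ == "__main__":
    # The attribute-less <cfform name="login"> is correctly left out.
    print(get_vs_post_findings(SAMPLE_CFML))  # ['search', 'filter']
```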

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4126480


Attachments:

Comments:

Comment by CFwatson U.
4005 | March 09, 2016 02:16:02 AM GMT
Adding BUG AUDIT TRAIL:
- action: updated, fieldName: Fix By Milestone, newValue: Post Release, oldValue: Gold Master, oprid: vmannebo, recordName: RQ_DEFECT, timpestamp: 2016-02-29 13:50:57.0
- action: updated, fieldName: Fix By Product Milestone, newValue: HF2, oldValue: Gold Master, oprid: vmannebo, recordName: RQ_DEFECT, timpestamp: 2016-02-29 13:50:57.0
- action: updated, fieldName: Version, newValue: 12.0, oldValue: 3.1, oprid: prk, recordName: RQ_DEFECT, timpestamp: 2016-01-07 09:55:12.0
- action: updated, fieldName: Owner, newValue: uogra, oldValue: prk, oprid: prk, recordName: RQ_DEFECT, timpestamp: 2016-01-07 09:55:12.0
- action: updated, fieldName: Priority, newValue: 1, oldValue: 0, oprid: prk, recordName: RQ_DEFECT, timpestamp: 2016-01-07 09:55:12.0
- action: updated, fieldName: Dev Assigned, newValue: uogra, oldValue: bukkittu, oprid: prk, recordName: RQ_DEFECT, timpestamp: 2016-01-07 09:55:12.0
- action: updated, fieldName: Product, newValue: ColdFusion, oldValue: ColdFusion Builder, oprid: prk, recordName: RQ_DEFECT, timpestamp: 2016-01-07 09:55:12.0
- action: updated, fieldName: Reason, newValue: BugVerified, oldValue: Blank, oprid: prk, recordName: RQ_DEFECT, timpestamp: 2016-01-07 09:55:12.0
- action: updated, fieldName: Fix By Product Milestone, newValue: Gold Master, oldValue: Blank, oprid: prk, recordName: RQ_DEFECT, timpestamp: 2016-01-07 09:55:12.0
- action: updated, fieldName: Status, newValue: ToFix, oldValue: Unverified, oprid: prk, recordName: RQ_DEFECT, timpestamp: 2016-01-07 09:55:12.0
- action: updated, fieldName: QE Assigned, newValue: preethi, oldValue: prk, oprid: prk, recordName: RQ_DEFECT, timpestamp: 2016-01-07 09:55:12.0
- action: updated, fieldName: Fix By Milestone, newValue: Gold Master, oldValue: Blank, oprid: prk, recordName: RQ_DEFECT, timpestamp: 2016-01-07 09:55:12.0

Comment by CFwatson U.
4006 | March 09, 2016 02:16:03 AM GMT
Added By: PreRelease User, User Name: Damien Bruyndonckx, Note Added: Entered Bug. Date Added: 2016-01-06 09:47:45.0

Comment by S P.
4007 | March 24, 2016 03:31:25 AM GMT
The bug is fixed and will be available in the upcoming update.

Comment by Aaron N.
31450 | September 29, 2019 06:28:34 AM GMT
Hi Adobe, I've verified this is fixed in CF2016 Update 1 (build 2016.0.01.298513). Thanks! -Aaron