tracker issue : CF-4126922

Title:

Should not mark some tag-specific variables as XSS (RecordCount/CurrentRow)


Status/Resolution/Reason: Closed/Withdrawn/Duplicate

Reporter/Name(from Bugbase): David Epler / David Epler (David Epler)

Created: 03/09/2016

Components: Security Analyzer

Versions: 2016

Failure Type:

Found In Build/Fixed In Build: CF2016_Final /

Priority/Frequency: Major / All users will encounter

Locale/System: ALL / Win 2008 Server R2 64 bit

Vote Count: 0

Duplicate ID:	CF-4087973

Problem Description:
Given the code:

<cfquery name="listing" datasource="cfartgallery">
    SELECT      ARTISTID, FIRSTNAME, LASTNAME, EMAIL, THEPASSWORD, ADDRESS, CITY, STATE, POSTALCODE, PHONE, FAX 
    FROM        ARTISTS
    WHERE       1=1
</cfquery>
<cfoutput>
<h1>#listing.recordCount#</h1>
<ul>
<cfloop query="listing">
	<li>#listing.currentRow# - #encodeForHTML(listing.lastName & ", " & listing.firstName)#</li>
</cfloop>
</ul>
</cfoutput>

Actual Result:

listing.recordCount and listing.currentRow are marked as XSS, Error, High

Expected Result:

They should not be marked or at least be reduced in type and severity. Both are tag-specific variables, are system generated, and are integers.

Other tag-specific variables should also follow this:

cfquery/cfldap/cfpop/cfsearch
queryname.CurrentRow 
queryname.RecordCount 


CFQUERY.ExecutionTime
CFSTOREDPROC.ExecutionTime 
CFSTOREDPROC.StatusCode

Any Workarounds:

None

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4126922

External Customer Info:
External Company:  
External Customer Name: David Epler
External Customer Email:  
External Test Config: My Hardware and Environment details:

Attachments:
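
The suppression rule the report asks for, sketched as an added example (not part of the original report and not Adobe's Security Analyzer code). The function name, verdict strings and sample template are assumptions. It marks `RecordCount`/`CurrentRow` as system-generated integers only when the owning name was declared by one of the tags the report lists, so a request-scope value with the same member name keeps whatever verdict the analyzer gave it.

```python
import re

# Tags from the report whose name= attribute creates CurrentRow / RecordCount.
RESULT_TAGS = "cfquery|cfldap|cfpop|cfsearch"
# Fixed system variables named in the report (compared lowercased).
FIXED_SYSTEM_VARS = {"cfquery.executiontime", "cfstoredproc.executiontime",
                     "cfstoredproc.statuscode"}
TAG_NAME_RE = re.compile(
    r"<(?:%s)\b[^>]*?\bname\s*=\s*[\"']([^\"']+)[\"']" % RESULT_TAGS, re.I)
HASH_EXPR_RE = re.compile(r"#([^#\r\n]+)#")
MEMBER_RE = re.compile(r"^([A-Za-z_]\w*)\.(recordcount|currentrow)$", re.I)


def classify_outputs(cfml):
    """Return [(expression, verdict)] for every #...# expression in cfml.

    "system-integer" means the finding can be suppressed or downgraded;
    "unchanged" means this rule has no opinion and the analyzer's verdict stands.
    """
    declared = {name.lower() for name in TAG_NAME_RE.findall(cfml)}
    results = []
    for expr in HASH_EXPR_RE.findall(cfml):
        expr = expr.strip()
        member = MEMBER_RE.match(expr)
        if expr.lower() in FIXED_SYSTEM_VARS:
            verdict = "system-integer"
        elif member and member.group(1).lower() in declared:
            # Trust the member only when its owner is a declared result set;
            # url.recordCount or form.currentRow remain request-controlled.
            verdict = "system-integer"
        else:
            verdict = "unchanged"
        results.append((expr, verdict))
    return results


# Constructed sample: the report's template plus a line that must stay flagged.
SAMPLE = """<cfquery name="listing" datasource="cfartgallery">
    SELECT ARTISTID, FIRSTNAME, LASTNAME FROM ARTISTS WHERE 1=1
</cfquery>
<cfoutput>
<h1>#listing.recordCount#</h1>
<cfloop query="listing">
    <li>#listing.currentRow# - #encodeForHTML(listing.lastName & ", " & listing.firstName)#</li>
</cfloop>
<p>#url.recordCount# #listing.lastName# #CFQUERY.ExecutionTime#</p>
</cfoutput>"""
```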

Comments:

Hi David, There is an internal bug with a similar scenario that was logged, hence will be closing this bug and be extending the scenario to the ones raised here as well. Now, that bug has been made external. Thanks, Preethi
Comment by S P.
3313 | March 14, 2016 03:22:55 AM GMT
Preethi, I searched all bug bases that I have access to before logging it. So while it might be logged internally, it needs to be viewable to external now that it has been identified externally. Be it making the internal one viewable here or by linking the two together.
Comment by External U.
3314 | March 15, 2016 02:06:32 PM GMT
Hi David, I had made the other bug external before closing this bug so that it could be viewed publicly. Also have added the scenarios highlighted in this bug to the other bug and the bug id has been specified in the 'Duplicate id' field. Thanks, Preethi
Comment by S P.
3315 | March 16, 2016 06:30:35 AM GMT