Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is the CFDUMP tag modifiable?

Tags:

coldfusion

With ColdFusion MX7 if we encounter an exception we send an email to the development team containing dumps of the various data scopes including the form structure.

This works great for debugging except in the case of an error when the user logs in. We end up getting the password printed out.

So, the question is, is there a way to modify the CFDUMP file so that it filters the password value out of the form object?

Naturally we could put it in the same code that sends the email, however it would be ideal to put it in the CFDUMP file so that we do not have to worry about it showing up in other spots.

I have located the CFDUMP file and it seems to be binary, so I'm guessing we can't do it.

like image 279
Tom Hubbard Avatar asked Jul 30 '09 11:07

Tom Hubbard


3 Answers

You can copy the dump.cfm file to dumporiginal.cfm, and then make a new dump.cfm that calls dumporiginal.cfm.

<!--- 
  So that it won't execute twice if you 
  have a closing slash (<cfdump ... />) 
---> 
<cfif thisTag.executionMode neq "start">
  <cfexit method="exitTag" />
</cfif>


<!--- 
  defaults for optional attributes, taken from the docs 
  http://livedocs.adobe.com/coldfusion/8/htmldocs/Tags_d-e_08.html
--->
<cfparam name="attributes.expand" default="yes" />
<cfparam name="attributes.format" default="html" />     
<cfparam name="attributes.hide" default="all" />     
<cfparam name="attributes.keys" default="9999" />     
<cfparam name="attributes.label" default="" />      
<cfparam name="attributes.metainfo" default="yes" />     
<cfparam name="attributes.output" default="browser" />     
<cfparam name="attributes.show" default="all" />     
<cfparam name="attributes.showUDFs" default="yes" />     
<cfparam name="attributes.top" default="9999" />     

<!--- Hide the password, but store its value to put it back at the end --->
<cfif isStruct(attributes.var) and structKeyExists(attributes.var, 'password')>
  <cfset originalPassword = attributes.var.password />
  <cfset attributes.var.password = "{hidden by customized cfdump}"/>
</cfif>   

<!--- 
   Call the original cfdump. 
   Which attributes you pass depends on CF version. 
--->              
<cfswitch expression="#listFirst(server.coldfusion.productVersion)#">
<cfcase value="6">
  <cfdumporiginal 
      var = "#attributes.var#"
      expand = "#attributes.expand#" 
      hide = "#attributes.hide#"
      label = "#attributes.label#"
      >
</cfcase>
<cfcase value="7">
  <cfdumporiginal 
      var = "#attributes.var#"
      expand = "#attributes.expand#" 
      hide = "#attributes.hide#"
      label = "#attributes.label#"
      top = "#attributes.top#"
      >
</cfcase>  
<cfdefaultcase>     
  <cfdumporiginal 
      var = "#attributes.var#"
      expand = "#attributes.expand#" 
      format = "#attributes.format#"
      hide = "#attributes.hide#"
      keys = "#attributes.keys#"
      label = "#attributes.label#"
      metainfo = "#attributes.metainfo#"
      output = "#attributes.output#"
      show = "#attributes.show#"
      showUDFs = "#attributes.showUDFs#"
      top = "#attributes.top#"
      >
</cfdefaultcase>
</cfswitch>

<!--- Restore the password, in case it's read after cfdump call ---> 
<cfif isDefined("originalPassword")>
  <cfset attributes.var.password = originalPassword />
</cfif>
like image 90
Patrick McElhaney Avatar answered Nov 10 '22 02:11

Patrick McElhaney


No, I don't think there is a way to modify <cfdump>'s behavior. I can't be sure, obviously. It's thinkable that such a hack exists, though it's not necessarily recommendable.

Why not go with a simple:

<cftry>
  <cfset DoSomethingThatFails()>

  <cfcatch>
    <cfif StructKeyExists(FORM, "Password")>
      <cfset FORM.Password = "***">
    </cfif>
    <cfdump var="#FORM#">
  </cfcatch>
</cftry>
like image 25
Tomalak Avatar answered Nov 10 '22 02:11

Tomalak


CFDUMP began life as a custom tag (CF_DUMP) way back in the CF5 days. You could always get the code for that custom tag and modify it to your needs and use that instead of the built-in tag.

like image 32
ale Avatar answered Nov 10 '22 01:11

ale