RE: [ACFUG Discuss] Issue with cftry and Query of Queries

2014-08-06 Thread Charlie Arehart
Here are a couple of things to consider:

- a catch will fail to work if the code in the catch causes an error itself, in 
which case the error will be passed up to the next higher errorhandler in the 
chain, or dumped to the screen like a traditional CF error. That said, I see 
your code shows your catch doing nothing that should fail to work, but then the 
comments above it suggest you’ve perhaps removed code you feel is sensitive or 
unimportant. Just know that if there’s any code that was in the real catch, you 
may want to test if really removing it might make it work
- but second, note that a cfcatch does not abort a request. You would need to 
do that, otherwise the code proceeds to the next line of code, which again in 
your case we can’t tell what’s next but I assume there was more code to this. 
You may want to see what happens if you add in an abort.

Let us know what you think or find. I realize it’s not “the solution” but it 
may help you get to it.

/charlie



From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of troy
Sent: Wednesday, August 06, 2014 12:18 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] Issue with cftry and Query of Queries

But my real question is why the error escaped the try/catch block at all. 
 should have caught anything regardless of whether the 
error originated in the contained logic block or some other method called by 
it, yes?

Thank you,

Troy Jones

Re: [ACFUG Discuss] Issue with cftry and Query of Queries

2014-08-06 Thread Cameron Childress
On Wed, Aug 6, 2014 at 12:41 PM, troy wrote:

>  As far as the rest of the error dump goes, it’s just stack trace
> information. There is no additional information available that makes
> anything any clearer.
>

Usually I look at the stack trace to see what path the code took during
execution. What line of what file etc. Sometimes there is valuable info in
there that you don't expect to find.

> The error is thrown in the above method. As you can see, there is no
> try/catch in that method so the wrapping try/catch statement should have
> caught anything coming from it.
>

A catch found inside this call could also catch it.

request.dalib.returnOvationsXML()

Since you have a sample of what reproduces the error, I would start by
setting url.id = 'thatbadstring' and then just start replacing code and/or
commenting it out till you narrow the problem down to one line or segment
of code.

Specifically, you may want to zoom in and try wrapping the CFQUERY code in
its own TRY/CATCH just to see if it will catch the error and then work
your way outside of the function from there till you find the problem.

To answer the abstract question about QoQ and catch block, I don't know of
any problem with QoQ errors not being caught by CFCATCH, but I still
haven't seen all the code involved here so it's very hard to know what else
may be causing the problem in your specific case.

One more side note is that you can use the val() function to quickly
convert anything string-like to a number. Your code may be working for you
and you may want to leave it that way but this (IMHO) is a shorter and pretty
well-established way to clean numeric inputs in CF.

cleanID = val(url.id);

http://help.adobe.com/livedocs/coldfusion/8/htmldocs/help.html?content=functions_t-z_12.html

-Cameron

-- 
Cameron Childress
--
p:   678.637.5072
im: cameroncf
facebook | twitter | google+
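Pulling together the three points raised in this thread (a library-level catch that swallows instead of rethrowing, a page-level catch that must not itself fail and must abort, and cleaning url.id before it reaches the Query of Queries), here is an added example in tag CFML. It is not Troy's code or anything from the ACFUG list: lib.cfc, eventById and detail.cfm are hypothetical names, application.com.lib is assumed to be an instance of that component, and request.dalib.returnOvationsXML is taken from Troy's snippet.

```cfml
<!--- lib.cfc (hypothetical name, standing in for application.com.lib) --->
<cfcomponent output="false">

    <!--- QoQ helper that takes the filter VALUE, not a SQL fragment, so the
          caller can never splice text into the WHERE clause. --->
    <cffunction name="eventById" returntype="query" access="public" output="false">
        <cfargument name="source" type="query" required="true">
        <cfargument name="eventID" type="numeric" required="true">
        <cfset var src = arguments.source>
        <cfset var result = "">
        <cftry>
            <cfquery name="result" dbtype="query">
                SELECT *
                FROM   src
                WHERE  eventID = <cfqueryparam value="#arguments.eventID#" cfsqltype="cf_sql_bigint">
            </cfquery>
        <cfcatch type="any">
            <!--- A library-level catch must rethrow; otherwise the page's own
                  cfcatch never sees the error (Cameron's "not rethrowing" guess). --->
            <cflog file="qoq" type="error" text="eventById failed: #cfcatch.message#">
            <cfrethrow>
        </cfcatch>
        </cftry>
        <cfreturn result>
    </cffunction>

</cfcomponent>


<!--- detail.cfm (hypothetical name) --->
<cfparam name="url.id" default="0">

<cftry>
    <!--- Reject anything that is not a non-negative integer before it gets near SQL.
          val(url.id), as suggested above, would coerce instead of reject; either way
          the query is parameterized, so the raw string never becomes SQL text. --->
    <cfif NOT isValid("integer", url.id) OR url.id LT 0>
        <cfset url.id = 0>
    </cfif>

    <cfset variables.qXML = request.dalib.returnOvationsXML(expandPath("/import.xml"))>
    <cfset variables.xmlDetail = application.com.lib.eventById(variables.qXML, url.id)>

<cfcatch type="any">
    <!--- Keep the catch body minimal: if code in here throws, that new error
          escapes to the next handler up (Application.cfc onError or the default
          CF error page), which is Charlie's first point. --->
    <cflog file="app" type="error" text="detail view failed: #cfcatch.type# - #cfcatch.message#">
    <cfoutput>
        <p>We're sorry. Something went wrong while trying to view your selection.
           Please try again later.</p>
    </cfoutput>
    <!--- cfcatch does not stop the request; without cfabort the page keeps running
          with variables.xmlDetail undefined (Charlie's second point). --->
    <cfabort>
</cfcatch>
</cftry>
```

The difference from the snippet in the thread is that the library function takes the event ID as a value and binds it with cfqueryparam inside the Query of Queries, so a string like the one from the URL can only be rejected as a non-integer, never parsed as SQL, and if the QoQ fails for any other reason the error is logged at both levels and still reaches the page's catch.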



RE: [ACFUG Discuss] Issue with cftry and Query of Queries

2014-08-06 Thread troy
Here is the method that is throwing the uncaught error:

https://gist.github.com/anonymous/f6ea0c785e50f930deb1

It’s really just an abstraction of a  and nothing more.

This is the query string that gets passed as the queryCondition argument (or 
something along these lines, there were 200+ instances of this particular SQL 
injection event).

id=4418616039%22%20and(select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20distinct%20concat(0x7e,0x27,%27ololo%27,0x27,0x7e)%20FROM%20information_schema.schemata%20LIMIT%201))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%20--%20%22x%22=%22x

As far as the rest of the error dump goes, it’s just stack trace information. 
There is no additional information available that makes anything any clearer.

The error is thrown in the above method. As you can see, there is no try/catch 
in that method so the wrapping try/catch statement should have caught anything 
coming from it.

Thank you,

Troy Jones
Technical Manager
Third Wave Digital
1841 Hardeman Ave.
Macon, GA 31201
t...@thirdwavedigital.com
www.thirdwavedigital.com

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Cameron Childress
Sent: Wednesday, August 06, 2014 12:24 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Issue with cftry and Query of Queries

On Wed, Aug 6, 2014 at 12:17 PM, troy <t...@thirdwavedigital.com> wrote:
Here is the current code snip:

Okay, still not all the code.

This is the error that was reported:

Not the entire error.

But my real question is why the error escaped the try/catch block at all. 
 should have caught anything regardless of whether the 
error originated in the contained logic block or some other method called by 
it, yes?

As I said, there could be other catch blocks in the other libraries. *That* 
catch would trap the error and prevent *your* catch from catching it.

But answering this question really requires the rest of the code and full error.

If anyone sees something else, perhaps they will speak up.

-Cameron

--
Cameron Childress
--
p:   678.637.5072
im: cameroncf
facebook | twitter | google+



Re: [ACFUG Discuss] Issue with cftry and Query of Queries

2014-08-06 Thread Cameron Childress
On Wed, Aug 6, 2014 at 12:17 PM, troy wrote:

>  Here is the current code snip:
>

Okay, still not all the code.


> This is the error that was reported:
>

Not the entire error.

> But my real question is why the error escaped the try/catch block at all.
>  should have caught anything regardless of whether the
> error originated in the contained logic block or some other method called
> by it, yes?
>

As I said, there could be other catch blocks in the other libraries. *That*
catch would trap the error and prevent *your* catch from catching it.

But answering this question really requires the rest of the code and full
error.

If anyone sees something else, perhaps they will speak up.

-Cameron

-- 
Cameron Childress
--
p:   678.637.5072
im: cameroncf
facebook | twitter | google+



RE: [ACFUG Discuss] Issue with cftry and Query of Queries

2014-08-06 Thread troy
I’ll keep that in mind for future questions. Thanks for the heads up……

Here is the current code snip:

https://gist.github.com/anonymous/221cdeef2f606ec8a17c


This is the error that was reported:

Lexical error at line 5, column 63. Encountered: "\"" (34), after : "" null 
The error occurred on line 252.

As far as the error, I’ve addressed the problem with a test of URL.ID. But my 
real question is why the error escaped the try/catch block at all.  should have caught anything regardless of whether the error 
originated in the contained logic block or some other method called by it, yes?



Thank you,

Troy Jones
Technical Manager
Third Wave Digital
1841 Hardeman Ave.
Macon, GA 31201
t...@thirdwavedigital.com
www.thirdwavedigital.com

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Cameron Childress
Sent: Wednesday, August 06, 2014 12:09 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Issue with cftry and Query of Queries

Troy-

You haven't really given much detail about your problem. What was the error? 
What line of code? What input caused the problem? What about all the other 
libraries you are including - what does that code look like?

My first guess would be that one of the libraries you are including has a catch 
statement that is not rethrowing the exception...

You may want to use a gist for the code instead of trying to paste it inline 
into an email: https://gist.github.com/

-Cameron

On Wed, Aug 6, 2014 at 11:57 AM, troy <t...@thirdwavedigital.com> wrote:
Today, a page on one of my sites was getting SQL injection bombed. The site’s 
error handling caught the errors but the statement that threw the errors was in 
a try/catch block and should not have, in my estimation, allowed an uncaught 
exception to get to that level. Has anyone experienced any anomalies when using 
<cftry> with a Query of Queries inside of it? It could be that I’m 
missing something extremely fundamental but I just don’t see it. This site is 
on CF10 (with all updates) and IIS7.5. Any insight is appreciated.


--
Cameron Childress
--
p:   678.637.5072
im: cameroncf
facebook | twitter | google+



Re: [ACFUG Discuss] Issue with cftry and Query of Queries

2014-08-06 Thread Cameron Childress
Troy-

You haven't really given much detail about your problem. What was the
error? What line of code? What input caused the problem? What about all the
other libraries you are including - what does that code look like?

My first guess would be that one of the libraries you are including has a
catch statement that is not rethrowing the exception...

You may want to use a gist for the code instead of trying to paste it
inline into an email: https://gist.github.com/

-Cameron


On Wed, Aug 6, 2014 at 11:57 AM, troy wrote:

>  Today, a page on one of my sites was getting SQL injection bombed. The
> site’s error handling caught the errors but the statement that threw the
> errors was in a try/catch block and should not have, in my estimation,
> allowed an uncaught exception to get to that level. Has anyone experienced
> any anomalies when using <cftry> with a Query of Queries inside of
> it? It could be that I’m missing something extremely fundamental but I just
> don’t see it. This site is on CF10 (with all updates) and IIS7.5. Any
> insight is appreciated.
>


-- 
Cameron Childress
--
p:   678.637.5072
im: cameroncf
facebook | twitter | google+



[ACFUG Discuss] Issue with cftry and Query of Queries

2014-08-06 Thread troy
Today, a page on one of my sites was getting SQL injection bombed. The site's 
error handling caught the errors but the statement that threw the errors was in 
a try/catch block and should not have, in my estimation, allowed an uncaught 
exception to get to that level. Has anyone experienced any anomalies when using 
<cftry> with a Query of Queries inside of it? It could be that I'm 
missing something extremely fundamental but I just don't see it. This site is 
on CF10 (with all updates) and IIS7.5. Any insight is appreciated.

Sidenote:

I am thinking that the qoq() method in the lib() object could use a rewrite but 
this site's framework is obsolete and that is not a viable option.

The code in question (the CFML tags were stripped by the list archive; the
cftry/cfscript/cfcatch wrappers below are restored from the surrounding text):

<cftry>
    <cfscript>
        param name="url.id" default="0";
        // added this portion as a workaround to solve the sql injection problem,
        // still can't figure out why the exception was not caught
        if(!isNumeric(url.id) || url.id < 0)
            url.id=0;
        // end workaround
        variables.today = dateFormat(now(),"-mm-dd");
        variables.qXML = request.dalib.returnOvationsXML(expandPath("/import.xml"));
        variables.qXML = application.com.lib.qoq(variables.qXML,"eventDateBegin >= '#variables.today#'");
        // sql injection throws error here
        variables.xmlDetail = application.com.lib.qoq(variables.qXML,"eventID = #url.id#");
    </cfscript>

    <!--- output markup not preserved in the archive --->

<cfcatch type="any">
    We're sorry
    Something went wrong while trying to view your selection. Please try again later.
</cfcatch>
</cftry>



Thank you,

Troy Jones
Technical Manager
Third Wave Digital
1841 Hardeman Ave.
Macon, GA 31201
t...@thirdwavedigital.com
www.thirdwavedigital.com