My agency recently started using HP's Fortify Scan tool, which is designed to scan CF code directly, rather than the rendered page. The scanner always seems to flag our pages for a certain error when I use the following code (used to create a PDF on the fly):
<cfheader name="Content-Disposition" value="attachment;filename=#pdffile#">
<cfcontent type="application/octet-stream" file="#expandPath('.')#\#pdffile#" deletefile="Yes">
The first line (the cfheader tag) is line 299 in my code.
I'm basically generating a filename elsewhere on the page that's based on what a user is requesting, then using the code above to create a downloadable PDF of that file.
The error is:
Header Manipulation (Input Validation and Representation, Data Flow)
The file myfile.cfm includes unvalidated data in an HTTP response header on line 299. This enables attacks such as cache-poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.
I'm thinking there's one of two potential issues.
You need to scope the pdffile variable. Without a specific scope it could be overwritten by incoming url or form variables. I would try that then run the scan again.
So you mean something like:
Yes... that is what I mean.
Thanks! I'll try that tomorrow.
That cleaned up the scan results. You rock!
No problem. Glad you got it all squared away.
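One way to put the scoping advice from the answer above into practice, with an allow-list check on the file name added so the value that reaches the response header is not only scoped but also known to contain nothing that could break out of the Content-Disposition value. This is an added example and not the original poster's code: the url.doc parameter, the use of the template's own directory as the PDF location, and the assumption that the PDF-generation step (which the post does not show) has already written the file are all assumptions made here. The same validated value is used in the cfcontent file attribute, since that is where the original snippet used it as well.

```cfml
<!--- Added example, not the original poster's code.
      Assumptions: the requested document name arrives as url.doc, the PDF
      was generated earlier on this page into the template's own directory,
      and it should be deleted after download (as in the original snippet). --->
<cfset variables.requestedName = trim(url.doc)>

<!--- Allow-list check: letters, digits, underscore and hyphen, ending in ".pdf".
      Anything else (CR/LF, quotes, semicolons, slashes, "..") is rejected,
      so the value cannot alter the header or point outside the directory. --->
<cfif NOT reFind("^[A-Za-z0-9_-]{1,64}\.pdf$", variables.requestedName)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid file name.</cfoutput>
    <cfabort>
</cfif>

<!--- Explicitly scoped: url.pdffile or form.pdffile can no longer shadow it. --->
<cfset variables.pdfFile = variables.requestedName>
<cfset variables.pdfDir  = getDirectoryFromPath(getCurrentTemplatePath())>
<cfset variables.pdfPath = variables.pdfDir & variables.pdfFile>

<!--- The generation step is assumed to have written variables.pdfPath already. --->
<cfif NOT fileExists(variables.pdfPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Only the scoped, validated value reaches the header and the file attribute.
      The doubled quotes inside the attribute produce a quoted filename value. --->
<cfheader name="Content-Disposition" value="attachment; filename=""#variables.pdfFile#""">
<cfcontent type="application/pdf" file="#variables.pdfPath#" deletefile="Yes">
```

Scoping alone removes the ambiguity the scanner complains about (an unscoped pdffile could be supplied by url or form), but if the name is still derived from request data elsewhere on the page the value is user-influenced, so the pattern check is the part that actually bounds what can end up in the header. Keep the pattern as strict as the real file names allow; widening it to accept spaces or arbitrary punctuation is where header and path problems creep back in.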