tracker issue : CF-3222889

select a category, or use search below
(searches all categories and all time range)

GetPageContext().getRequest().getParameter('param_name') is undefined

| View in Tracker

Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Charles Leverette / Charles Leverette (clever71)

Created: 06/25/2012

Components: Core Runtime

Versions: 10.0

Failure Type: Usability Issue

Found In Build/Fixed In Build: Final / CF10_Update14

Priority/Frequency: Major / All users will encounter

Locale/System: English / Win Vista

Vote Count: 8

Problem Description:  GetPageContext().getRequest().getParameter('param_name') is undefined

Steps to Reproduce:

1. Create CFM page with following code:
<cfif structkeyexists(form, "submit")>
    <cfdump var="#GetPageContext().getRequest().getParameter('username')#" />

<form name="test" method="post">
    <input type="text" name="username" value="" >
    <input type="submit" name="submit" value="submit" >

2. Run above CFM page.

Actual Result:  There is none, displaying "undefined".

Expected Result: "" should be displayed

Any Workarounds: There are none.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3222889

External Customer Info:
External Company:  
External Customer Name: clever71
External Customer Email:  
External Test Config: My Hardware and Environment details:   ColdFusion 10 Standalone, Windows Vista



Created forum post...
Comment by External U.
18860 | June 25, 2012 10:42:43 AM GMT
A workaround, I guess would be to use the FORM scope or getPageContext().getFusionContext().getFormScope()
Comment by External U.
18861 | June 26, 2012 09:11:17 AM GMT
This should be fixed to ensure backwards compatibility. If it worked it 9, it should in 10.
Vote by External U.
18871 | June 27, 2012 03:21:50 PM GMT
It should work in 10 if it worked in 9
Vote by External U.
18872 | June 30, 2012 06:34:10 PM GMT
Indeed it works on CF8 and CF9, but fails in CF10. Any plan on fixing this ASAP ? I can no longer use it for such a situation :
Vote by External U.
18873 | December 02, 2012 02:59:18 PM GMT
Is there any reason why you cannot use the Form.username directly and would like to use this method? GetPageContext().getRequest().getParameter('username') has never been documented and it is not supported.
Comment by Rupesh K.
18862 | September 04, 2013 07:27:49 AM GMT
Rupesh, both getParameter() and getParameterMap() are part of the PageContext spec (well: the ServletRequest spec, which is what PageContext().getRequest() returns. So it's a bug that you don't implement them, surely? -- Adam
Comment by External U.
18863 | September 04, 2013 10:29:22 AM GMT
we don't have the implementation for servletRequest.That comes from the underlying application server. You can see it for yourself by checking the cfdump of GetPageContext().getRequest()
Comment by Rupesh K.
18864 | September 10, 2013 02:27:09 PM GMT
This is the method ESAPI4CF uses for authentication. This bug means ESAPI4CF cannot support CF10. Using form.username/password is not an option. Referencing it directly would break encapsulation and username/password cannot be passed as arguments due to logging and that ESAPI4CF uses the same method to persist a user as it does to login a user. Fixing this is a must in order for ESAPI4CF to support CF10.
Vote by External U.
18874 | September 20, 2013 07:20:14 PM GMT
Can I ask why this is marked as NeverFix, ThirdParty? Last I checked the GetPageContext function is supported and documented in the CF docs. What this function returns should also be considered supported. This worked in CF8, CF9, and works in Railo.
Comment by External U.
18865 | September 20, 2013 07:43:26 PM GMT
I agree that this should be repaired in CF 10. This supports an open security standard, and we need all the security we can get.
Vote by External U.
18875 | September 20, 2013 11:03:23 PM GMT
What's that supposed to mean, Rupesh? The very code you pointed us to DEMONSTRATES that these methods are a) there; b) supposed to work! Here is the link to the docs in the implementation of PageContext you are using: Now... what's more likely to be the case here? Apache have screwed up the implementation of the underlying class (and this has gone unreported)? Or you have screwed up your integration of it? -- Adam
Comment by External U.
18866 | September 24, 2013 06:40:27 AM GMT
Of course the method is there since it is part of the interface. It is just that the call for getParameter('param') is returning null and we will have to debug Tomcat source to understand that. This object is coming from Tomcat and we don't have any control on it and hence we can't do much about it. However, I am curious to know the scenarios when you would like to use it. We anyway provide you the Form scope through which you would get all the request parameters. What would be the scenario when you would not want to use the Form scope and use the getParameter method of the request object? We exposed the API to get the underlying application server's pageContext object and we are giving that. But if some method on that object is not working correctly, it would certainly be not a bug with ColdFusion, would it?
Comment by Rupesh K.
18867 | September 24, 2013 10:04:38 AM GMT
This regression needs to be fixed, or at least provided with a more reasoned, meaningful response as to why this will not be fixed. Completely takes real implementation of ESAPI with CF10 off the table.
Vote by External U.
18876 | September 24, 2013 10:14:42 AM GMT
"This object is coming from Tomcat and we don't have any control on it and hence we can't do much about it." From Micha's dealing with the same issue on Railo, I think perhaps you are mistaken. It might be an idea if you touch base with them to get some help with this if you don't understand how it works. Micha's feedback is here: He identified and fixed the issue in about 2h. Probably less. -- Adam
Comment by External U.
18868 | September 25, 2013 03:06:27 AM GMT
Worked in CF8, CF9 and works in Railo. Fix it.
Vote by External U.
18877 | October 01, 2013 12:15:42 PM GMT
cf_ron 8:44:42 AM GMT+00:00 Sep 24, 2013 "...Completely takes real implementation of ESAPI with CF10 off the table." Rupseh, to this point - please see the below example. The first is what has been described in this thread so far. The second is leveraging ESAPI4J, which is included with CF, to attempt to retrieve parameters via a secure mechanism. This security is not found when accessing the parameters via the form scope. writeoutput('<p>direct'); writedump(getPageContext().getRequest().getParameter("username")); writedump(getPageContext().getRequest().getParameter("password")); writeoutput('<p>esapi4j'); esapi4j = createObject("java", "org.owasp.esapi.ESAPI"); esapi4j.httpUtilities().setCurrentHTTP(getPageContext().getRequest(), getPageContext().getResponse()); writedump(esapi4j.currentRequest().getParameter("username")); writedump(esapi4j.currentRequest().getParameter("password")); Running this code in Railo 4.1, CF8, and CF9 returns the correct data. Running under CF10, the ESAPI4J example returns undefined for both parameters. ESAPI4CF attempts to mirror ESAPI4J wherever possible in order to provide an easy to use implementation of the ESAPI security tools. This issue affects the ESAPI4CF project as well. The ESAPI4CF issue is being tracked here:
Comment by External U.
18869 | November 16, 2013 02:04:11 PM GMT
I should note that my examples are from a form POST with 2 fields names username and password.
Comment by External U.
18870 | November 16, 2013 02:08:27 PM GMT
Please treat this as a bug. 1) this maintains backward compatibility with existing applications. 2) it will maintain CFML / JSP compatibility
Vote by External U.
18878 | February 27, 2014 01:09:00 PM GMT