My agency recently started using HP's Fortify Scan tool, which is designed to scan CF code directly, rather than the rendered page. The scanner always seems to flag our pages for a certain error when I use the following code (used to create a PDF on the fly):
<cfheader name="Content-Disposition" value="attachment;filename=#pdffile#">
<cfcontent type="application/octet-stream" file="#expandPath('.')#\#pdffile#" deletefile="Yes">
The first line above (the cfheader tag) is line 299 in my code.
I'm basically generating a filename elsewhere on the page that's based on what a user is requesting, then using the code above to create a downloadable PDF of that file.
The error is:
Header Manipulation (Input Validation and Representation, Data Flow)
The file myfile.cfm includes unvalidated data in an HTTP response header on line 299. This enables attacks such as cache-poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.
I'm thinking there's one of two potential issues.
- expandPath() is exploitable
- The scanner is programmed to flag any variable passed to a cfheader tag.
Any thoughts?
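One way to address the finding, as an added example that is not part of the original post: validate the user-derived filename against an allowlist before it reaches either the header or the filesystem. It assumes `pdffile` is the variable computed earlier on the page and that the PDF lives in the template's own directory.

```cfml
<!--- Added example, not the poster's code. "pdffile" is assumed to be the
      user-influenced filename built earlier on the page. --->
<cfset safeName = getFileFromPath(pdffile)>   <!--- drop any directory component --->

<!--- Allowlist: letters, digits, underscore, hyphen, must end in ".pdf".
      Anything else (CR/LF for header injection, quotes and semicolons for
      parameter smuggling, ".." and slashes for traversal) is rejected
      outright instead of being enumerated one by one. --->
<cfif NOT reFind("^[A-Za-z0-9_-]{1,100}\.pdf$", safeName)>
    <cfthrow type="InvalidFilename" message="Rejected download filename">
</cfif>

<!--- Resolve against the intended directory only, then confirm the file exists
      so the response cannot be used to probe for other paths. --->
<cfset baseDir = expandPath(".")>
<cfset fullPath = baseDir & "/" & safeName>
<cfif NOT fileExists(fullPath)>
    <cfthrow type="MissingFile" message="Requested PDF not found">
</cfif>

<!--- Quote the filename parameter; by this point it contains only allowlisted characters. --->
<cfheader name="Content-Disposition" value='attachment; filename="#safeName#"'>
<cfcontent type="application/pdf" file="#fullPath#" deletefile="yes">
```

Because Fortify reports this category by tracing data flow from a source to the header sink, it may keep flagging the line even after validation unless the check is recognized as a cleansing step, so expect to either review the finding with the validation in view or add a custom rule for it.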