add support to limit the isDefined function

core/src/main/cfml/context/admin/server.security.cfm

@@ -14,7 +14,7 @@
 	returnVariable="hasAccess"
 	secType="setting"
 	secValue="yes">
-
+	
 
 <!--- 
 Defaults --->
@@ -32,7 +32,7 @@ Defaults --->
 					action="updateSecurity"
 					type="#request.adminType#"
 					password="#session["password"&request.adminType]#"
-
+					limitIsDefined="#form.limitIsDefined?:false#"
 					varUsage="#form.varUsage#"
 					remoteClients="#request.getRemoteClients()#">
 
@@ -44,7 +44,7 @@ Defaults --->
 					action="updateSecurity"
 					type="#request.adminType#"
 					password="#session["password"&request.adminType]#"
-
+					limitIsDefined=""
 					varUsage=""
 					remoteClients="#request.getRemoteClients()#">
 
@@ -68,29 +68,25 @@ Redirtect to entry --->
 Error Output --->
 <cfset printError(error)>
 <cfscript>
-
-
 	stText.security.desc="All settings that concern security in Lucee.";
 	stText.security.varUsage="Variable Usage in Queries";
 	stText.security.varUsageDesc="With this setting, you can control how Lucee handles variables used within queries.";
 
 	stText.security.varUsageIgnore="Allow variables within a query";
 	stText.security.varUsageWarn="Add a warning to debug output";
 	stText.security.varUsageError="Throw an exception";
-
 </cfscript>
 <cfoutput>
 	<cfif not hasAccess>
 		<cfset noAccess(stText.setting.noAccess)>
 	</cfif>
 
 	<div class="pageintro">#stText.security.desc#</div>
-
 	<cfformClassic onerror="customError" action="#request.self#?action=#url.action#" method="post">
 		<table class="maintbl">
 			<tbody>
 
-				<!--- Web --->
+				<!--- Variable Usage in Queries --->
 				<tr>
 					<th scope="row">#stText.security.varUsage#</th>
 					<td>
@@ -106,7 +102,30 @@ Error Output --->
 						</cfif>
 						<div class="comment">#stText.security.varUsageDesc#</div>
 						<cfsavecontent variable="codeSample">
-							this.query.variableUsage="#security.varusage#";
+							this.security.variableUsage="#security.varusage#";
+						</cfsavecontent>
+						<cfset renderCodingTip( codeSample)>
+					</td>
+				</tr>
+				<cfscript>
+
+					stText.security.limitIsDefined="Limit function IsDefined";
+					stText.security.limitIsDefinedDesc="If enable you can use expression within of [] in variable name checked by the function Isdefined like this: susi[getVariableName()]";
+				
+				</cfscript>
+				<!--- limit function isDefined --->
+				<tr>
+					<th scope="row">#stText.security.limitIsDefined#</th>
+					<td>
+						<cfif hasAccess>
+							<input type="checkbox" class="checkbox" <cfif (security.limitIsDefined?:true)> checked="checked"</cfif> name="limitIsDefined" value="true" />
+						<cfelse>
+							<input type="hidden" name="limitIsDefined" value="#security.limitIsDefined?:true#">
+							<b>#yesNoFormat(security.limitIsDefined)#</b>
+						</cfif>
+						<div class="comment">#stText.security.limitIsDefinedDesc#</div>
+						<cfsavecontent variable="codeSample">
+							this.security.limitIsDefined=#security.limitIsDefined?:true#;
 						</cfsavecontent>
 						<cfset renderCodingTip( codeSample)>
 					</td>

core/src/main/java/lucee/runtime/PageContextImpl.java

@@ -3902,4 +3902,9 @@ private static synchronized int getIdCounter() {
 		if (_idCounter < 0) _idCounter = 1;
 		return _idCounter;
 	}
+
+	public boolean limitIsDefined() {
+		if (applicationContext != null) return applicationContext.getLimitIsDefined();
+		return ((ConfigPro) config).limitIsDefined();
+	}
 }

core/src/main/java/lucee/runtime/config/ConfigAdmin.java

@@ -3046,13 +3046,16 @@ public void updateCTPathCache(Boolean ctPathCache) throws SecurityException {
 		root.setEL("customTagUseCachePath", Caster.toString(ctPathCache, ""));
 	}
 
-	public void updateSecurity(String varUsage) throws SecurityException {
+	public void updateSecurity(String varUsage, Boolean limitIsDefined) throws SecurityException {
 		checkWriteAccess();
 		Struct el = _getRootElement("security");
 
 		if (el != null) {
 			if (!StringUtil.isEmpty(varUsage)) el.setEL("variableUsage", Caster.toString(varUsage));
 			else rem(el, "variableUsage");
+
+			if (limitIsDefined != null) el.setEL("limitIsDefined", limitIsDefined);
+			else rem(el, "limitIsDefined");
 		}
 
 	}

core/src/main/java/lucee/runtime/config/ConfigImpl.java

@@ -210,6 +210,8 @@ public abstract class ConfigImpl extends ConfigBase implements ConfigPro {
 
 	private short type = SCOPE_STANDARD;
 	private boolean _allowImplicidQueryCall = true;
+	private boolean _limitIsDefined = false;
+
 	private boolean _mergeFormAndURL = false;
 
 	private Map<String, LoggerAndSourceData> loggers = new HashMap<String, LoggerAndSourceData>();
@@ -555,6 +557,11 @@ public boolean allowImplicidQueryCall() {
 		return _allowImplicidQueryCall;
 	}
 
+	@Override
+	public boolean limitIsDefined() {
+		return _limitIsDefined;
+	}
+
 	@Override
 	public boolean mergeFormAndURL() {
 		return _mergeFormAndURL;
@@ -1228,6 +1235,10 @@ protected void setAllowImplicidQueryCall(boolean _allowImplicidQueryCall) {
 		this._allowImplicidQueryCall = _allowImplicidQueryCall;
 	}
 
+	protected void setLimitIsDefined(boolean _limitIsDefined) {
+		this._limitIsDefined = _limitIsDefined;
+	}
+
 	/**
 	 * sets if url and form scope will be merged
 	 * 

core/src/main/java/lucee/runtime/config/ConfigPro.java

@@ -357,4 +357,6 @@ public interface ConfigPro extends Config {
 	public boolean getPreciseMath();
 
 	public void setLastModified();
+
+	public boolean limitIsDefined();
 }

core/src/main/java/lucee/runtime/config/ConfigWebFactory.java

@@ -4047,6 +4047,25 @@ private static void _loadScope(ConfigServerImpl configServer, ConfigImpl config,
 				else if (hasCS) config.setAllowImplicidQueryCall(configServer.allowImplicidQueryCall());
 			}
 
+			// limit isdefined
+			if (mode == ConfigPro.MODE_STRICT) {
+				config.setLimitIsDefined(true);
+			}
+			else {
+				Boolean limitIsDefined = Caster.toBoolean(SystemUtil.getSystemPropOrEnvVar("lucee.isdefined.limit", null), null);
+				if (limitIsDefined == null) limitIsDefined = Caster.toBoolean(SystemUtil.getSystemPropOrEnvVar("lucee.security.isdefined", null), null);
+				if (limitIsDefined == null) {
+					Struct security = ConfigWebUtil.getAsStruct("security", root);
+					if (security != null) {
+						limitIsDefined = Caster.toBoolean(getAttr(security, "limitIsDefined"), null);
+					}
+				}
+				if (hasAccess && limitIsDefined != null) {
+					config.setLimitIsDefined(limitIsDefined.booleanValue());
+				}
+				else if (hasCS) config.setLimitIsDefined(configServer.limitIsDefined());
+			}
+
 			// Merge url and Form
 			String strMergeFormAndURL = getAttr(root, "mergeUrlForm");
 			if (hasAccess && !StringUtil.isEmpty(strMergeFormAndURL)) {

core/src/main/java/lucee/runtime/config/ConfigWebImpl.java

@@ -613,6 +613,11 @@ public boolean allowImplicidQueryCall() {
 		return instance.allowImplicidQueryCall();
 	}
 
+	@Override
+	public boolean limitIsDefined() {
+		return instance.limitIsDefined();
+	}
+
 	@Override
 	public lucee.runtime.customtag.InitFile getCTInitFile(lucee.runtime.PageContext arg0, java.lang.String arg1) {
 		return instance.getCTInitFile(arg0, arg1);

core/src/main/java/lucee/runtime/config/SingleContextConfigWeb.java

@@ -186,6 +186,11 @@ public boolean allowImplicidQueryCall() {
 		return cs.allowImplicidQueryCall();
 	}
 
+	@Override
+	public boolean limitIsDefined() {
+		return cs.limitIsDefined();
+	}
+
 	@Override
 	public boolean mergeFormAndURL() {
 		return cs.mergeFormAndURL();

core/src/main/java/lucee/runtime/functions/decision/IsDefined.java

@@ -25,6 +25,7 @@
 import lucee.runtime.PageContext;
 import lucee.runtime.config.NullSupportHelper;
 import lucee.runtime.ext.function.Function;
+import lucee.runtime.interpreter.SecurityInterpreterException;
 import lucee.runtime.interpreter.VariableInterpreter;
 import lucee.runtime.type.Collection;
 import lucee.runtime.type.KeyImpl;
@@ -36,7 +37,7 @@ public final class IsDefined implements Function {
 
 	private static final long serialVersionUID = -6477602189364145523L;
 
-	public static boolean call(PageContext pc, String varName) {
+	public static boolean call(PageContext pc, String varName) throws SecurityInterpreterException {
 		return VariableInterpreter.isDefined(pc, varName);
 		// return pc.isDefined(varName);
 	}

core/src/main/java/lucee/runtime/functions/other/ParameterExists.java

@@ -24,9 +24,10 @@
 import lucee.runtime.PageContext;
 import lucee.runtime.ext.function.Function;
 import lucee.runtime.functions.decision.IsDefined;
+import lucee.runtime.interpreter.SecurityInterpreterException;
 
 public final class ParameterExists implements Function {
-	public static boolean call(PageContext pc, String string) {
+	public static boolean call(PageContext pc, String string) throws SecurityInterpreterException {
 		return IsDefined.call(pc, string);
 	}
 }

core/src/main/java/lucee/runtime/functions/system/Empty.java

@@ -22,14 +22,15 @@
 import lucee.runtime.exp.FunctionException;
 import lucee.runtime.ext.function.Function;
 import lucee.runtime.functions.string.Len;
+import lucee.runtime.interpreter.SecurityInterpreterException;
 import lucee.runtime.interpreter.VariableInterpreter;
 import lucee.runtime.op.Caster;
 
 public class Empty implements Function {
 
 	private static final long serialVersionUID = 3780957672985941192L;
 
-	public static boolean call(PageContext pc, String variableName) throws FunctionException {
+	public static boolean call(PageContext pc, String variableName) throws FunctionException, SecurityInterpreterException {
 		Object res = VariableInterpreter.getVariableEL(pc, variableName, null);
 
 		if (res == null) return true;

core/src/main/java/lucee/runtime/interpreter/InterpreterException.java

@@ -23,14 +23,16 @@
 /**
  * 
  */
-public final class InterpreterException extends ExpressionException {
+public class InterpreterException extends ExpressionException {
 
 	/*
 	 * * constructor of the Exception
 	 * 
 	 * @param e / public InterpreterException(Throwable e) { super(e); }
 	 */
 
+	private static final long serialVersionUID = -6605986458201087440L;
+
 	/**
 	 * constructor of the Exception
 	 * 

core/src/main/java/lucee/runtime/interpreter/SecurityInterpreterException.java

@@ -0,0 +1,14 @@
+package lucee.runtime.interpreter;
+
+public class SecurityInterpreterException extends InterpreterException {
+	private static final long serialVersionUID = -31253141390505300L;
+
+	public SecurityInterpreterException(String message) {
+		super(message);
+	}
+
+	public SecurityInterpreterException(String message, String detail) {
+		super(message, detail);
+	}
+
+}