tags:

views:

241

answers:

4

With ColdFusion MX7 if we encounter an exception we send an email to the development team containing dumps of the various data scopes including the form structure.

This works great for debugging except in the case of an error when the user logs in. We end up getting the password printed out.

So, the question is, is there a way to modify the CFDUMP file so that it filters the password value out of the form object?

Naturally we could put it in the same code that sends the email, however it would be ideal to put it in the CFDUMP file so that we do not have to worry about it showing up in other spots.

I have located the CFDUMP file and it seems to be binary, so I'm guessing we can't do it.

+3  A: 

No, I don't think there is a way to modify <cfdump>'s behavior. I can't be sure, obviously. It's thinkable that such a hack exists, though it's not necessarily recommendable.

Why not go with a simple:

<cftry>
  <cfset DoSomethingThatFails()>

  <cfcatch>
    <cfif StructKeyExists(FORM, "Password")>
      <cfset FORM.Password = "***">
    </cfif>
    <cfdump var="#FORM#">
  </cfcatch>
</cftry>
Tomalak
That's my guess too. The reason is basically so that it is replaced in instances that aren't expected. If someone just sticks a dump in for a test or something.
Tom Hubbard
Oh, and your example actually changes the value of password, which probably isn't a problem because it's in an error situation. It's probably better to duplicate the struct first though.
Tom Hubbard
Yeah, it was mainly to make my point clear. If you can't trust the people that maintain the system you are screwed anyway, IMHO.
Tomalak
A: 

Hi Tom,

Is it only the password that is a problem of showing? If so, perhaps the solution is to salt/hash the password? That I think is good practice anyway.

http://blog.mxunit.org/2009/06/look-ma-no-password-secure-hashing-in.html

Rene Luijk
+5  A: 

You can copy the dump.cfm file to dumporiginal.cfm, and then make a new dump.cfm that calls dumporiginal.cfm.

<!---
  So that it won't execute twice if you
  have a closing slash (<cfdump ... />)
--->
<cfif thisTag.executionMode neq "start">
  <cfexit method="exitTag" />
</cfif>


<!--- 
  defaults for optional attributes, taken from the docs 
  http://livedocs.adobe.com/coldfusion/8/htmldocs/Tags_d-e_08.html
--->
<cfparam name="attributes.expand" default="yes" />
<cfparam name="attributes.format" default="html" />
<cfparam name="attributes.hide" default="all" />
<cfparam name="attributes.keys" default="9999" />
<cfparam name="attributes.label" default="" />
<cfparam name="attributes.metainfo" default="yes" />
<cfparam name="attributes.output" default="browser" />
<cfparam name="attributes.show" default="all" />
<cfparam name="attributes.showUDFs" default="yes" />
<cfparam name="attributes.top" default="9999" />

<!--- Hide the password, but store its value to put it back at the end --->
<cfif isStruct(attributes.var) and structKeyExists(attributes.var, 'password')>
  <cfset originalPassword = attributes.var.password />
  <cfset attributes.var.password = "{hidden by customized cfdump}"/>
</cfif>

<!---
   Call the original cfdump.
   Which attributes you pass depends on CF version.
--->
<cfswitch expression="#listFirst(server.coldfusion.productVersion)#">
<cfcase value="6">
  <cfdumporiginal 
      var = "#attributes.var#"
      expand = "#attributes.expand#" 
      hide = "#attributes.hide#"
      label = "#attributes.label#"
      >
</cfcase>
<cfcase value="7">
  <cfdumporiginal 
      var = "#attributes.var#"
      expand = "#attributes.expand#" 
      hide = "#attributes.hide#"
      label = "#attributes.label#"
      top = "#attributes.top#"
      >
</cfcase>
<cfdefaultcase>
  <cfdumporiginal 
      var = "#attributes.var#"
      expand = "#attributes.expand#" 
      format = "#attributes.format#"
      hide = "#attributes.hide#"
      keys = "#attributes.keys#"
      label = "#attributes.label#"
      metainfo = "#attributes.metainfo#"
      output = "#attributes.output#"
      show = "#attributes.show#"
      showUDFs = "#attributes.showUDFs#"
      top = "#attributes.top#"
      >
</cfdefaultcase>
</cfswitch>

<!--- Restore the password, in case it's read after cfdump call --->
<cfif isDefined("originalPassword")>
  <cfset attributes.var.password = originalPassword />
</cfif>
Patrick McElhaney
I only tested in CF8, but in theory it should work in CF6/7/8+.
Patrick McElhaney
BTW, on my machine (CF8 developer edition on OS X) I found dump.cfm at /Applications/ColdFusion8/wwwroot/WEB-INF/cftags
Patrick McElhaney
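Combining Tom Hubbard's point above (duplicate the struct first) with Patrick's wrapper, here is an added example that redacts a copy rather than mutating and restoring the caller's struct, so FORM is never changed even if the original tag throws; it also masks a list of key names and walks nested structs and arrays. It is not code from this thread; it assumes CF7 or later (so the original tag accepts top), that dump.cfm has already been renamed dumporiginal.cfm as Patrick describes, and the attribute name sensitiveKeys is an invented one.

```cfml
<!--- Replacement dump.cfm: redact a copy, never touch the caller's data --->
<cfif thisTag.executionMode neq "start">
  <cfexit method="exitTag" />
</cfif>

<!--- key names to mask (case-insensitive); attribute name is an assumption --->
<cfparam name="attributes.sensitiveKeys" default="password,passwordConfirm,newPassword" />
<cfparam name="attributes.expand" default="yes" />
<cfparam name="attributes.label" default="" />
<cfparam name="attributes.top" default="9999" />

<cffunction name="redactCopy" returntype="any" output="false">
  <cfargument name="data" type="any" required="true" />
  <cfargument name="keys" type="string" required="true" />
  <cfset var copy = "" />
  <cfset var k = "" />
  <cfset var i = 0 />
  <!--- components are left alone; plain structs are deep-copied, then masked --->
  <cfif isStruct(arguments.data) and not isObject(arguments.data)>
    <cfset copy = duplicate(arguments.data) />
    <cfloop collection="#copy#" item="k">
      <cfif listFindNoCase(arguments.keys, k)>
        <cfset copy[k] = "{hidden by customized cfdump}" />
      <cfelse>
        <cfset copy[k] = redactCopy(copy[k], arguments.keys) />
      </cfif>
    </cfloop>
    <cfreturn copy />
  <cfelseif isArray(arguments.data)>
    <cfset copy = duplicate(arguments.data) />
    <cfloop from="1" to="#arrayLen(copy)#" index="i">
      <cfset copy[i] = redactCopy(copy[i], arguments.keys) />
    </cfloop>
    <cfreturn copy />
  </cfif>
  <!--- queries, simple values and objects pass through unchanged --->
  <cfreturn arguments.data />
</cffunction>

<!--- The original tag only ever sees the redacted copy --->
<cfdumporiginal
    var="#redactCopy(attributes.var, attributes.sensitiveKeys)#"
    expand="#attributes.expand#"
    label="#attributes.label#"
    top="#attributes.top#"
    >
```

Because nothing in the caller's scope is modified, no restore step is needed; note that values inside query objects are not inspected, so a password column in a dumped query would still appear.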
+1  A: 

CFDUMP began life as a custom tag (CF_DUMP) way back in the CF5 days. You could always get the code for that custom tag and modify it to your needs and use that instead of the built-in tag.

Al Everett