From 7a7798e46854ec399ff37bbb490d0520ce15cea2 Mon Sep 17 00:00:00 2001
From: michaeloffner <michaeloffner@users.noreply.github.com>
Date: Fri, 13 Sep 2024 18:59:46 +0200
Subject: [PATCH 1/4] LDEV-4940 - escape all messages shown in response body

---
 .../java/lucee/runtime/ComponentPageImpl.java | 21 +++++++------------
 .../java/lucee/runtime/PageContextImpl.java   |  4 ++--
 .../runtime/rest/RestRequestListener.java     |  5 ++---
 .../java/lucee/runtime/rest/RestUtil.java     |  8 ++++---
 loader/build.xml                              |  2 +-
 loader/pom.xml                                |  2 +-
 6 files changed, 19 insertions(+), 23 deletions(-)

diff --git a/core/src/main/java/lucee/runtime/ComponentPageImpl.java b/core/src/main/java/lucee/runtime/ComponentPageImpl.java
index fdcf16beea..3719302297 100755
--- a/core/src/main/java/lucee/runtime/ComponentPageImpl.java
+++ b/core/src/main/java/lucee/runtime/ComponentPageImpl.java
@@ -37,7 +37,6 @@
 import lucee.commons.io.res.util.ResourceUtil;
 import lucee.commons.lang.CFTypes;
 import lucee.commons.lang.ExceptionUtil;
-import lucee.commons.lang.HTMLEntities;
 import lucee.commons.lang.StringUtil;
 import lucee.commons.lang.mimetype.MimeType;
 import lucee.commons.net.HTTPUtil;
@@ -88,8 +87,6 @@
 import lucee.runtime.type.util.UDFUtil;
 import lucee.runtime.util.PageContextUtil;
 
-
-
 /**
  * A Page that can produce Components
  */
@@ -395,7 +392,7 @@ private void callRest(PageContext pc, Component component, String path, Result r
 						catch (NumberFormatException ne) {
 							status = 500;
 						}
-						RestUtil.setStatus(pc, status, cte.getMessage());
+						RestUtil.setStatus(pc, status, cte.getMessage(), true);
 						return;
 					}
 					else {
@@ -423,7 +420,7 @@ private void callRest(PageContext pc, Component component, String path, Result r
 			else {
 				msg = prefix;
 			}
-			RestUtil.setStatus(pc, 404, HTMLEntities.escapeHTML(msg));
+			RestUtil.setStatus(pc, 404, msg, true);
 			ThreadLocalPageContext.getLog(pc, "rest").info("REST", prefix + " in" + addDetail);
 		}
 		else if (status == 405) {
@@ -434,7 +431,7 @@ else if (status == 405) {
 			else {
 				msg = prefix;
 			}
-			RestUtil.setStatus(pc, 405, HTMLEntities.escapeHTML(msg));
+			RestUtil.setStatus(pc, 405, msg, true);
 			ThreadLocalPageContext.getLog(pc, "rest").info("REST", prefix + " for" + addDetail);
 		}
 		else if (status == 406) {
@@ -445,7 +442,7 @@ else if (status == 406) {
 			else {
 				msg = prefix;
 			}
-			RestUtil.setStatus(pc, 406, HTMLEntities.escapeHTML(msg));
+			RestUtil.setStatus(pc, 406, msg, true);
 			ThreadLocalPageContext.getLog(pc, "rest").info("REST", prefix + " for" + addDetail);
 		}
 
@@ -470,7 +467,7 @@ private void _callThroughSubresourceLocator(PageContext pc, Component component,
 			callRest(pc, subcomp, path, result, suppressContent);
 		}
 		else {
-			RestUtil.setStatus(pc, 500, "Subresource locator error.");
+			RestUtil.setStatus(pc, 500, "Subresource locator error.", false);
 		}
 	}
 
@@ -554,11 +551,9 @@ else if (!"body".equalsIgnoreCase(restArgSource)) {
 			if (PageContextUtil.show(pc)) {
 				throw e;
 			}
-			else {
-				ThreadLocalPageContext.getLog(pc, "rest").error("REST", e);
-				RestUtil.setStatus(pc, 500, ExceptionUtil.getMessage(e, true));
-				return null;
-			}
+			ThreadLocalPageContext.getLog(pc, "rest").error("REST", e);
+			RestUtil.setStatus(pc, 500, ExceptionUtil.getMessage(e, true), true);
+			return null;
 		}
 		finally {
 			if (suppressContent) pc.unsetSilent();
diff --git a/core/src/main/java/lucee/runtime/PageContextImpl.java b/core/src/main/java/lucee/runtime/PageContextImpl.java
index 71c164fbba..ba86a9dd96 100644
--- a/core/src/main/java/lucee/runtime/PageContextImpl.java
+++ b/core/src/main/java/lucee/runtime/PageContextImpl.java
@@ -2531,7 +2531,7 @@ public void executeRest(String realPath, boolean throwExcpetion) throws PageExce
 						throw Caster.toPageException(e);
 					}
 				}
-				else RestUtil.setStatus(this, 404, null);
+				else RestUtil.setStatus(this, 404, null, false);
 				return;
 			}
 
@@ -2637,7 +2637,7 @@ else if (StringUtil.endsWithIgnoreCase(pathInfo, ".java")) {
 			// base = PageSourceImpl.best(config.getPageSources(this,null,realPath,true,false,true));
 
 			if (mapping == null || mapping.getPhysical() == null) {
-				RestUtil.setStatus(this, 404, "no rest service for [" + HTMLEntities.escapeHTML(pathInfo) + "] found");
+				RestUtil.setStatus(this, 404, "no rest service for [" + HTMLEntities.escapeHTML(pathInfo) + "] found", false);
 				getLog("rest").error("REST", "no rest service for [" + pathInfo + "] found");
 			}
 			else {
diff --git a/core/src/main/java/lucee/runtime/rest/RestRequestListener.java b/core/src/main/java/lucee/runtime/rest/RestRequestListener.java
index d6e2f703ea..79ff429d87 100644
--- a/core/src/main/java/lucee/runtime/rest/RestRequestListener.java
+++ b/core/src/main/java/lucee/runtime/rest/RestRequestListener.java
@@ -22,7 +22,6 @@
 
 import javax.servlet.http.HttpServletRequest;
 
-import lucee.commons.lang.HTMLEntities;
 import lucee.commons.lang.mimetype.MimeType;
 import lucee.runtime.PageContext;
 import lucee.runtime.PageSource;
@@ -76,11 +75,11 @@ public PageSource execute(PageContext pc, PageSource requestedPage) throws PageE
 					+ ListUtil.listToListEL(sources, ", ") + "]";
 
 			if (PageContextUtil.show(pc)) {
-				RestUtil.setStatus(pc, 404, HTMLEntities.escapeHTML(msg + addDetail));
+				RestUtil.setStatus(pc, 404, msg + addDetail, true);
 
 			}
 			else {
-				RestUtil.setStatus(pc, 404, HTMLEntities.escapeHTML(msg));
+				RestUtil.setStatus(pc, 404, msg, true);
 
 			}
 			ThreadLocalPageContext.getLog(pc, "rest").info("REST", msg + addDetail);
diff --git a/core/src/main/java/lucee/runtime/rest/RestUtil.java b/core/src/main/java/lucee/runtime/rest/RestUtil.java
index eab18dc257..e4f0a24fe0 100644
--- a/core/src/main/java/lucee/runtime/rest/RestUtil.java
+++ b/core/src/main/java/lucee/runtime/rest/RestUtil.java
@@ -24,6 +24,8 @@
 
 import lucee.commons.io.res.Resource;
 import lucee.commons.io.res.util.ResourceUtil;
+import lucee.commons.lang.HTMLEntities;
+import lucee.commons.lang.StringUtil;
 import lucee.runtime.PageContext;
 import lucee.runtime.rest.path.Path;
 import lucee.runtime.type.Struct;
@@ -60,11 +62,11 @@ public static int matchPath(Struct variables, Path[] restPath, String[] callerPa
 	 * @param status
 	 * @param msg
 	 */
-	public static void setStatus(PageContext pc, int status, String msg) {
+	public static void setStatus(PageContext pc, int status, String msg, boolean htmlEscapeMessage) {
 		pc.clear();
-		if (msg != null) {
+		if (!StringUtil.isEmpty(msg)) {
 			try {
-				pc.forceWrite(msg);
+				pc.forceWrite(htmlEscapeMessage ? HTMLEntities.escapeHTML(msg) : msg);
 			}
 			catch (IOException e) {
 			}
diff --git a/loader/build.xml b/loader/build.xml
index 2d6ca645c5..f2b1d27da4 100644
--- a/loader/build.xml
+++ b/loader/build.xml
@@ -2,7 +2,7 @@
 <project default="core" basedir="." name="Lucee" 
   xmlns:resolver="antlib:org.apache.maven.resolver.ant">
 
-  <property name="version" value="6.1.1.87-SNAPSHOT"/>
+  <property name="version" value="6.1.1.88-SNAPSHOT"/>
 
   <taskdef uri="antlib:org.apache.maven.resolver.ant" resource="org/apache/maven/resolver/ant/antlib.xml">
     <classpath>
diff --git a/loader/pom.xml b/loader/pom.xml
index 5949630d9f..0981c126e8 100644
--- a/loader/pom.xml
+++ b/loader/pom.xml
@@ -3,7 +3,7 @@
 
   <groupId>org.lucee</groupId>
   <artifactId>lucee</artifactId>
-  <version>6.1.1.87-SNAPSHOT</version>
+  <version>6.1.1.88-SNAPSHOT</version>
   <packaging>jar</packaging>
 
   <name>Lucee Loader Build</name>

From 7a3960cba6800396e1f79ed5bab82b27c48a6202 Mon Sep 17 00:00:00 2001
From: michaeloffner <michaeloffner@users.noreply.github.com>
Date: Mon, 16 Sep 2024 11:54:33 +0200
Subject: [PATCH 2/4] release candidate

---
 loader/build.xml | 2 +-
 loader/pom.xml   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/loader/build.xml b/loader/build.xml
index f2b1d27da4..1f6481412f 100644
--- a/loader/build.xml
+++ b/loader/build.xml
@@ -2,7 +2,7 @@
 <project default="core" basedir="." name="Lucee" 
   xmlns:resolver="antlib:org.apache.maven.resolver.ant">
 
-  <property name="version" value="6.1.1.88-SNAPSHOT"/>
+  <property name="version" value="6.1.1.88-RC"/>
 
   <taskdef uri="antlib:org.apache.maven.resolver.ant" resource="org/apache/maven/resolver/ant/antlib.xml">
     <classpath>
diff --git a/loader/pom.xml b/loader/pom.xml
index 0981c126e8..8271751bb9 100644
--- a/loader/pom.xml
+++ b/loader/pom.xml
@@ -3,7 +3,7 @@
 
   <groupId>org.lucee</groupId>
   <artifactId>lucee</artifactId>
-  <version>6.1.1.88-SNAPSHOT</version>
+  <version>6.1.1.88-RC</version>
   <packaging>jar</packaging>
 
   <name>Lucee Loader Build</name>

From a8ba161eba4b64cd517ddda54f49ed6897967a17 Mon Sep 17 00:00:00 2001
From: Zac Spitzer <zac.spitzer@gmail.com>
Date: Tue, 17 Sep 2024 15:44:48 +0200
Subject: [PATCH 3/4] LDEV-5092 testcase

https://luceeserver.atlassian.net/browse/LDEV-5092
---
 test/tickets/LDEV5092.cfc | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 test/tickets/LDEV5092.cfc

diff --git a/test/tickets/LDEV5092.cfc b/test/tickets/LDEV5092.cfc
new file mode 100644
index 0000000000..0f8364b8ac
--- /dev/null
+++ b/test/tickets/LDEV5092.cfc
@@ -0,0 +1,25 @@
+component extends="org.lucee.cfml.test.LuceeTestCase" skip=true {
+
+	function run( testResults , testBox ) {
+		describe( title='LDEV-5092', body=function(){
+			it( title='trigger java.util.ConcurrentModificationException', body=function() {
+				var a = [];
+				ArraySet(a,1,1000,"");
+				ArrayEach(a, testJava, true);
+			});
+		});
+	}
+
+	private function testJava(){
+		var oRegExMatcher = createObject("java", "java.util.regex.Matcher");
+		var re = oRegExMatcher.quoteReplacement( "(?i)<!-- $$blah$$ -->" ); // NPE
+		var re2 = oRegExMatcher.quoteReplacement( javacast("string", "1") );
+		var sReturn = "string";
+		sReturn.replaceAll(
+			oRegExMatcher.quoteReplacement( "(?i)<!-- $$blah$$ -->" ),
+			oRegExMatcher.quoteReplacement( javacast("string", "1") )
+		);
+		sReturn.replaceAll( re, re2 );
+		return sReturn;
+	}
+}
\ No newline at end of file

From a7e14ddd1fbcb59fa511e7ac77679f5ede4d8124 Mon Sep 17 00:00:00 2001
From: michaeloffner <michaeloffner@users.noreply.github.com>
Date: Wed, 18 Sep 2024 15:52:44 +0200
Subject: [PATCH 4/4] add support for addional name for cfconfig

---
 .../lucee/runtime/config/ConfigFactory.java   |  2 +-
 .../runtime/config/ConfigServerFactory.java   | 37 +++++++++++--------
 .../runtime/config/ConfigWebFactory.java      |  2 +-
 .../functions/system/ConfigImport.java        |  2 +-
 .../functions/system/ConfigTranslate.java     |  4 +-
 loader/build.xml                              |  2 +-
 loader/pom.xml                                |  2 +-
 7 files changed, 29 insertions(+), 22 deletions(-)

diff --git a/core/src/main/java/lucee/runtime/config/ConfigFactory.java b/core/src/main/java/lucee/runtime/config/ConfigFactory.java
index bb332ff0e8..f2217cef4c 100644
--- a/core/src/main/java/lucee/runtime/config/ConfigFactory.java
+++ b/core/src/main/java/lucee/runtime/config/ConfigFactory.java
@@ -90,7 +90,7 @@ public static UpdateInfo getNew(CFMLEngine engine, Resource contextDir, final bo
 
 		// if the config got deleted, we need to make sure the required extension get installed again
 		boolean deleted = false;
-		if (readOnly && !ConfigServerFactory.getConfigFile(contextDir).exists()) {
+		if (readOnly && !ConfigServerFactory.getConfigFile(contextDir, true).exists()) {
 			deleted = resOldVersion.delete();
 		}
 
diff --git a/core/src/main/java/lucee/runtime/config/ConfigServerFactory.java b/core/src/main/java/lucee/runtime/config/ConfigServerFactory.java
index cd2fe04563..cbf227846d 100644
--- a/core/src/main/java/lucee/runtime/config/ConfigServerFactory.java
+++ b/core/src/main/java/lucee/runtime/config/ConfigServerFactory.java
@@ -55,7 +55,7 @@
 
 public final class ConfigServerFactory extends ConfigFactory {
 
-	public static final String CONFIG_FILE_NAME = ".CFConfig.json";
+	public static final String[] CONFIG_FILE_NAMES = new String[] { ".CFConfig.json", "config.json" };
 
 	/**
 	 * creates a new ServletConfig Impl Object
@@ -110,7 +110,7 @@ public static ConfigServerImpl newInstance(CFMLEngineImpl engine, Map<String, CF
 			Resource configFileOld = configDir.getRealResource("lucee-server.xml");
 
 			// config file
-			Resource configFileNew = getConfigFile(configDir);
+			Resource configFileNew = getConfigFile(configDir, true);
 
 			boolean hasConfigOld = false;
 			boolean hasConfigNew = configFileNew.exists() && configFileNew.length() > 0;
@@ -175,24 +175,31 @@ public static ConfigServerImpl newInstance(CFMLEngineImpl engine, Map<String, CF
 		}
 	}
 
-	public static Resource getConfigFile(Resource configDir) throws IOException {
+	public static Resource getConfigFile(Resource configDir, boolean server) throws IOException {
+		if (server) {
+			// lucee.base.config
+			String customCFConfig = SystemUtil.getSystemPropOrEnvVar("lucee.base.config", null);
+			Resource configFile = null;
+			if (!StringUtil.isEmpty(customCFConfig, true)) {
 
-		// lucee.base.config
-		String customCFConfig = SystemUtil.getSystemPropOrEnvVar("lucee.base.config", null);
-		Resource configFile = null;
-		if (!StringUtil.isEmpty(customCFConfig, true)) {
+				configFile = ResourcesImpl.getFileResourceProvider().getResource(customCFConfig.trim());
 
-			configFile = ResourcesImpl.getFileResourceProvider().getResource(customCFConfig.trim());
-
-			if (configFile.isFile()) {
-				LogUtil.log(Log.LEVEL_INFO, "deploy", "config", "using config File : " + configFile);
-				return configFile;
+				if (configFile.isFile()) {
+					LogUtil.log(Log.LEVEL_INFO, "deploy", "config", "using config File : " + configFile);
+					return configFile;
+				}
+				throw new IOException(
+						"the config file [" + configFile + "] defined with the environment variable [LUCEE_BASE_CONFIG] or system property [-Dlucee.base.config] does not exist.");
 			}
-			throw new IOException(
-					"the config file [" + configFile + "] defined with the environment variable [LUCEE_BASE_CONFIG] or system property [-Dlucee.base.config] does not exist.");
 		}
+		Resource res;
+		for (String cf: CONFIG_FILE_NAMES) {
+			res = configDir.getRealResource(cf);
+			if (res.isFile()) return res;
+		}
+
 		// default location
-		return configDir.getRealResource(CONFIG_FILE_NAME);
+		return configDir.getRealResource(CONFIG_FILE_NAMES[0]);
 	}
 
 	/**
diff --git a/core/src/main/java/lucee/runtime/config/ConfigWebFactory.java b/core/src/main/java/lucee/runtime/config/ConfigWebFactory.java
index 366ddcf102..d59bef0034 100644
--- a/core/src/main/java/lucee/runtime/config/ConfigWebFactory.java
+++ b/core/src/main/java/lucee/runtime/config/ConfigWebFactory.java
@@ -251,7 +251,7 @@ public static ConfigWebPro newInstanceMulti(CFMLEngine engine, CFMLFactoryImpl f
 
 		boolean doNew = getNew(engine, configDir, false, UpdateInfo.NEW_NONE).updateType != NEW_NONE;
 		Resource configFileOld = configDir.getRealResource("lucee-web.xml." + TEMPLATE_EXTENSION);
-		Resource configFileNew = configDir.getRealResource(ConfigServerFactory.CONFIG_FILE_NAME);
+		Resource configFileNew = ConfigServerFactory.getConfigFile(configDir, false);
 		String strPath = servletConfig.getServletContext().getRealPath("/WEB-INF");
 		Resource path = ResourcesImpl.getFileResourceProvider().getResource(strPath);
 		boolean hasConfigOld = false;
diff --git a/core/src/main/java/lucee/runtime/functions/system/ConfigImport.java b/core/src/main/java/lucee/runtime/functions/system/ConfigImport.java
index a071720468..0b961ec3a7 100644
--- a/core/src/main/java/lucee/runtime/functions/system/ConfigImport.java
+++ b/core/src/main/java/lucee/runtime/functions/system/ConfigImport.java
@@ -32,7 +32,7 @@ public static Struct call(PageContext pc, Object pathOrData, String type, String
 		if (pathOrData instanceof CharSequence) res = ResourceUtil.toResourceExisting(pc, pathOrData.toString());
 		else if (pathOrData instanceof Map) data = Caster.toStruct(pathOrData);
 		else throw new FunctionException(pc, "ConfigFileImport", "first", "pathOrData",
-				"Invalid value for argument pathOrData, the argument must contain a string that points to a " + ConfigServerFactory.CONFIG_FILE_NAME
+				"Invalid value for argument pathOrData, the argument must contain a string that points to a " + ConfigServerFactory.CONFIG_FILE_NAMES[0]
 						+ " file or a struct containing the data itself.",
 				null);
 
diff --git a/core/src/main/java/lucee/runtime/functions/system/ConfigTranslate.java b/core/src/main/java/lucee/runtime/functions/system/ConfigTranslate.java
index fce761a841..ca53c9b392 100644
--- a/core/src/main/java/lucee/runtime/functions/system/ConfigTranslate.java
+++ b/core/src/main/java/lucee/runtime/functions/system/ConfigTranslate.java
@@ -55,10 +55,10 @@ else if ("server".equalsIgnoreCase(source.trim())) {
 			if (!StringUtil.isEmpty(target, true)) {
 				if ("web".equalsIgnoreCase(target.trim())) {
 					Resource dir = ((ConfigWebPro) config).getWebConfigDir();
-					trg = dir.getRealResource(ConfigServerFactory.CONFIG_FILE_NAME);
+					trg = ConfigServerFactory.getConfigFile(dir, false);
 				}
 				else if ("server".equalsIgnoreCase(target.trim())) {
-					trg = ConfigServerFactory.getConfigFile(pc.getConfig().getConfigServerDir());
+					trg = ConfigServerFactory.getConfigFile(pc.getConfig().getConfigServerDir(), true);
 				}
 				if (trg == null) trg = Caster.toResource(pc, target, false);
 				if (!trg.getParentResource().isDirectory())
diff --git a/loader/build.xml b/loader/build.xml
index 1f6481412f..e8b2b4be4d 100644
--- a/loader/build.xml
+++ b/loader/build.xml
@@ -2,7 +2,7 @@
 <project default="core" basedir="." name="Lucee" 
   xmlns:resolver="antlib:org.apache.maven.resolver.ant">
 
-  <property name="version" value="6.1.1.88-RC"/>
+  <property name="version" value="6.1.1.89-SNAPSHOT"/>
 
   <taskdef uri="antlib:org.apache.maven.resolver.ant" resource="org/apache/maven/resolver/ant/antlib.xml">
     <classpath>
diff --git a/loader/pom.xml b/loader/pom.xml
index 8271751bb9..cd98dd8af3 100644
--- a/loader/pom.xml
+++ b/loader/pom.xml
@@ -3,7 +3,7 @@
 
   <groupId>org.lucee</groupId>
   <artifactId>lucee</artifactId>
-  <version>6.1.1.88-RC</version>
+  <version>6.1.1.89-SNAPSHOT</version>
   <packaging>jar</packaging>
 
   <name>Lucee Loader Build</name>