From c97afaa65b4ac0dae1dafd363ef41dd6ea873ba0 Mon Sep 17 00:00:00 2001 From: MrFelna Date: Wed, 20 Jan 2016 21:07:51 +0000 Subject: [PATCH] patch container debug lookup Change debug lookup in URL to lookup in request.mode This is more consistent as it can be set from the session and it is also checked against the currently logged in user. A blind URL lookup overrides security settings and potential information from the cfdump can assist attackers --- packages/rules/container.cfc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/rules/container.cfc b/packages/rules/container.cfc index 70c5495b8..9c65cdec0 100644 --- a/packages/rules/container.cfc +++ b/packages/rules/container.cfc @@ -562,7 +562,7 @@ $Developer: Geoff Bowers (modius@daemon.com.au) $ - + @@ -669,4 +669,4 @@ $Developer: Geoff Bowers (modius@daemon.com.au) $ - \ No newline at end of file +
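
Review bot: In the first hunk (packages/rules/container.cfc, around line 562) the commit message says the debug lookup now reads request.mode, but it does not name which request.mode key gates the cfdump or say what happens when that key is absent. Please name the key in the message and make sure the condition treats a missing or non-boolean value as debug off, so the dump is never rendered for a user who is not permitted to see it. The diffstat covers only this one file, so it is also worth confirming that no other template still reads the debug flag directly from the URL scope.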
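
Review bot: The second hunk (around line 669) touches only the last line of the file, where the removed line carries "\ No newline at end of file" and the added line does not. As far as the visible lines show, this is a whitespace-only change unrelated to the debug lookup. Either drop it from this security fix or mention it in the commit message, so the patch stays small and easy to audit and backport.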