Debugging error output isn't restricted to the IPs specified to receive debugging output in certain cases.
This is an issue that has been around since at least ColdFusion 9, as far as I know.
Within CFAdmin, we have disabled the global error template (/CFIDE/administrator/templates/secure_profile_error.cfm) in order to enable error debug output for our debugging-enabled IPs. The problem is that the template that dumps out error information is loaded and processed regardless of whether or not the user's IP is in the debugging IP list. The "normal" way to get around this, as far as I know, is to specify an error template within your application. For example, we do something along the lines of:
<CFIF NOT isDevIP> <CFERROR TYPE="Exception" TEMPLATE="ErrorTemplate.cfm"> </CFIF>
However, this doesn't catch everything. Exceptions that occur prior to the <CFERROR> tag being processed will still result in all users seeing the debugging error output regardless of their IP address. This means you need to have the <CFERROR> tag near the beginning of each request (including AJAX requests) to minimize the potential for exceptions to be generated before the tag is processed.
The real trick, however, is that certain types of exceptions will be triggered before the <CFERROR> tag is processed regardless of where they are in the code. Consider the following:
<CFERROR TYPE="Exception" TEMPLATE="ErrorTemplate.cfm">
<CFIF
Blah blah blah
The unclosed <CFIF> tag is parsed before the <CFERROR> tag is processed, and all users will see the error (Invalid CFML construct found at line ...). This can lead to code leakage, as the error detail template includes code segments, line numbers, and stacktraces (if enabled in CFAdmin).
On the other hand, something like this behaves as expected:
<CFERROR TYPE="Exception" TEMPLATE="OnError.cfm">
<CFIF undefinedvariable></CFIF>
Blah blah blah
The OnError.cfm template is loaded instead of the debugging error output being output to the screen. You can combine this with a <CFIF> check against the user's IP being in the debugger IP list to achieve the desired result, but only for exceptions that are triggered after <CFERROR> is processed.
To work around this in the past, I edited the detail.cfm exception template at, for example, \ColdFusion9\wwwroot\WEB-INF\exception\detail.cfm, and made it first read the neo-debug.xml file (where CFAdmin stored the debug IP list) and check the user's IP. If the user's IP was not in the iplist in neo-debug.xml, then I simply ran a <CFABORT> to prevent any leakage from occurring. This also worked for CF10.
<CFWDDX ACTION="WDDX2CFML" INPUT="#XMLPARSE('C:\Coldfusion9\lib\neo-debug.xml')#" OUTPUT="neodebugxmlwddx">
<CFIF NOT LISTFIND(neodebugxmlwddx[2].iplist, CGI.REMOTE_ADDR)><CFABORT></CFIF>
However, in CF2016, the detail.cfm template isn't the same. In fact, it's encoded entirely differently and I can't properly edit it. (ColdFusion Builder won't even open it.)
1) Is there a way to edit the detail.cfm or other exception templates for CF2016 to achieve what I want? By default, they're located at C:\ColdFusion2016\cfusion\wwwroot\WEB-INF\exception\, I believe.
2) If not, is there another way to make them respect the debugging IP lists defined in CFAdmin?
3) If not, is there some other way to allow specific IPs to see debugging output (including for exceptions), but to restrict other IPs from ever seeing it? Using a global error template isn't an option unless there's a way to modify that template to call the regular template (using the same IP check as above) and properly pass all the error information to it.
Thanks