Can the Request scope variables be tampered/modified using external proxy tools?

Pankaj:

As we already know, the URL and FORM scope variables can be modified using external proxy tools.

For example, if someone makes a request like this - http://website/index.cfm?a=1&b=2

This way one can add values to URL scope of a .cfm page.

Similarly, is there any way to add/alter a value in the request scope in ColdFusion without it being set in code explicitly?

I am asking this because we have code like this in one of our CFM pages.

<cfset request.uploadFileDir = application.fileDir & "\upload" />
<cffile action="upload" accept="application/pdf" destination="#REQUEST.uploadFileDir#" filefield="brochure" nameconflict="makeunique"/>

The security team is saying that the above code is vulnerable because the REQUEST scope in JAVA can be tampered with/altered by external proxy tools. And since ColdFusion is built on JAVA, ColdFusion's REQUEST scope can also be tampered with by external proxy tools. Is this a right assumption? Are the JAVA and ColdFusion REQUEST scopes the same?

And finally the main question - Is there any way an external request to the page mentioned in the example above can modify the REQUEST scope, or to be more precise the REQUEST.uploadFileDir variable?

Dan Bracuk:

Transferred from comments with the blessing of the OP.

My opinion is that request scope variables can only be defined and assigned values in the programming code. That means they can't be altered directly. However, if you are assigning a value from the form or url scope, then they can be indirectly altered. In your case, look at how REQUEST.uploadFileDir receives its value.

More info.

The request scope is available to any programming file used in the page request, such as the actual page, included files, and custom tags. Here is an example that can be altered.

// url.foo comes straight from the query string, so whatever the client sends ends up in request.foo
request.foo = url.foo;

Here is an example that can't.

// cfscript: the condition is evaluated purely server-side (here the ColdFusion edition, used as a stand-in
// for "is this a development environment"), so nothing a client sends can reach request.dsn
if (server.coldfusion.productlevel == "Developer")
    request.dsn = "development database";
else
    request.dsn = "production database";

There is a time and place for everything. Most of my work does not use the request scope. One application does.
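An added example, not from the OP's page or from Dan's answer, that makes the point concrete in cfscript: the request scope is only as trustworthy as the scopes that feed it, so the upload directory is derived from application.fileDir alone and then checked to stay under it before cffile uses it. The function resolveUploadDir and the url.dir parameter are assumed names for this illustration.

```cfml
<cfscript>
// Resolve a candidate upload directory and confirm it stays inside the configured
// base directory. Returns the canonical path, or throws if the candidate escapes.
// (Added example; resolveUploadDir is not part of the original page.)
function resolveUploadDir(required string baseDir, required string candidate) {
    var base   = createObject("java", "java.io.File").init(arguments.baseDir).getCanonicalPath();
    var target = createObject("java", "java.io.File").init(arguments.candidate).getCanonicalPath();
    var sep    = server.separator.file;
    // Accept the base itself or anything strictly below it; reject everything else.
    if (target != base && left(target, len(base & sep)) != (base & sep)) {
        throw(type = "Application", message = "Upload directory escapes the configured base.");
    }
    return target;
}

// Pattern 1 (the OP's code): the request scope is filled only from the application scope.
// No client-supplied value takes part, so a proxy tool cannot influence it.
request.uploadFileDir = resolveUploadDir(application.fileDir, application.fileDir & sep & "upload");

// Pattern 2 (Dan's "can be altered" case): a url parameter flows into the request scope.
// url.dir is client-controlled, so the containment check above is what keeps
// request.uploadFileDir inside application.fileDir; without it the value would be tainted.
param name = "url.dir" default = "upload";
request.uploadFileDir = resolveUploadDir(application.fileDir, application.fileDir & sep & url.dir);
</cfscript>

<!--- Same upload tag as in the question, now pointed at a verified directory --->
<cffile action="upload" accept="application/pdf" destination="#request.uploadFileDir#" filefield="brochure" nameconflict="makeunique" />
```

If the auditors' concern is the request scope itself, pattern 1 is the answer: the only inputs are server-side, so there is nothing for a proxy to alter; the check only matters once a url or form value is involved.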
