Don’t Forget to Scope CFHTTP

I ran into a nasty MXNA 2.0 bug last week. As many of you noticed, we had a case
where one person’s posts were attributed to someone else. I was stumped for about
an hour as I went through lots of lines of code, with long spells of staring into
space and contemplating. Then it hit me that since this has only happened one time
in all the thousands of posts MXNA 2.0 has aggregated, it must be a concurrency

And it was. MXNA 2.0 uses cached instances of parser components, and in one of
those components was a CFHTTP tag that wasn’t scoped, or "VARed". Just
the right sequence of events caused the variable cfhttp.fileContent to be overwritten
with a string from someone else’s feed. It’s a one-in-a-million shot, but it happened
once, and it would have happened again given enough time.

If you’re using CFHTTP in a component, and you’re using CF 7.0, your code should
look like this:

<cfset var foo = 0/>
<cfhttp result="foo".../>

If you’re using CF 6.x, it should look like this:

<cfset var cfhttp.fileContent = 0/>
<cfhttp .../>

Note: I owe Sean Corfield a big thanks for helping me track this down.
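
The unscoped and scoped forms side by side in a complete component, as an added example that is not part of the original post or MXNA's code. The component, the function names and the `feedUrl` argument are hypothetical, and `fetchSafe` assumes CF 7.0 for the `result` attribute.

```cfml
<!--- FeedFetcher.cfc: hypothetical component, assumed to be created once and
      cached (for example in the application scope), so every concurrent
      request calls methods on the same instance. --->
<cfcomponent output="false">

    <!--- UNSAFE: with no result attribute and no var declaration, CFHTTP
          writes its response to a variable named cfhttp in the component's
          variables scope, which all callers of this instance share. --->
    <cffunction name="fetchUnsafe" access="public" returntype="string" output="false">
        <cfargument name="feedUrl" type="string" required="true"/>

        <cfhttp url="#arguments.feedUrl#" method="get" timeout="10"/>

        <!--- If a second request finishes its own CFHTTP call between the
              tag above and this line, this returns the other feed's body. --->
        <cfreturn cfhttp.fileContent/>
    </cffunction>

    <!--- SAFE (CF 7.0): the response goes into a function-local variable,
          so each invocation has its own copy and nothing is shared. --->
    <cffunction name="fetchSafe" access="public" returntype="string" output="false">
        <cfargument name="feedUrl" type="string" required="true"/>

        <!--- var declarations must precede any other code in the function. --->
        <cfset var httpResult = 0/>

        <cfhttp url="#arguments.feedUrl#" method="get" timeout="10" result="httpResult"/>

        <cfreturn httpResult.fileContent/>
    </cffunction>

</cfcomponent>
```

The same rule applies to every other variable assigned inside a method of a cached component: anything not declared with `var` lands in the shared variables scope.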

2 Responses to Don’t Forget to Scope CFHTTP

  1. Glad to have helped. This sort of thing can be so hard to track down (and so easy to miss when looking at code). Load testing can sometimes trap these errors as long as the load test has a way to verify the output of every operation (so a good test harness, like cfcUnit, run under load can help). BTW, I think the CFMX 6.1 version of the code can be just

  2. ben nadel says:

    Wait, why not just VAR CFHTTP instead of just the File Content? Wouldn’t this be even safer?