According to the CF documentation, the ExpandPath() function is unreliable when it comes to extending a relative path. The function returns the first path which matches the provided relative path.
In a Shared Hosting environment, this may lead to the situation that the absolute path returned does not belong to your web space/sandbox. Since further access to the retrieved path is denied, the coapi CFC will throw an exception which will be masked by an HTTP 500 server error.
If the ExpandPath() function will not be able to resolve the relative path, it throws an exception (which, again, will be masked with an HTTP 500 server error).
Thus, I think that each ExpandPath() function call should be equipped with cftry/cfcatch tags. I did this in the coapiadmin.cfc file for the methods getWebskinPath() and initializeIncludes(), see teh example below:
<cfelseif structKeyExists(application, "plugins") and listLen(application.plugins)>
<cfloop list="#application.plugins#" index="plugin">
<!--- 2017.10.13/proc -- function ExpandPath() throws an error if the relative
or absolute path do not exist --->
<cftry>
<cfif fileExists(ExpandPath("/farcry/plugins/#plugin#/webskin/#arguments.typename#/#arguments.template#.cfm"))>
<cfset webskinPath = "/farcry/plugins/#plugin#/webskin/#arguments.typename#/#arguments.template#.cfm" />
</cfif>
<!--- catch any errors here --->
<cfcatch type="any">
<!--- nothing to do: continue with script processing --->
</cfcatch>
</cftry>
</cfloop>
</cfif>
The same applies to the method getDBTypes() in the lib/db.cfc file for both setting the local variable locations and the application.plugins loop.
And since the tags/farcry/_InitApplication.cfm script hasn’t been cleaned up yet, it surely won’t hurt to catch any exceptions in the — albeit depreciated — Apps.cfm processing (around line 260).
The overall question, however, remains as what shall be done in case of an exception: Do we want the results to be written to any logs (and if so, which ones)? Or do we prefer to send an email to the administrator, providing him with the cfcatch information? In any case, the solution needs to work also on remote production systems.