February 19, 2011
Question

APSB11-04 - classic.cfm debug problems


Hello,

I applied this hotfix to two CF 9.01 servers and one CF 8.01 server.  They all have the same problem after the update.

http://www.adobe.com/support/security/bulletins/apsb11-04.html

The link to the hotfix is above.

I use the classic.cfm version for debug output.  It was updated with this hotfix and now it does not display properly.  It used to highlight in red any templates that took too much time to execute.  Now it displays the styling info around these numbers instead of applying the style:

<font color='red'><span class='template_overage'>4929</span></font> ms

If I view the source of the page and find the debugging output, this is what is there:

&lt;font color&#x3d;&#x27;red&#x27;&gt;&lt;span class&#x3d;&#x27;template_overage&#x27;&gt;4929&lt;&#x2f;span&gt;&lt;&#x2f;font&gt; ms

It should display something like this:

4929 ms

It seems like the HTMLEditFormat function is being used on the output before it is displayed.  I traced it to a new UDF that is being used to display these messages.  The encodeForError function in this file uses a Java object named "coldfusion.security.ESAPIUtils" for creating the output.  So, I'm not sure what to try next.

{ColdFusion Home}/wwwroot/WEB-INF/exception/udf.cfm

{ColdFusion Home}/wwwroot/WEB-INF/debug/classic.cfm

Anyone else have this problem or a solution to it?

sj


    February 20, 2011

    I've not experienced this problem, no.

    However, the most expedient way of fixing it is probably to... err... just fix it.  Those files are clear-text, so you can just edit them.  Or dig out the original template from another - unpatched - version of the template, do a diff on the two versions and see if there are any significant differences that should be applied, and just contrive a template that a) implements whatever the patch was supposed to do; b) doesn't break the output.

    --

    Adam

    sjibben (Author)
    February 20, 2011

    Hi Adam,

    That's what I ended up doing.  I do not know what ESAPIUtils does, so I just modified the return string using my own function:

    <!--- udf.cfm: the hotfix's encodeForError, with the repair call added at the end --->
    <cfset esapiutils = createObject("java", "coldfusion.security.ESAPIUtils")>
    <cffunction name="encodeForError" output="false">
        <cfargument name="str" required="true">
        <cfset var str2 = "">
        <cfset var encodedStr = "">
        <cftry>
            <!--- normalise backslashes to slashes, then HTML-encode the whole string --->
            <cfset str2 = replace(arguments.str, "\", "/", "ALL")>
            <cfset encodedStr = esapiutils.encodeForHTML(str2)>
            <cfcatch type="Any">
                <!--- admin:l10n is the Administrator's localisation custom tag --->
                <cfoutput>
                    <admin:l10n id="error_verify" var="verify_err">
                        #esapiutils.encodeForHTML(CFCATCH.Message)#
                        #esapiutils.encodeForHTML(CFCATCH.Detail)#
                    </admin:l10n>
                </cfoutput>
                <cfthrow message="#verify_err#">
            </cfcatch>
        </cftry>
        <cfreturn repairEncodeForError(encodedStr)>
    </cffunction>

    <!---added by Scott Jibben on 2011-02-19 to correct the display--->
    <!--- turns the five entities ESAPI emits for < > = ' / back into the characters;
          ## is an escaped pound sign inside a CFML string --->
    <cffunction name="repairEncodeForError" output="no">
        <cfargument name="str" type="string" required="yes" hint="output to clean">
        <cfreturn ReplaceList(arguments.str, "&lt;,&gt;,&##x3d;,&##x27;,&##x2f;", "<,>,=,',/")>
    </cffunction>

    February 21, 2011

    Looks like a reasonable solution to me.  Good work posting it back here in case someone else has the same problem.

    --

    Adam
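The following is an added example, not code from the thread, from Adobe or from ColdFusion: a Python model of the double encoding sjibben describes and of two ways out of it. The encoder is an assumption, approximated from the entities visible in the posted page source (`&lt;`, `&gt;`, `&#x3d;`, `&#x27;`, `&#x2f;`, spaces and underscores untouched), not a port of coldfusion.security.ESAPIUtils. It reproduces the symptom (classic.cfm builds its `<font>`/`<span>` markup first and then the whole string goes through encodeForError), shows what the posted repairEncodeForError does to it, and contrasts that with encoding the value before wrapping it in the template's own markup. The point worth keeping in mind: APSB11-04 is a security hotfix and encodeForError is its output encoding for debug and exception text, so the ReplaceList repair reverses that encoding for every string passed through the UDF, not only the overage numbers; the constructed hostile path at the end shows raw `<b>` tags coming back out.

```python
# Added example (Python, not ColdFusion code): a model of the double-encoding
# reported in the thread and of the two ways out of it. The encoder below is
# an assumption: it approximates coldfusion.security.ESAPIUtils.encodeForHTML
# (OWASP ESAPI's HTML entity codec) from the entities visible in the post,
# not from the real class.

NAMED_ENTITIES = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}
IMMUNE = set(",.-_ ")          # punctuation the codec leaves alone (assumed)


def esapi_encode_for_html(text: str) -> str:
    """Approximation of ESAPI encodeForHTML: ASCII alphanumerics and the immune
    set pass through, < > & " become named entities, everything else becomes a
    lowercase hex numeric character reference such as &#x3d;."""
    out = []
    for ch in text:
        if (ch.isascii() and ch.isalnum()) or ch in IMMUNE:
            out.append(ch)
        elif ch in NAMED_ENTITIES:
            out.append(NAMED_ENTITIES[ch])
        else:
            out.append("&#x%x;" % ord(ch))
    return "".join(out)


def encode_for_error(text: str) -> str:
    """udf.cfm's encodeForError as posted: flip backslashes to slashes, then
    HTML-encode the whole string (the cftry/cfcatch reporting is omitted)."""
    return esapi_encode_for_html(text.replace("\\", "/"))


# The five entities the posted repairEncodeForError() turns back into text.
REPAIR_LIST = [("&lt;", "<"), ("&gt;", ">"), ("&#x3d;", "="),
               ("&#x27;", "'"), ("&#x2f;", "/")]


def repair_encode_for_error(text: str) -> str:
    """The posted ReplaceList() workaround: undo exactly those five entities."""
    for entity, char in REPAIR_LIST:
        text = text.replace(entity, char)
    return text


def overage_markup(value: str) -> str:
    """What classic.cfm wraps around an over-budget execution time: the markup
    is the template's own, the value is the only data in the string."""
    return ("<font color='red'><span class='template_overage'>%s</span></font> ms"
            % value)


def overage_as_patched(ms: int) -> str:
    """Post-hotfix behaviour: markup is built first, then the whole string is
    encoded, so the browser shows the tags as text."""
    return encode_for_error(overage_markup(str(ms)))


def overage_with_repair(ms: int) -> str:
    """The thread's workaround: encode, then decode the five entities again."""
    return repair_encode_for_error(overage_as_patched(ms))


def overage_encode_value_first(ms_text: str) -> str:
    """Narrower fix: encode only the data, then wrap it in the template's own
    markup, so the styling renders and untrusted text stays encoded."""
    return overage_markup(esapi_encode_for_html(ms_text))


if __name__ == "__main__":
    print(overage_as_patched(4929))        # the symptom from the post
    print(overage_with_repair(4929))       # renders again, but the decode is global
    # Constructed untrusted input, e.g. a template path echoed in a debug row:
    hostile = "C:\\sites\\<b>bold</b>.cfm"
    print(repair_encode_for_error(encode_for_error(hostile)))  # raw <b> is back
    print(overage_encode_value_first("<b>x</b>"))              # stays encoded
```

Run it as-is; the first line printed is exactly the entity string sjibben pasted from view-source. The third line is the reason to prefer the last approach over the blanket decode: whatever reaches encodeForError from a request (paths, messages, parameter values) comes back with its `<`, `>`, `=`, `'` and `/` restored once the repair runs on it.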