CF8.0.1: cflayout broken after applying security hotfix APSB11-04

Question

After applying hotfix APSB11-04, even this simple script fails:

blah blah blah

</cflayoutarea>

</cflayout>

The error in exception.log is:

org.owasp.esapi.errors.ValidationException: CFContainerID: Invalid input.
Please conform to: CFContainerID with a maximum length of 100

at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:140)

at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:166)

at coldfusion.security.ESAPIUtils.getValidateInput(ESAPIUtils.java:377)

at coldfusion.tagext.html.ajax.HtmlAssembler.setContainerId(HtmlAssembler.java:543)

at coldfusion.tagext.html.ajax.LayoutAreaTag.doStartTag(LayoutAreaTag.java:492)

Is it just me? (We have sandbox security enabled.)

BG650 · Answer

A few more details:The problem does indeed seem to be specific to sandbox security.If I disable sandbox security, the error goes away.The errors are being logged in "esapi.log" which I have never seen before.I'm fairly certain that these files from the update are involved: lib/ESAPI-1.4.4.jar lib/ESAPI.propertiesThe latter file is a text file, so I wonder if it can be tweaked to avoid the error?

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded