Skip to main content
G
gabrieldavis321
Inspiring
October 13, 2022
Answered

Coldfusion 2021 Update 5 breaks xml

  • October 13, 2022
  • 3 replies
  • 6838 views

I just applied update 5 and now I am getting XML errors:

"Error","ajp-nio-127.0.0.1-8020-exec-10","10/13/22","11:28:42","Medlists3","coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object;

https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-5.html says

CHANGE IN XML

If the XML path contains a forward slash or backslash, it will be blocked. The flag, coldfusion.xml.allowPathCharacters, must be set to true to allow the same.

But I don't know where to make this change.

    This topic has been closed for replies.
    Correct answer RaviShankar Chagnur

    Hello Gabriel,

     

    Please try this.
     Update ColdFusion 2021 with update 5

    1. Go to \ColdFusion2021\{instances}\wwwroot\WEB-INF\cfclasses and clear the classes. 
    2. Restart ColdFusion service and try again. 

     

    Please let me know if that resolves the issue. 

     

    3 replies

    M
    michaelg11604920
    Participating Frequently
    January 3, 2023

    clearing \ColdFusion2021\{instances}\wwwroot\WEB-INF\cfclasses worked for me. Thanks. Adobe updates are always an adventure, and not in a good way.. Didn't catch this until it was in production.

    Charlie Arehart
    Charlie Arehart
    Community Expert
    January 3, 2023

    Yes, Michael. And it doesn't help that the suggestion to clear the cfclasses is only in the cf2018 update 15 technote, which is quite unfortunate.

     

    And back to an earlier comment in this thread, there's also no clarification about which cfml xml features/functions are impacted by these changes, whether the need to do that class clearing or adding the jvm arg (discussed in both technotes). 

    /Charlie (troubleshooter, carehart. org)
    Brad Hogg_51
    Brad Hogg_51
    New Participant
    January 3, 2023

    Hello All,

     

    I can confirm, for CF2018 at least, that the jvm argument is only needed when using xmlTransform().  It is not needed if you are only using xmlSearch().  Clearing the classes was indeed necessary however.  We use a ton of XML, so I can say this quite confidently.

     

    Thanks,

    Brad

    J
    jhansen-cf
    Inspiring
    October 14, 2022

    I have the same issue. I tried the JVM argument. No affect. On my local dev box, my wwwroot\WEB-INF\cfclasses is empty (we keep this turned off on our dev/test machines). Please advise.  

     

    #xmlTransform( xml, getXsl() )# << this code causes the error below.

     

    An error occurred while Transforming an XML document.
    Unable to process the XML string as it could probably contain file paths.

     

    coldfusion.xml.XmlProcessException: An error occurred while Transforming an XML document.
	at coldfusion.xml.XmlProcessor.doTransform(XmlProcessor.java:712)
	at coldfusion.xml.XmlProcessor.access$100(XmlProcessor.java:95)
	at coldfusion.xml.XmlProcessor$2.run(XmlProcessor.java:660)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at coldfusion.xml.XmlProcessor.transform(XmlProcessor.java:656)
	at coldfusion.xml.XmlProcessor.transform(XmlProcessor.java:645)
	at coldfusion.runtime.CFPage.XmlTransform(CFPage.java:444) 

     

    Charlie Arehart
    Charlie Arehart
    Community Expert
    October 14, 2022

    Jhansen, the update technote does indicate the change that leads to this failure, so it's not unexpected. Not clear if you realize that. And the ultimate solution is to get that getxsl result (the xmlsearch criteria) to NOT have slashes, as that's deemed to be a security vulnerability. 

     

    But yes, as the technote shows, Adobe provided for backward compatibility/reduced security by way of that jvm arg.

     

    So when you say it doesn't work, we should all question whether you implemented it correctly. If you see my comment above to Gabriel, there are specific things to do and to check. If you may have more than one instance of cf2021 on that machine, do be sure you've put the change in the right place. If you do, that error should go away. If you make any mistake, it could remain. 

     

    Let's us know what you think. And if you may have taken offense at my reply here, please know that's not my intent. I'm just trying to help. I can't known who knows what. I just help people solve such problems literally every day, in the community and in my consulting. 

    /Charlie (troubleshooter, carehart. org)
    J
    jhansen-cf
    Inspiring
    October 14, 2022

    Oh Charlie, I'm not offened, we have worked togehter before. In fact, you where right, I did it wrong. I missed the space. The JVM arg DOES allow the code to work. The XML in question has lots of slashes/paths in it because it part of the menu system. It's going to take some work to fix this one.  <facepalm>

    Charlie Arehart
    Charlie Arehart
    Community Expert
    October 13, 2022

    Gabriel, to add any jvm argument to CF, you have two choices--and you do want to be careful about doing this. First, though, note that it needs to be added with a -D in front of it:

    • either go to the CF Admin (the admin for whatever instance of CF you have, if you may have more than one), then in its "java and jvm" page, there's a field called "java args". In that, which is one long line, you can add an argument: whether at the front, at the end, or in the middle. Just be sure to leave a space before the -Dcoldfusion.xml.allowPathCharacters=true
    • or you can instead (and I'd recommend) you edit the file that that page changes. Go to your CF folder, and cfusion/bin (or instancename/bin, if you run more than one instance). In that folder is a jvm.config file, and in that file is a java.args line, which has nearly all that you would see in the CF Admin page field of the same name. Again, in that line, add that arg as I discuss above. Then save that file (keeping it up) and restart CF, to see if it starts and shows that arg now in that CF Admin page, and then test if your page now works.

     

    Even if you may opt to do the change in the CF Admin, I would warn of this: if you make a mistake, CF may well accept your change, but then you may find on restarting CF that it can't start...and that you can't get to the CF Admin to correct things. It's for for that reason I recommend you edit the file instead. If you do (having left it open after saving it), and CF doesn't start, then you can undo what you added.

     

    Even safer would be to make a COPY of the jvm.config file first, again whether you edit in the Admin or by editing the file.

     

    Let us know how it goes. I will share also that I can help folks do these sort of things, in as little as 15 mins, via remote screenshare consulting. More at carehart.org/consulting.

    /Charlie (troubleshooter, carehart. org)
      RaviShankar Chagnur
      Adobe Employee
      RaviShankar ChagnurCorrect answer
      Adobe Employee
      October 13, 2022

      Hello Gabriel,

       

      Please try this.
       Update ColdFusion 2021 with update 5

      1. Go to \ColdFusion2021\{instances}\wwwroot\WEB-INF\cfclasses and clear the classes. 
      2. Restart ColdFusion service and try again. 

       

      Please let me know if that resolves the issue. 

       

        J
        jeffp80876634
        New Participant
        November 2, 2022

        Hello RaviShabkar,

         

        I have tried your advice as well as the jvm argument and neither works for me.  I can't even get to the CF Admin Package Manager page as it is throwing the XMLSearch error below.  I have also pasted in my java.args below.

        Does anyone have any other ideas?

        java.args=-server -Xms256m -Xmx1024m --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/sun.util.cldr=ALL-UNNAMED --add-opens=java.base/sun.util.locale.provider=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED -XX:+UseParallelGC -Djdk.attach.allowAttachSelf=true -Dcoldfusion.home={application.home} -Duser.language=en -Dcoldfusion.rootDir={application.home} -Dcoldfusion.xml.allowPathCharacters=true -Dcoldfusion.libPath={application.home}/lib -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true -Dcoldfusion.jsafe.defaultalgo=FIPS186Random -Dorg.eclipse.jetty.util.log.class=org.eclipse.jetty.util.log.JavaUtilLog -Djava.util.logging.config.file={application.home}/lib/logging.properties -Dtika.config=tika-config.xml -Djava.locale.providers=COMPAT,SPI -Dsun.font.layoutengine=icu -Dcom.sun.media.jai.disableMediaLib=true -Dcoldfusion.classPath={application.home}/lib/updates,{application.home}/lib/,{application.home}/gateway/lib/,{application.home}/wwwroot/WEB-INF/cfform/jars,{application.home}/bin/cf-osgicli.jar

         

        "Error","http-nio-8400-exec-3","11/02/22","13:39:44","cfadmin","coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object; The specific sequence of files included or processed is: E:\CF2021\cfusion\wwwroot\CFIDE\administrator\updates\index.cfm, line: 733 "
        java.lang.NoSuchMethodError: coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object;
        at cf_core2ecfm1148457877$funcGETINSTALLEDUPDATES.runFunction(/CFIDE/administrator/updates/_core.cfm:733)

        Terms & ConditionsAccessibility statement
        Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices