ColdFusion 2021 HF 20; pathfilter.json

Report · Jun 16, 2025

We installed HF 20 on our CF 2021 instance (from HF 19) and saw "Security violation: Scheduled task 'XXX' attempted to execute unauthorized path: F:/Tasks_Logs/xxx.log. To allow it, whitelist the path in cf-root/lib/pathfilter.json against key schedulerexecutionpaths." in the scheduler.log (and consequently the task did not run (actually found the task to be deleted). Anway, based on the release notes, we updated pathfilter.json as such:

"schedulerexecutionpaths": "F:/Tasks_Logs/**."

Restarted CF and then broke our SAML/SSO login altogether to the site, so the site was hard down. Backed out change to pathfilter.json and restarted CF, still hared down. Backed out HF 20, back to HF 19 and restarted, all good (sans deleted scheduled tasks).

Error when hard down, on our consume page (SAML response) looked like:

Diagnostics org/hibernate/HibernateException null <br>The error occurred on line -1.
GeneratedContent [empty string]
HTTPReferer https://subdomain.onelogin.com/
Mailto [empty string]
Message org/hibernate/HibernateException
QueryString [empty string]

coldfusion-out.log shows:

Jun 13, 2025 07:48:11 AM Error [ajp-nio-127.0.0.1-8020-exec-8] - org/hibernate/HibernateException null <br>The error occurred on line -1., https://subdomain.onelogin.com/, /[root]/onelogin/consume.cfm
Jun 13, 2025 07:48:12 AM Error [ajp-nio-127.0.0.1-8020-exec-8] - org/hibernate/HibernateException The specific sequence of files included or processed is: [webroot]\[root]onelogin\consume.cfm''

Report · Jun 17, 2025

You followed the right steps. About the cause of the problem, my bet is on one of two things: either (1) ColdFusion hates the fact that your file path ends with a dot or (2) you forgot to restart ColdFusion afterwards.

So, to recap, the steps I suggest are:

(Re)install Update 20.
Make sure the directory F:/Tasks_Logs exists and that ColdFusion has access to it.

In the file /lib/pathfilter.json, enter the setting

"schedulerexecutionpaths": "F:/Tasks_Logs/**"

or

"schedulerexecutionpaths": "F:/Tasks_Logs/xxxx.log"

Restart ColdFusion
Under the setting Publish > File in the scheduled tasks page in the Administrator, enter the full path of the file.
Press the button Submit Changes.

Report · Jun 18, 2025

Thanks BKBK! The dot is a typo, shoudl have been a semicolon (because that was in the technote). I did want to note, even thogu we saw those erros in the log, we do nto actually have Publish selected on the the tasks in question (or any for that matter).

Report · Jun 19, 2025

Thanks for the new information.

Install Update 20 and follow the steps I suggested. I hope there won't be any errors.

Upgrading to Update 20 is the main goal.

Report · Jun 24, 2025

I think and will look more, but Microsoft June updates, KB5060531, are somehow at play. We have a dev box that has HF 20 fine, sans scheduled tasks working, but our Sys Admin installed the aforementioned Windows update and broke the consume.cfm (login page) above. Now when we did this in production on June 13, the Windows updates were pending and got installed then. Of course I could just be candidate for a Jump to Conclusion mat.

https://support.microsoft.com/en-us/topic/june-10-2025-kb5060531-os-build-17763-7434-32fce7e7-305d-4...

Report · Jun 24, 2025

Thanks for sharing the information about Microsoft June updates, KB5060531. That aside, I am glad to inform you of the following:

I installed ColdFusion 2021 and applied Update 20.
I then created a scheduled task in the ColdFusion Administrator, according to the 6 steps that I gave in my earlier post.

The scheduled task worked as expected, and there were no errors.