Coldfusion 2021 Update 5 breaks xml

Report · Oct 13, 2022

I just applied update 5 and now I am getting XML errors:

"Error","ajp-nio-127.0.0.1-8020-exec-10","10/13/22","11:28:42","Medlists3","coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object;

https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-5.html says

CHANGE IN XML
If the XML path contains a forward slash or backslash, it will be blocked. The flag, coldfusion.xml.allowPathCharacters, must be set to true to allow the same.

But I don't know where to make this change.

Report · Oct 13, 2022

Gabriel, to add any jvm argument to CF, you have two choices--and you do want to be careful about doing this. First, though, note that it needs to be added with a -D in front of it:

either go to the CF Admin (the admin for whatever instance of CF you have, if you may have more than one), then in its "java and jvm" page, there's a field called "java args". In that, which is one long line, you can add an argument: whether at the front, at the end, or in the middle. Just be sure to leave a space before the -Dcoldfusion.xml.allowPathCharacters=true
or you can instead (and I'd recommend) you edit the file that that page changes. Go to your CF folder, and cfusion/bin (or instancename/bin, if you run more than one instance). In that folder is a jvm.config file, and in that file is a java.args line, which has nearly all that you would see in the CF Admin page field of the same name. Again, in that line, add that arg as I discuss above. Then save that file (keeping it up) and restart CF, to see if it starts and shows that arg now in that CF Admin page, and then test if your page now works.

Even if you may opt to do the change in the CF Admin, I would warn of this: if you make a mistake, CF may well accept your change, but then you may find on restarting CF that it can't start...and that you can't get to the CF Admin to correct things. It's for for that reason I recommend you edit the file instead. If you do (having left it open after saving it), and CF doesn't start, then you can undo what you added.

Even safer would be to make a COPY of the jvm.config file first, again whether you edit in the Admin or by editing the file.

Let us know how it goes. I will share also that I can help folks do these sort of things, in as little as 15 mins, via remote screenshare consulting. More at carehart.org/consulting.

/Charlie (troubleshooter, carehart.org)

Report · Oct 13, 2022

Hello Gabriel,

Please try this.
Update ColdFusion 2021 with update 5

Go to \ColdFusion2021\{instances}\wwwroot\WEB-INF\cfclasses and clear the classes.
Restart ColdFusion service and try again.

Please let me know if that resolves the issue.

Report · Nov 02, 2022

Hello RaviShabkar,

I have tried your advice as well as the jvm argument and neither works for me. I can't even get to the CF Admin Package Manager page as it is throwing the XMLSearch error below. I have also pasted in my java.args below.

Does anyone have any other ideas?

java.args=-server -Xms256m -Xmx1024m --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/sun.util.cldr=ALL-UNNAMED --add-opens=java.base/sun.util.locale.provider=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED -XX:+UseParallelGC -Djdk.attach.allowAttachSelf=true -Dcoldfusion.home={application.home} -Duser.language=en -Dcoldfusion.rootDir={application.home} -Dcoldfusion.xml.allowPathCharacters=true -Dcoldfusion.libPath={application.home}/lib -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true -Dcoldfusion.jsafe.defaultalgo=FIPS186Random -Dorg.eclipse.jetty.util.log.class=org.eclipse.jetty.util.log.JavaUtilLog -Djava.util.logging.config.file={application.home}/lib/logging.properties -Dtika.config=tika-config.xml -Djava.locale.providers=COMPAT,SPI -Dsun.font.layoutengine=icu -Dcom.sun.media.jai.disableMediaLib=true -Dcoldfusion.classPath={application.home}/lib/updates,{application.home}/lib/,{application.home}/gateway/lib/,{application.home}/wwwroot/WEB-INF/cfform/jars,{application.home}/bin/cf-osgicli.jar

"Error","http-nio-8400-exec-3","11/02/22","13:39:44","cfadmin","coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object; The specific sequence of files included or processed is: E:\CF2021\cfusion\wwwroot\CFIDE\administrator\updates\index.cfm, line: 733 "
java.lang.NoSuchMethodError: coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object;
at cf_core2ecfm1148457877$funcGETINSTALLEDUPDATES.runFunction(/CFIDE/administrator/updates/_core.cfm:733)

Report · Nov 02, 2022

Hi @jeffp80876634

Please try this.

1. Stop ColdFusion service.

2. Clear the cfclasses from \ColdFusion2021\{instances}\wwwroot\WEB-INF\cfclasses

3. Clear the felix-cache from \ColdFusion2021\{instance}\bin\felix-cache

4. Start ColdFusion service and try to load CF admin and let me know if that works.

If that doesn't work, we can connect over a call and help you with that.

Thanks,
Priyank Shrivastava

Report · Nov 02, 2022

Hi @Priyank Shrivastava. - That did get my application that makes use of the XMLSearch function working again.

However, the CF Admin is still throwing the error below. Can you please let me know how I can setup a call with Adobe support on this?

Thanks,

Jeff

java.lang.NoSuchMethodError: coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object;
at cf_core2ecfm1148457877$funcGETINSTALLEDUPDATES.runFunction(/CFIDE/administrator/updates/_core.cfm:733)

Report · Nov 03, 2022

Hi, @Priyank Shrivastava. !

What exactly is Apache Felix being used for in CF? That's a new one on me. Thanks in advance!

Dave Watts, Eidolon LLC

Report · Nov 03, 2022

Dave, Felix is an implementation of the osgi framework (from the Apache org) which underlies the new modularity of cf2021, where one can optionally implement only SOME "packages", related to features of cf. As you may know, that's controlled either in the cf admin "package manager" page or via the cfpm tool in the cf bin folder.

And whether one does or doesn't manipulate the packages, cf under the covers uses that modularity with regard to how things work.

As such, Priyank's suggestion to clear that cache is another attempt at solving the xmlsearch problem. That's a new one to me.

That said, Priyank, shouldn't one use cfpm purgecache. Or is there no benefit of that over just deleting the files?

/Charlie (troubleshooter, carehart.org)

Report · Dec 01, 2022

Hi @Priyank Shrivastava. - my CF admin still throws an error when I try to go to the Package Manager tab.
Any ideas on how to fix this?

Dec 1, 2022 11:42:15 AM Error [http-nio-8400-exec-6] - coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object; The specific sequence of files included or processed is: XXXX\cfusion\wwwroot\CFIDE\administrator\updates\index.cfm, line: 733

Report · Dec 01, 2022

@jeffp80876634 Try updating all the packages via the command line and see if it helps.

Navigate to \ColdFusion2021\cfusion\bin folder from the command prompt, run cfpm.bat and the below command.

cfpm>update ALL

Restart the CF and check.

Thanks,

Vikram

Report · Oct 13, 2022

Thanks Charlie, I DO appreciate the fast response. I tried adding the flag but unfortuately it had no effect

Report · Oct 13, 2022

Thanks RaviShankar Chagnur! that worked!

Report · Oct 14, 2022

Thanks for this! I was having a similar problem. Clearing the cfclasses didn't help, but Charlie's JVM flag did.

Report · Oct 14, 2022

I have the same issue. I tried the JVM argument. No affect. On my local dev box, my wwwroot\WEB-INF\cfclasses is empty (we keep this turned off on our dev/test machines). Please advise.

#xmlTransform( xml, getXsl() )# << this code causes the error below.

An error occurred while Transforming an XML document.
Unable to process the XML string as it could probably contain file paths.

coldfusion.xml.XmlProcessException: An error occurred while Transforming an XML document.
	at coldfusion.xml.XmlProcessor.doTransform(XmlProcessor.java:712)
	at coldfusion.xml.XmlProcessor.access$100(XmlProcessor.java:95)
	at coldfusion.xml.XmlProcessor$2.run(XmlProcessor.java:660)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at coldfusion.xml.XmlProcessor.transform(XmlProcessor.java:656)
	at coldfusion.xml.XmlProcessor.transform(XmlProcessor.java:645)
	at coldfusion.runtime.CFPage.XmlTransform(CFPage.java:444)

Report · Oct 14, 2022

Jhansen, the update technote does indicate the change that leads to this failure, so it's not unexpected. Not clear if you realize that. And the ultimate solution is to get that getxsl result (the xmlsearch criteria) to NOT have slashes, as that's deemed to be a security vulnerability.

But yes, as the technote shows, Adobe provided for backward compatibility/reduced security by way of that jvm arg.

So when you say it doesn't work, we should all question whether you implemented it correctly. If you see my comment above to Gabriel, there are specific things to do and to check. If you may have more than one instance of cf2021 on that machine, do be sure you've put the change in the right place. If you do, that error should go away. If you make any mistake, it could remain.

Let's us know what you think. And if you may have taken offense at my reply here, please know that's not my intent. I'm just trying to help. I can't known who knows what. I just help people solve such problems literally every day, in the community and in my consulting.

/Charlie (troubleshooter, carehart.org)

Report · Oct 14, 2022

Oh Charlie, I'm not offened, we have worked togehter before. In fact, you where right, I did it wrong. I missed the space. The JVM arg DOES allow the code to work. The XML in question has lots of slashes/paths in it because it part of the menu system. It's going to take some work to fix this one. <facepalm>

Report · Oct 14, 2022

Ah, OK Justin. Didn't connect the dots with just the initial. 🙂 Great to hear that you solved things, and glad to have helped. I suspect this could happen to others, so good to get the info out here. Until again.

/Charlie (troubleshooter, carehart.org)

Report · Oct 16, 2022

Hi Charlie,

I had a question related to your note about NOT using slashes in the xmlSearch criteria. Perhaps I am missunderstanding, but I'm unsure how you would otherwise search the XML. Isn't XPATH (which will almost always contain slashes) the basis of searching XML?

Please advise.

Thanks,

Brad

Report · Oct 16, 2022

Yes, Brad. But I'm simply reflecting the info Adobe has shared in the technote for update 5. As indicated there (and quoted above):

CHANGE IN XML

If the XML path contains a forward slash or backslash, it will be blocked. The flag, coldfusion.xml.allowPathCharacters, must be set to true to allow the same.

To be clear, I don't work for Adobe. My understanding is that this is a change related to an aspect of security. My sense if that they're implementing it as a protection, with the jvm arg for those who a) do intentionally use xmlsearch and b) need to permit use of such normal xpath search criteria.

That said, I've been participating in another thread in these forums where people are finding they CAN use paths in the search criteria. We've not gotten clarification on that from anyone.

I welcome further clarification there or here from anyone understanding things better.

/Charlie (troubleshooter, carehart.org)

Report · Oct 16, 2022

Hi Charlie,

Thanks very much for the response and the link to the other thread. I look forward to more clarification coming from Adobe, as it certainly does seem to defeat the purpose of the xmlSearch() method if XPATH can't be used as intended :-). I am still on CF2018, but update 15 has the same technote. We use xmlSearch() extensively, so I won't be rushing to update.

Best Regards,

Brad

Report · Oct 16, 2022

Sure, and I only pointed to 2021 given the subject of this thread, but yep I agree it's a confusing situation about xmlsearch.

That said, before holding off on the update, why not try it to see what happens--especially given what bkbk reported in that other thread? Perhaps YOU could be the one to bring us clarity on what works or may not. 🙂

As you may know, updates are easily uninstalled. Or you can use the free developer edition on a machine other than your production one. Even if you "can't run your web app off the prod server", you could at least try some subset.

Or you can try things for free on the Adobe cffiddle.org site, which already supports these two latest updates.

/Charlie (troubleshooter, carehart.org)

Report · Oct 16, 2022

Hi @Brad Hogg_51

This change is specifically to XMLTransform() and not XMLsearchI(). In case you are not using XMLtransform, you don't need to add the flag in your CF server. For XMLSearch(), we did change the signature and that is why we need to clear the classes.

Thanks,
Priyank Shrivastava

Report · Oct 17, 2022

Hi Priyank,

Thanks very much for the clarification. This is extremely helpful and makes much more sense! 🙂

Best Regards,

Brad

Report · Oct 17, 2022

Ah, OK. Thanks, Priyank. I don't think I'd seen that clarified anywhere else. It would SURELY help to get that added to the update technotes. They don't mention the path issue being about xmltransform, nor about xmlsearch use requiring recompile/clear of classes.

Also, are those issues really limited to each of those function? Or does either issue affect other CFML functions/tags related to XML processing?

I will post to that other forum thread, pointing to your comment.

/Charlie (troubleshooter, carehart.org)

Report · Oct 17, 2022

Sure Charlie, I will ask documentation team to update the doc.

Thanks,
Priyank Shrivastava

Adobe Community

Coldfusion 2021 Update 5 breaks xml

1 Correct answer