Inspiring
October 13, 2022
Answered

ColdFusion 2021 Update 5 breaks XML


I just applied update 5 and now I am getting XML errors:

"Error","ajp-nio-127.0.0.1-8020-exec-10","10/13/22","11:28:42","Medlists3","coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object;

https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-5.html says

CHANGE IN XML

If the XML path contains a forward slash or backslash, it will be blocked. The flag, coldfusion.xml.allowPathCharacters, must be set to true to allow the same.

But I don't know where to make this change.

    Correct answer RaviShankar Chagnur

    Hello Gabriel,

     

    Please try this.
     Update ColdFusion 2021 with update 5

    1. Go to \ColdFusion2021\{instances}\wwwroot\WEB-INF\cfclasses and clear the classes. 
    2. Restart ColdFusion service and try again. 

     

    Please let me know if that resolves the issue. 

     

    3 replies

    Participating Frequently
    January 3, 2023

    Clearing \ColdFusion2021\{instances}\wwwroot\WEB-INF\cfclasses worked for me. Thanks. Adobe updates are always an adventure, and not in a good way. Didn't catch this until it was in production.

    Charlie Arehart
    Community Expert
    January 3, 2023

    Yes, Michael. And it doesn't help that the suggestion to clear the cfclasses is only in the cf2018 update 15 technote, which is quite unfortunate.

     

    And back to an earlier comment in this thread, there's also no clarification about which cfml xml features/functions are impacted by these changes, whether the need to do that class clearing or adding the jvm arg (discussed in both technotes). 

    /Charlie (troubleshooter, carehart. org)
    Brad Hogg_51
    New Participant
    January 3, 2023

    Hello All,

     

    I can confirm, for CF2018 at least, that the jvm argument is only needed when using xmlTransform().  It is not needed if you are only using xmlSearch().  Clearing the classes was indeed necessary however.  We use a ton of XML, so I can say this quite confidently.

     

    Thanks,

    Brad

    Inspiring
    October 14, 2022

    I have the same issue. I tried the JVM argument. No effect. On my local dev box, my wwwroot\WEB-INF\cfclasses is empty (we keep this turned off on our dev/test machines). Please advise.

     

    #xmlTransform( xml, getXsl() )# << this code causes the error below.

     

    An error occurred while Transforming an XML document.
    Unable to process the XML string as it could probably contain file paths.

     

    coldfusion.xml.XmlProcessException: An error occurred while Transforming an XML document.
    	at coldfusion.xml.XmlProcessor.doTransform(XmlProcessor.java:712)
    	at coldfusion.xml.XmlProcessor.access$100(XmlProcessor.java:95)
    	at coldfusion.xml.XmlProcessor$2.run(XmlProcessor.java:660)
    	at java.base/java.security.AccessController.doPrivileged(Native Method)
    	at coldfusion.xml.XmlProcessor.transform(XmlProcessor.java:656)
    	at coldfusion.xml.XmlProcessor.transform(XmlProcessor.java:645)
    	at coldfusion.runtime.CFPage.XmlTransform(CFPage.java:444) 

     

    Charlie Arehart
    Community Expert
    October 14, 2022

    Jhansen, the update technote does indicate the change that leads to this failure, so it's not unexpected. Not clear if you realize that. And the ultimate solution is to get that getxsl result (the xmlsearch criteria) to NOT have slashes, as that's deemed to be a security vulnerability. 

     

    But yes, as the technote shows, Adobe provided for backward compatibility/reduced security by way of that jvm arg.

     

    So when you say it doesn't work, we should all question whether you implemented it correctly. If you see my comment above to Gabriel, there are specific things to do and to check. If you may have more than one instance of cf2021 on that machine, do be sure you've put the change in the right place. If you do, that error should go away. If you make any mistake, it could remain. 

     

    Let us know what you think. And if you may have taken offense at my reply here, please know that's not my intent. I'm just trying to help. I can't know who knows what. I just help people solve such problems literally every day, in the community and in my consulting.

    /Charlie (troubleshooter, carehart. org)
    Charlie Arehart
    Community Expert
    October 17, 2022

    Hi Charlie,

    I had a question related to your note about NOT using slashes in the xmlSearch criteria.  Perhaps I am misunderstanding, but I'm unsure how you would otherwise search the XML.  Isn't XPATH (which will almost always contain slashes) the basis of searching XML?

    Please advise.

    Thanks,

    Brad


    Yes, Brad. But I'm simply reflecting the info Adobe has shared in the technote for update 5. As indicated there (and quoted above):

     

    CHANGE IN XML

     

    If the XML path contains a forward slash or backslash, it will be blocked. The flag, coldfusion.xml.allowPathCharacters, must be set to true to allow the same.

     

    To be clear, I don't work for Adobe. My understanding is that this is a change related to an aspect of security. My sense is that they're implementing it as a protection, with the jvm arg for those who a) do intentionally use xmlsearch and b) need to permit use of such normal xpath search criteria.

     

    That said, I've been participating in another thread in these forums where people are finding they CAN use paths in the search criteria. We've not gotten clarification on that from anyone.

     

    I welcome further clarification there or here from anyone understanding things better. 

    /Charlie (troubleshooter, carehart. org)
    Charlie Arehart
    Community Expert
    October 13, 2022

    Gabriel, to add any jvm argument to CF, you have two choices--and you do want to be careful about doing this. First, though, note that it needs to be added with a -D in front of it:

    • either go to the CF Admin (the admin for whatever instance of CF you have, if you may have more than one), then in its "java and jvm" page, there's a field called "java args". In that, which is one long line, you can add an argument: whether at the front, at the end, or in the middle. Just be sure to leave a space before the -Dcoldfusion.xml.allowPathCharacters=true
    • or you can instead (and I'd recommend) edit the file that that page changes. Go to your CF folder, and cfusion/bin (or instancename/bin, if you run more than one instance). In that folder is a jvm.config file, and in that file is a java.args line, which has nearly all that you would see in the CF Admin page field of the same name. Again, in that line, add that arg as I discuss above. Then save that file (keeping it up) and restart CF, to see if it starts and shows that arg now in that CF Admin page, and then test if your page now works.

     

    Even if you may opt to do the change in the CF Admin, I would warn of this: if you make a mistake, CF may well accept your change, but then you may find on restarting CF that it can't start...and that you can't get to the CF Admin to correct things. It's for that reason I recommend you edit the file instead. If you do (having left it open after saving it), and CF doesn't start, then you can undo what you added.

     

    Even safer would be to make a COPY of the jvm.config file first, again whether you edit in the Admin or by editing the file.

     

    Let us know how it goes. I will share also that I can help folks do these sort of things, in as little as 15 mins, via remote screenshare consulting. More at carehart.org/consulting.

    /Charlie (troubleshooter, carehart. org)
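
An added example, not part of the thread and not Adobe's code: a small check of a jvm.config file's java.args line for the two mistakes the post above warns about (a missing -D, or no space before the argument). It also shows which instances have the flag enabled, since enabling it relaxes the update's protection. The function names and the sample lines are constructed for illustration, and treating only the value "true" as enabled is an assumption.

```python
FLAG = "coldfusion.xml.allowPathCharacters"

def java_args(config_text):
    """Return the whitespace-separated tokens of the java.args line."""
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("#"):          # comment line in jvm.config
            continue
        if line.startswith("java.args="):
            return line[len("java.args="):].split()
    return []

def check_flag(config_text):
    """Classify how the flag appears in java.args.

    Returns "absent", "enabled", "disabled", "missing -D prefix",
    or "malformed" (for example, fused to the previous argument
    because the separating space was left out).
    """
    for tok in java_args(config_text):
        if FLAG not in tok:
            continue
        name, _, value = tok.partition("=")
        if name == "-D" + FLAG:
            # Assumption: only the literal value "true" enables the flag.
            return "enabled" if value.lower() == "true" else "disabled"
        if name == FLAG:
            return "missing -D prefix"
        return "malformed"
    return "absent"

# Constructed sample java.args lines (shortened, not from a real server).
SAMPLES = {
    "default": "java.args=-server -Xms256m -Duser.language=en",
    "enabled": "java.args=-server -Duser.language=en "
               "-Dcoldfusion.xml.allowPathCharacters=true -Dtika.config=tika-config.xml",
    "no_dash_d": "java.args=-server coldfusion.xml.allowPathCharacters=true",
    "no_space": "java.args=-server "
                "-Duser.language=en-Dcoldfusion.xml.allowPathCharacters=true",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:10} -> {check_flag(text)}")
```

Run it against each instance's own jvm.config (cfusion/bin or instancename/bin) by passing the file's contents to check_flag.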
    RaviShankar Chagnur
    Adobe Employee
    Correct answer
    October 13, 2022

    New Participant
    November 2, 2022

    Hello RaviShankar,

     

    I have tried your advice as well as the jvm argument and neither works for me.  I can't even get to the CF Admin Package Manager page as it is throwing the XMLSearch error below.  I have also pasted in my java.args below.

    Does anyone have any other ideas?

    java.args=-server -Xms256m -Xmx1024m --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/sun.util.cldr=ALL-UNNAMED --add-opens=java.base/sun.util.locale.provider=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED -XX:+UseParallelGC -Djdk.attach.allowAttachSelf=true -Dcoldfusion.home={application.home} -Duser.language=en -Dcoldfusion.rootDir={application.home} -Dcoldfusion.xml.allowPathCharacters=true -Dcoldfusion.libPath={application.home}/lib -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true -Dcoldfusion.jsafe.defaultalgo=FIPS186Random -Dorg.eclipse.jetty.util.log.class=org.eclipse.jetty.util.log.JavaUtilLog -Djava.util.logging.config.file={application.home}/lib/logging.properties -Dtika.config=tika-config.xml -Djava.locale.providers=COMPAT,SPI -Dsun.font.layoutengine=icu -Dcom.sun.media.jai.disableMediaLib=true -Dcoldfusion.classPath={application.home}/lib/updates,{application.home}/lib/,{application.home}/gateway/lib/,{application.home}/wwwroot/WEB-INF/cfform/jars,{application.home}/bin/cf-osgicli.jar

     

    "Error","http-nio-8400-exec-3","11/02/22","13:39:44","cfadmin","coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object; The specific sequence of files included or processed is: E:\CF2021\cfusion\wwwroot\CFIDE\administrator\updates\index.cfm, line: 733 "
    java.lang.NoSuchMethodError: coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object;
    at cf_core2ecfm1148457877$funcGETINSTALLEDUPDATES.runFunction(/CFIDE/administrator/updates/_core.cfm:733)