odd behavior with xmlParse and CF 2016

Explorer, Jan 24, 2020

We recently upgraded from CF 11 to CF 2016. Occasionally we are getting this error: access denied ("java.io.FilePermission"... when trying to parse an in-memory XML string. We have our application sandboxed, so we don't get this error when sandboxing is turned off but we do get it when sandboxing is turned on. We are using jre1.8.0_221. Any ideas on what could be causing this and how we can fix it?

TOPICS: Advanced techniques, Security

Community Expert, Jan 24, 2020

The error should show the file whose permission was not sufficient. It may be something inside of CF. Have you tried adding that folder to your sandbox, allowing it to be accessed?


/Charlie (troubleshooter, carehart.org)

Explorer, Jan 27, 2020

Hi Charlie,

There is no file. We are receiving the XML back in the response from another server. The XML is always in string "memory" format; it never exists in file format. We have our server severely locked down; no files are allowed to be written to the same directory as the application code. What is odd is that with sandboxing turned off we don't get the error, so ColdFusion isn't really writing anything to the directory; it doesn't have permissions. However, we only get the error with sandboxing turned on. Also an odd twist: if I restart the server the error goes away.

Community Expert, Jan 25, 2020

I gave a vague answer about this kind of problem recently. I'm sorry I don't have more information to help. But sandboxing has all kinds of behind-the-scenes stuff to enable or disable various things, and it's just not documented very well anywhere as far as I've seen. There was a guy a while back named Russ Michaels, and he had a pretty good list of these undocumented items that he'd run into. You might search for those messages ("russ michaels sandbox coldfusion" might be a good query). I honestly haven't worked with sandboxes well enough to learn this stuff myself.

 

My guess here is that the XML document is being written to the filesystem, even though it appears to be in memory. So, wherever it's being written down, you'd need to include that folder. If the error message doesn't explicitly list this location per Charlie's suggestion, I'd look for the temp folders that CF uses, and include those explicitly.

 

Dave Watts, Eidolon LLC

Community Expert, Jan 26, 2020

It is a surprising error, given that the XML is a string in memory. Report this as a bug.

 

In the meantime, verify that it isn't caused elsewhere. For example, where a file is read, whose string content is later parsed to XML.

Explorer, Jan 27, 2020

We are reading XML files in just fine, and writing XML files just fine where sandboxing allows (outside our application directory). We have our server severely locked down; no files are allowed to be written to the same directory as the application code. What is odd is that with sandboxing turned off we don't get the error, so ColdFusion isn't really writing anything to the directory; it doesn't have permissions. However, we only get the error with sandboxing turned on. Also an odd twist: if I restart the server the error goes away.

The same error also occurs with deserializeXML as well. We've run into issues with xml2struct not acting as expected as well.

Community Expert, Jan 27, 2020

Like I said earlier, it would not surprise me if CF is writing these to temp files even though you're not specifying you want it to do so. This is kind of a standard "interface vs implementation" kind of thing. XML files can be big.

 

If you can't find where these temp files are being written, you could open a ticket as suggested and find out that way (or perhaps find out that this isn't the cause of the problem at all - I could very well be wrong). In the meantime, you can do things like monitor your filesystem using Process Monitor:

 

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

 

You could also make guesses about where you think the temp files would be located, and add those directories and their subdirectories to your sandbox.

 

Dave Watts, Eidolon LLC

Explorer, Jan 27, 2020

Hi Dave,

 

Thanks for your help. Actually we already ran into that problem and the directory CF writes to for temp files is cfusion\runtime\work\Catalina\localhost\tmp\. As I mentioned though, the user CF is running as only has read access to this directory from the operating system level. So if it was actually writing anything, it would throw an error even when sandboxing is turned off, but it doesn't.

Perhaps I'm misunderstanding your point though. Do you mean that there's another location that CF needs to write to and the location it's giving me is just a red herring? All of the errors we've seen in the past with sandboxing have been pretty straightforward. java.io.FilePermission, on folder CF is actually trying to write to. The inconsistency of this bug also bothers me like it's a memory issue/bug when the cache is reset.

Community Expert, Jan 27, 2020

I suspect that different things in CF are written to different directories. That said, why would you prevent CF from writing to its own temp directory? I mean, that's the whole point of having a temp directory. And if you have CF locked down so tightly, why do you need sandboxes?

 

If you're getting java.io.FilePermission, Java is trying to write somewhere, so yes, I mean that you'd have to find that location and allow it. I've never really worked with sandboxing because it hasn't been a good fit for the work that I do, but I do recall that there were all kinds of undocumented file locations that you had to add to it for things to work properly.

 

Dave Watts, Eidolon LLC

Explorer, Jan 27, 2020

Dave,

 

I feel like we're talking past each other here.

Part of locking down/sandboxing is ensuring applications can't access ColdFusion code/directories so that malicious code is not introduced into the source code. Therefore, locking an application out of cfusion is very necessary if you want to secure your application. Yes, you need to open up the temp directories, which we have done.

Sandboxing is time intensive and unfortunately is not very well documented as well. There appears to be little use of it in the community and therefore little reporting of issues. Dave, thanks for pointing us at russ michaels sandbox coldfusion; however, we haven't really found his posts. Could you please post one or two of them here?

 

Thanks

Community Expert, Jan 27, 2020

There's nothing wrong with locking CF out of some directories. But it will need write access to its log directory, for example, and its temp directory, and the location where CF settings are stored. All of those are somewhere within the cfusion directory. I got the impression from your previous response that you'd set CF up with a user account that didn't have permission to write to its own temp directory. This would be overkill, and would introduce problems. I'm having trouble squaring that with what you've said about that working, and sandboxing not working, so honestly I'm going to just say I'd need to see what's going on in more detail than we can do on a forum.

 

I haven't been able to find much from Russ either. Some of this is just that old forums and mailing lists aren't around any more. All the links I've found are dead, so far. I looked for information from another knowledgeable sandbox user, Jochem van Dieten, but am not finding anything useful so far.

 

Dave Watts, Eidolon LLC

Community Expert, Jan 27, 2020

Hi justinh94069848,

Could you share with us the error in full, that is, the stacktrace?

Explorer, Jan 31, 2020

java.security.AccessControlException: access denied ("java.io.FilePermission" "z:\file_path_scrubbed\models\<cas:serviceResponse xmlns:cas='http:\www.urlscrubbed.com'> <cas:authenticationSuccess> <cas:user>scrub.user<\cas:user> <\cas:authenticationSuccess> <\cas:serviceResponse> " "read") at java.security.AccessControlContext.checkPermission(Unknown Source) at java.security.AccessController.checkPermission(Unknown Source) at java.lang.SecurityManager.checkPermission(Unknown Source) at java.lang.SecurityManager.checkRead(Unknown Source) at java.io.File.exists(Unknown Source) at coldfusion.xml.XmlProcessor.getSourceURL(XmlProcessor.java:444) at coldfusion.xml.XmlProcessor.parse(XmlProcessor.java:254) at coldfusion.xml.XmlProcessor.parse(XmlProcessor.java:246) at coldfusion.runtime.CFPage.XmlParse(CFPage.java:265) at cfCAS2ecfc850593689$funcSERVICETICKETVALIDATE.runFunction(z:\file_path_scrubbed\models\CAS.cfc:58) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:654) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:443) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:413) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3247) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3224) at cfCAS2ecfc2135509330$funcVALIDATE.runFunction(z:\file_path_scrubbed\services\CAS.cfc:74) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389) at 
coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:539) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:659) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:468) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3169) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3144) at cfAuthenticatorCAS2ecfc1315165634$funcCHECKLOGINSTATUS.runFunction(z:\file_path_scrubbed\models\AuthenticatorCAS.cfc:29) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:654) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:443) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:413) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3247) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3224) at cfApplication2ecfc1662216193$funcSETUPREQUEST.runFunction(z:\file_path_scrubbed\Application.cfc:1050) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235) at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3697) at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3677) at 
cfframework2ecfc1873529245$funcSETUPREQUESTWRAPPER.runFunction(z:\file_path_scrubbed\org\corfield\framework.cfc:1728) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235) at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3697) at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3677) at cfframework2ecfc1873529245$funcONREQUESTSTART.runFunction(z:\file_path_scrubbed\org\corfield\framework.cfc:769) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235) at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3697) at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3677) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3267) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3224) at cfApplication2ecfc1662216193$funcONREQUESTSTART.runFunction(z:\file_path_scrubbed\Application.cfc:960) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235) at 
coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:654) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:443) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:413) at coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:114) at coldfusion.runtime.AppEventInvoker.onRequestStart(AppEventInvoker.java:285) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:473) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:153) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at coldfusion.CfmServlet.service(CfmServlet.java:223) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at sun.reflect.GeneratedMethodAccessor76.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Unknown Source) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at 
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at sun.reflect.GeneratedMethodAccessor68.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Unknown Source) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.GeneratedMethodAccessor68.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Unknown Source) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:356) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:507) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at 
java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Unknown Source)

Explorer, Jan 31, 2020

Here is the error message

access denied ("java.io.FilePermission" "z:\file_path_scrubbed\models\<cas:serviceResponse xmlns:cas='http:\www.urlscrubbed.com'> <cas:authenticationSuccess> <cas:user>scrub.user<\cas:user> <\cas:authenticationSuccess> <\cas:serviceResponse> " "read")

Community Expert, Jan 31, 2020

There is something not right about ColdFusion reading the following as a file name:

 

"<cas:serviceResponse xmlns:cas='http:\www.urlscrubbed.com'> <cas:authenticationSuccess> <cas:user>scrub.user<\cas:user> <\cas:authenticationSuccess> <\cas:serviceResponse>"

 

I suspect you have made a mistake and output the XML variable. Or, else, this is a bug.

 

In any case, could you show us the code on the line:

z:\file_path_scrubbed\models\CAS.cfc:58

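The by-eye check made in the post above, that the denied FilePermission target is XML text rather than a path, written as an added Python example (not from the thread or from Adobe). It runs over an abridged copy of the trace posted earlier plus one constructed trace; the function and field names, the Windows-only illegal-character rule and the constructed trace are assumptions of this example.

```python
import re

# Characters that cannot occur in a Windows file or directory name
# (assumption: Windows host, as in the thread's z:\ paths).
ILLEGAL_IN_WINDOWS_NAME = set('<>"|?*')
JDK_PREFIXES = ("java.", "javax.", "sun.")

DENIED_RE = re.compile(
    r'access denied \("(?P<perm>[\w.$]+)"\s+"(?P<target>.*)"\s+"(?P<actions>[\w,]+)"\)',
    re.DOTALL,
)
FRAME_RE = re.compile(r"\bat\s+([\w.$]+)\(([^()]*)\)")
TEMPLATE_RE = re.compile(r"\.cf[cm]:\d+$")

def triage(text):
    """Split an AccessControlException into what was denied and who asked."""
    m = DENIED_RE.search(text)
    if m is None:
        return None
    target = m.group("target")
    # Position of the first character that no real file name could contain.
    bad = [i for i, ch in enumerate(target) if ch in ILLEGAL_IN_WINDOWS_NAME]
    cut = bad[0] if bad else len(target)
    sep = max(target.rfind("\\", 0, cut), target.rfind("/", 0, cut))
    base_dir, rest = target[: sep + 1], target[sep + 1 :].strip()
    if not bad:
        kind = "path"             # a plausible file: check the sandbox grants
    elif rest.startswith("<") and ">" in rest:
        kind = "markup-as-path"   # document content reached a file probe
    else:
        kind = "invalid-name"
    # Frames are read only from the text after the message, so markup in the
    # target can never be mistaken for a stack frame.
    frames = FRAME_RE.findall(text[m.end():])
    first_app = next(
        (i for i, (meth, _) in enumerate(frames) if not meth.startswith(JDK_PREFIXES)),
        None,
    )
    return {
        "permission": m.group("perm"),
        "actions": m.group("actions"),
        "kind": kind,
        "base_dir": base_dir,
        "payload": rest if bad else None,
        # Last JDK call before application code: the operation that was checked.
        "probe": frames[first_app - 1][0] if first_app else None,
        # First non-JDK frame: the code that requested the file operation.
        "caller": frames[first_app][0] if first_app is not None else None,
        # First CFML template (.cfc/.cfm) location in the trace.
        "template": next((loc for _, loc in frames if TEMPLATE_RE.search(loc)), None),
    }

# Abridged from the trace posted in the thread (frames after CAS.cfc:58 omitted).
THREAD_TRACE = (
    r'java.security.AccessControlException: access denied ("java.io.FilePermission" '
    r'"z:\file_path_scrubbed\models\<cas:serviceResponse '
    r"xmlns:cas='http:\www.urlscrubbed.com'> <cas:authenticationSuccess> "
    r'<cas:user>scrub.user<\cas:user> <\cas:authenticationSuccess> '
    r'<\cas:serviceResponse> " "read") '
    r'at java.security.AccessControlContext.checkPermission(Unknown Source) '
    r'at java.lang.SecurityManager.checkRead(Unknown Source) '
    r'at java.io.File.exists(Unknown Source) '
    r'at coldfusion.xml.XmlProcessor.getSourceURL(XmlProcessor.java:444) '
    r'at coldfusion.runtime.CFPage.XmlParse(CFPage.java:265) '
    r'at cfCAS2ecfc850593689$funcSERVICETICKETVALIDATE.runFunction('
    r'z:\file_path_scrubbed\models\CAS.cfc:58)'
)

# Constructed for contrast: an ordinary denial on a real-looking temp file.
CONSTRUCTED_TRACE = (
    r'java.security.AccessControlException: access denied ("java.io.FilePermission" '
    r'"C:\placeholder\cfusion\runtime\work\Catalina\localhost\tmp\example.tmp" "write") '
    r'at java.lang.SecurityManager.checkWrite(Unknown Source) '
    r'at example.Upload.save(Upload.java:10)'
)

if __name__ == "__main__":
    for name, trace in (("thread", THREAD_TRACE), ("constructed", CONSTRUCTED_TRACE)):
        print(name, triage(trace))
```

For the thread's trace the result names `java.io.File.exists` as the checked operation and `coldfusion.xml.XmlProcessor.getSourceURL` as its caller, with the CAS response body as the "file name".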
Explorer, Feb 03, 2020

// Call the CAS server's serviceValidate endpoint with the ticket and service URL.
local.temphttp = new http();
local.temphttp.setUrl(this.cas_server & "serviceValidate");
local.temphttp.setMethod("get");
local.temphttp.addParam(type="url", name="ticket", value=arguments.service_ticket);
local.temphttp.addParam(type="url", name="service", value=this.service);
local.result = local.temphttp.send();
// The response body is held as a string; it is never written to a file.
local.result_FC = local.result.getPrefix().FileContent;
// Parse the body only if it is well-formed XML.
if (isXML(local.result_FC))
{
    var XMLobj = XMLParse(local.result_FC); // line 58

}

 

Here is the code. We are making an HTTP call to an authentication service that returns XML in the response. We are then trying to read the XML in the response to confirm if the user was validated. This should never be looking for a file. This is a bug which only appeared in CF 2016. How do I report this?

Community Expert, Feb 03, 2020

Thanks for your reply, justinh94069848.

Weird. I don't see why ColdFusion would get a file-path involved.

It seems like a bug to me.

 

You should report a bug at https://tracker.adobe.com/#/home. Just attach a short description, and include a link to this forum page.

Explorer, Feb 03, 2020

Thanks @BKBK,

Bug Submission Successful! Bug Id: CF-4206929

Community Expert, Feb 03, 2020

I've voted to get the bug looked into.
