
odd behavior with xmlParse and CF 2016

Explorer, Jan 24, 2020

We recently upgraded from CF 11 to CF 2016. Occasionally we are getting this error: access denied ("java.io.FilePermission"... when trying to parse an in-memory XML string. We have our application sandboxed, so we don't get this error when sandboxing is turned off but we do get it when sandboxing is turned on. We are using jre1.8.0_221. Any ideas on what could be causing this and how we can fix it?

TOPICS
Advanced techniques , Security
Community Expert, Jan 24, 2020

The error should show the file whose permission was not sufficient. It may be something inside of CF. Have you tried adding that folder to your sandbox, allowing it to be accessed?


/Charlie (troubleshooter, carehart. org)

Explorer, Jan 27, 2020

Hi Charlie,

 

There is no file. We are receiving the XML back in the response from another server. The XML is always in string "memory" format; it never exists in file format. We have our server severely locked down, no files are allowed to be written to same directory as the application code. What is odd is that with sandboxing turned off we don't get the error, so ColdFusion isn't really writing anything to directory, it doesn't have permissions. However, we only get the error with sandboxing turned on. Also an odd twist, if I restart the server the error goes away.

Community Expert, Jan 25, 2020

I gave a vague answer about this kind of problem recently. I'm sorry I don't have more information to help. But sandboxing has all kinds of behind-the-scenes stuff to enable or disable various things, and it's just not documented very well anywhere as far as I've seen. There was a guy a while back named Russ Michaels, and he had a pretty good list of these undocumented items that he'd run into. You might search for those messages ("russ michaels sandbox coldfusion" might be a good query). I honestly haven't worked with sandboxes well enough to learn this stuff myself.

 

My guess here is that the XML document is being written to the filesystem, even though it appears to be in memory. So, wherever it's being written down, you'd need to include that folder. If the error message doesn't explicitly list this location per Charlie's suggestion, I'd look for the temp folders that CF uses, and include those explicitly.

 

Dave Watts, Eidolon LLC

Community Expert, Jan 26, 2020

It is a surprising error, given that the XML is a string in memory. Report this as a bug.

 

In the meantime, verify that the error isn't caused elsewhere. For example, where a file is read, whose string content is later parsed to XML.

Explorer, Jan 27, 2020

We are reading XML files in just fine, and writing XML files just fine where sandboxing allows (outside our application directory). We have our server severely locked down, no files are allowed to be written to same directory as the application code. What is odd is that with sandboxing turned off we don't get the error, so ColdFusion isn't really writing anything to directory, it doesn't have permissions. However, we only get the error with sandboxing turned on. Also an odd twist, if I restart the server the error goes away.

The same error also occurs with deserializeXML as well. We've run into issues with xml2struct not acting as expected as well.

Community Expert, Jan 27, 2020

Like I said earlier, it would not surprise me if CF is writing these to temp files even though you're not specifying you want it to do so. This is kind of a standard "interface vs implementation" kind of thing. XML files can be big.

 

If you can't find where these temp files are being written, you could open a ticket as suggested and find out that way (or perhaps find out that this isn't the cause of the problem at all - I could very well be wrong). In the meantime, you can do things like monitor your filesystem using Process Monitor:

 

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

 

You could also make guesses about where you think the temp files would be located, and add those directories and their subdirectories to your sandbox.

 

Dave Watts, Eidolon LLC

Explorer, Jan 27, 2020

Hi Dave,

 

Thanks for your help. Actually we already ran into that problem and the directory CF writes to for temp files is cfusion\runtime\work\Catalina\localhost\tmp\. As I mentioned though, the user CF is running as only has read access to this directory from the operating system level. So if it was actually writing anything, it would throw an error even when sandboxing is turned off, but it doesn't.

Perhaps I'm misunderstanding your point though. Do you mean that there's another location that CF needs to write to and the location it's giving me is just a red herring? All of the errors we've seen in the past with sandboxing have been pretty straightforward. java.io.FilePermission, on folder CF is actually trying to write to. The inconsistency of this bug also bothers me like it's a memory issue/bug when the cache is reset.

Community Expert, Jan 27, 2020

I suspect that different things in CF are written to different directories. That said, why would you prevent CF from writing to its own temp directory? I mean, that's the whole point of having a temp directory. And if you have CF locked down so tightly, why do you need sandboxes?

 

If you're getting java.io.FilePermission, Java is trying to write somewhere, so yes, I mean that you'd have to find that location and allow it. I've never really worked with sandboxing because it hasn't been a good fit for the work that I do, but I do recall that there were all kinds of undocumented file locations that you had to add to it for things to work properly.

 

Dave Watts, Eidolon LLC

Explorer, Jan 27, 2020

Dave,

 

I feel like we're talking past each other here.

Part of locking down/sandboxing is ensuring applications can't access ColdFusion code/directories so that malicious code is not introduced into the source code. Therefore, locking an application out of cfusion is very necessary if you want to secure your application. Yes you need to open up the temp directories which we have done.

Sandboxing is time intensive and unfortunately is not very well documented as well. There appears to be little use of it in the community and therefore little reporting of issues. Dave thanks for pointing us at russ michaels sandbox coldfusion, however we haven't really found his posts. Could you please post one or two of them here?

 

Thanks

Community Expert, Jan 27, 2020

There's nothing wrong with locking CF out of some directories. But it will need write access to its log directory, for example, and its temp directory, and the location where CF settings are stored. All of those are somewhere within the cfusion directory. I got the impression from your previous response that you'd set CF up with a user account that didn't have permission to write to its own temp directory. This would be overkill, and would introduce problems. I'm having trouble squaring that with what you've said about that working, and sandboxing not working, so honestly I'm going to just say I'd need to see what's going on in more detail than we can do on a forum.

 

I haven't been able to find much from Russ either. Some of this is just that old forums and mailing lists aren't around any more. All the links I've found are dead, so far. I looked for information from another knowledgeable sandbox user, Jochem van Dieten, but am not finding anything useful so far.

 

Dave Watts, Eidolon LLC

Community Expert, Jan 27, 2020

Hi justinh94069848,

Could you share with us the error in full, that is, the stacktrace?

Explorer, Jan 31, 2020

java.security.AccessControlException: access denied ("java.io.FilePermission" "z:\file_path_scrubbed\models\<cas:serviceResponse xmlns:cas='http:\www.urlscrubbed.com'> <cas:authenticationSuccess> <cas:user>scrub.user<\cas:user> <\cas:authenticationSuccess> <\cas:serviceResponse> " "read")
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkRead(Unknown Source)
    at java.io.File.exists(Unknown Source)
    at coldfusion.xml.XmlProcessor.getSourceURL(XmlProcessor.java:444)
    at coldfusion.xml.XmlProcessor.parse(XmlProcessor.java:254)
    at coldfusion.xml.XmlProcessor.parse(XmlProcessor.java:246)
    at coldfusion.runtime.CFPage.XmlParse(CFPage.java:265)
    at cfCAS2ecfc850593689$funcSERVICETICKETVALIDATE.runFunction(z:\file_path_scrubbed\models\CAS.cfc:58)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:654)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:443)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:413)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3247)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3224)
    at cfCAS2ecfc2135509330$funcVALIDATE.runFunction(z:\file_path_scrubbed\services\CAS.cfc:74)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:539)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:659)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:468)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3169)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3144)
    at cfAuthenticatorCAS2ecfc1315165634$funcCHECKLOGINSTATUS.runFunction(z:\file_path_scrubbed\models\AuthenticatorCAS.cfc:29)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:654)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:443)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:413)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3247)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3224)
    at cfApplication2ecfc1662216193$funcSETUPREQUEST.runFunction(z:\file_path_scrubbed\Application.cfc:1050)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235)
    at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3697)
    at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3677)
    at cfframework2ecfc1873529245$funcSETUPREQUESTWRAPPER.runFunction(z:\file_path_scrubbed\org\corfield\framework.cfc:1728)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235)
    at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3697)
    at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3677)
    at cfframework2ecfc1873529245$funcONREQUESTSTART.runFunction(z:\file_path_scrubbed\org\corfield\framework.cfc:769)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235)
    at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3697)
    at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3677)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3267)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3224)
    at cfApplication2ecfc1662216193$funcONREQUESTSTART.runFunction(z:\file_path_scrubbed\Application.cfc:960)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:654)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:443)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:413)
    at coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:114)
    at coldfusion.runtime.AppEventInvoker.onRequestStart(AppEventInvoker.java:285)
    at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:473)
    at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43)
    at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
    at coldfusion.filter.PathFilter.invoke(PathFilter.java:153)
    at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94)
    at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
    at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
    at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60)
    at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
    at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
    at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
    at coldfusion.CfmServlet.service(CfmServlet.java:223)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
    at sun.reflect.GeneratedMethodAccessor76.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Unknown Source)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
    at sun.reflect.GeneratedMethodAccessor68.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Unknown Source)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.GeneratedMethodAccessor68.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Unknown Source)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:356)
    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:507)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Unknown Source)

Explorer, Jan 31, 2020

Here is the error message

access denied ("java.io.FilePermission" "z:\file_path_scrubbed\models\<cas:serviceResponse xmlns:cas='http:\www.urlscrubbed.com'> <cas:authenticationSuccess> <cas:user>scrub.user<\cas:user> <\cas:authenticationSuccess> <\cas:serviceResponse> " "read")

Community Expert, Jan 31, 2020

There is something not right about ColdFusion reading the following as a file name:

 

"<cas:serviceResponse xmlns:cas='http:\www.urlscrubbed.com'> <cas:authenticationSuccess> <cas:user>scrub.user<\cas:user> <\cas:authenticationSuccess> <\cas:serviceResponse>"

 

I suspect you have made a mistake and output the XML variable. Or, else, this is a bug.

 

In any case, could you show us the code on the line:

z:\file_path_scrubbed\models\CAS.cfc:58

Explorer, Feb 03, 2020

local.temphttp= new http();
local.temphttp.seturl(this.cas_server & "serviceValidate");
local.temphttp.setmethod("get");
local.temphttp.addParam(type="url", name="ticket", value=arguments.service_ticket);
local.temphttp.addParam(type="url", name="service", value=this.service);
local.result=local.temphttp.send();
local.result_FC = local.result.getprefix().FileContent;
if(isXML(local.result_FC))
{
    var XMLobj=XMLParse(local.result_FC); // line 58

}

 

Here is the code. We are making an HTTP call to an authentication service that returns XML in the response. We are then trying to read the XML in the response to confirm if the user was validated. This should never be looking for a file. This is a bug which only appeared in CF 2016. How do I report this?

Community Expert, Feb 03, 2020

Thanks for your reply, justinh94069848 .

Weird. I don't see why ColdFusion would get a file-path involved.

It seems like a bug to me.

 

You should report a bug at https://tracker.adobe.com/#/home. Just attach a short description, and include a link to this forum page.
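
A way to triage denials like the one posted in this thread, as an added example that is not part of the thread or of ColdFusion: it reads `java.io.FilePermission` denials from a log and separates real paths, which are candidates for a sandbox entry, from "paths" containing markup, which mean a string was probed as a file name (in the posted trace, `java.io.File.exists` called from `coldfusion.xml.XmlProcessor.getSourceURL`). The function name `triage`, the finding fields and the second log entry are assumptions made for the example.

```python
import re

# Message of a java.security.AccessControlException raised for a file check.
DENIAL_RE = re.compile(
    r'access denied \("java\.io\.FilePermission" "(?P<target>.*?)" "(?P<actions>[a-z,]+)"\)',
    re.DOTALL,
)
# One stack frame: "at package.Class.method(File.java:123)".
FRAME_RE = re.compile(r"\bat (?P<method>[\w.$<>]+)\((?P<where>[^()]*)\)")
JDK_PREFIXES = ("java.", "javax.", "sun.")
CFML_TEMPLATE_RE = re.compile(r"\.cf[cm]:\d+$")

# Constructed sample: the first entry is abbreviated from the trace posted in
# this thread; the second is an invented ordinary denial for comparison.
SAMPLE_LOG = r"""
java.security.AccessControlException: access denied ("java.io.FilePermission" "z:\file_path_scrubbed\models\<cas:serviceResponse xmlns:cas='http:\www.urlscrubbed.com'> <cas:authenticationSuccess> <cas:user>scrub.user<\cas:user> <\cas:authenticationSuccess> <\cas:serviceResponse> " "read")
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkRead(Unknown Source)
    at java.io.File.exists(Unknown Source)
    at coldfusion.xml.XmlProcessor.getSourceURL(XmlProcessor.java:444)
    at coldfusion.xml.XmlProcessor.parse(XmlProcessor.java:254)
    at coldfusion.runtime.CFPage.XmlParse(CFPage.java:265)
    at cfCAS2ecfc850593689$funcSERVICETICKETVALIDATE.runFunction(z:\file_path_scrubbed\models\CAS.cfc:58)
java.security.AccessControlException: access denied ("java.io.FilePermission" "c:\example\tmp\upload_1.tmp" "write")
    at java.lang.SecurityManager.checkWrite(Unknown Source)
    at java.io.FileOutputStream.<init>(Unknown Source)
    at example.app.Uploader.save(Uploader.java:10)
"""


def triage(log_text):
    """Return one finding per FilePermission denial found in log_text."""
    denials = list(DENIAL_RE.finditer(log_text))
    findings = []
    for i, m in enumerate(denials):
        # Frames of this denial run up to the start of the next one.
        stop = denials[i + 1].start() if i + 1 < len(denials) else len(log_text)
        frames = [(f["method"], f["where"])
                  for f in FRAME_RE.finditer(log_text, m.end(), stop)]
        target = m["target"]
        # "<" and ">" are not legal in a Windows file name, so a checked "path"
        # containing them is document content that was probed as a file name.
        cut = min((target.find(c) for c in "<>" if c in target), default=-1)
        jdk_call = trigger = app_frame = None
        for method, where in frames:
            if trigger is None:
                if method.startswith(JDK_PREFIXES):
                    jdk_call = method   # last JDK frame below the caller
                else:
                    trigger = method    # first non-JDK frame: who asked
            if app_frame is None and CFML_TEMPLATE_RE.search(where):
                app_frame = where       # first CFML template and line
        findings.append({
            "kind": "content-as-path" if cut >= 0 else "path",
            "actions": m["actions"],
            # Directory the content string was resolved against, if any.
            "resolved_against": target[:cut] if cut >= 0 else None,
            "jdk_call": jdk_call,
            "trigger": trigger,
            "app_frame": app_frame,
            "target": target,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["kind"], finding["actions"], finding["jdk_call"],
              "<-", finding["trigger"], "@", finding["app_frame"])
```

A `content-as-path` finding points at the calling code or the runtime rather than at the sandbox file list; a `path` finding names a location to review before allowing it.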

Explorer, Feb 03, 2020

Thanks @BKBK,

Bug Submission Successful! Bug Id: CF-4206929

Community Expert, Feb 03, 2020

I've voted to get the bug looked into.
