Highlighted

Coldfusion migration from CF9 to CF11 issues - excel download - untrusted soucre - hence excel contents are blocked

New Here ,
Aug 16, 2016

Copy link to clipboard

Copied

Hello,

My name is Harshal Jain working for Edwards UK.

Earlier we were using CF9 (Coldfusion server version 9) and now we have migrated to CF11 (Coldfusion version 11) . The problem is excel download code which was working fine on CF9 is working partially on CF11 and it blocks the contents of the excel file downloaded - due to security concerns - it treats the source from which the excel is downloaded as - not trusted.

For eg below is the sample code

<cfprocessingdirective pageEncoding="utf-8" />

<cfsetting enablecfoutputonly="Yes">

<cfcontent type="application/msexcel;charset=utf-16">

<cfheader name="Content-Disposition" value="attachment; filename=TEST_Excel.xls">

<cfoutput>

<table border="1">

  <tr>

  <th nowrap>Name</th>

  </tr>

   <tr>

  <td nowrap>Mark Waugh</td>

  </tr>

</table>

</cfoutput>

When the above code is executed on CF9 then - and when this code is executed - and after the excel file is saved on local machine - and while trying to open this excel file - it just says - The file you are trying to open is in different format than specified by the file extension. Verify file is not corrupted etc...........

But it provides an option to select - Yes or No or Help. When I click on Yes - it allows me to open the file. Thus I can access the file downloaded from CF9.

Now we have updated CF from CF9 to CF11. Same code is executed (webserver is same we just upgraded to CF11 from CF9). When this excel file is downloaded and tried to open - a blank excel gets opened. Nothing is displayed in the excel. Now for this I need to right click on excel file -> Properties -> and then need to unblock the file under Security - under tab - General. Then need to click Apply and Ok.

Now when I open this excel file -

it now says - The file you are trying to open is in different format than specified by the file extension. Verify file is not corrupted etc...........

But it provides an option to select - Yes or No or Help. When I click on Yes - it allows me to open the file.

The problem is all the system users are frustrated and they don't want to unblock the excel every now and then.

Now my question is - why this functionality is changed for CF11 which was working fine on CF9. We just want something like this - when the excel is downloaded from this server, it should treat it as trusted source/secured file and it should open normally.

Actually, the functionality has not changed in CF11.  You're simply a victim of circumstance in that you upgraded to CF11 at the same time Microsoft decided to patch Excel and cause the exact behavior you're describing.  The best part...they did this on purpose!

Here is their official blog where they "apologize" for this behavior.

Update 8/9/2016: Excel Workbooks may not open after installing MS16-088 – The Microsoft Excel Support Team Blog

Upon reviewing the blog while writing this reponse it looks like they've actually released some fixes if you scroll to the bottom of the blog.

So, your users can install the fix or there are a couple ways to allow the download in Excel:

  1. Open Excel. Go to File-->Options --> Trust Center --> Trust Center Settings --> Protected View --> Uncheck "Enable Protected View for files originating from the Internet" check box.
  2. OR....Open your Windows Control Panel and open Internet Options-->Security tab-->Single click the Trusted Sites icon-->Sites button-->type: https://www.yoursite.com>Add button-->Close-->OK

Views

501

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

Coldfusion migration from CF9 to CF11 issues - excel download - untrusted soucre - hence excel contents are blocked

New Here ,
Aug 16, 2016

Copy link to clipboard

Copied

Hello,

My name is Harshal Jain working for Edwards UK.

Earlier we were using CF9 (Coldfusion server version 9) and now we have migrated to CF11 (Coldfusion version 11) . The problem is excel download code which was working fine on CF9 is working partially on CF11 and it blocks the contents of the excel file downloaded - due to security concerns - it treats the source from which the excel is downloaded as - not trusted.

For eg below is the sample code

<cfprocessingdirective pageEncoding="utf-8" />

<cfsetting enablecfoutputonly="Yes">

<cfcontent type="application/msexcel;charset=utf-16">

<cfheader name="Content-Disposition" value="attachment; filename=TEST_Excel.xls">

<cfoutput>

<table border="1">

  <tr>

  <th nowrap>Name</th>

  </tr>

   <tr>

  <td nowrap>Mark Waugh</td>

  </tr>

</table>

</cfoutput>

When the above code is executed on CF9 then - and when this code is executed - and after the excel file is saved on local machine - and while trying to open this excel file - it just says - The file you are trying to open is in different format than specified by the file extension. Verify file is not corrupted etc...........

But it provides an option to select - Yes or No or Help. When I click on Yes - it allows me to open the file. Thus I can access the file downloaded from CF9.

Now we have updated CF from CF9 to CF11. Same code is executed (webserver is same we just upgraded to CF11 from CF9). When this excel file is downloaded and tried to open - a blank excel gets opened. Nothing is displayed in the excel. Now for this I need to right click on excel file -> Properties -> and then need to unblock the file under Security - under tab - General. Then need to click Apply and Ok.

Now when I open this excel file -

it now says - The file you are trying to open is in different format than specified by the file extension. Verify file is not corrupted etc...........

But it provides an option to select - Yes or No or Help. When I click on Yes - it allows me to open the file.

The problem is all the system users are frustrated and they don't want to unblock the excel every now and then.

Now my question is - why this functionality is changed for CF11 which was working fine on CF9. We just want something like this - when the excel is downloaded from this server, it should treat it as trusted source/secured file and it should open normally.

Actually, the functionality has not changed in CF11.  You're simply a victim of circumstance in that you upgraded to CF11 at the same time Microsoft decided to patch Excel and cause the exact behavior you're describing.  The best part...they did this on purpose!

Here is their official blog where they "apologize" for this behavior.

Update 8/9/2016: Excel Workbooks may not open after installing MS16-088 – The Microsoft Excel Support Team Blog

Upon reviewing the blog while writing this reponse it looks like they've actually released some fixes if you scroll to the bottom of the blog.

So, your users can install the fix or there are a couple ways to allow the download in Excel:

  1. Open Excel. Go to File-->Options --> Trust Center --> Trust Center Settings --> Protected View --> Uncheck "Enable Protected View for files originating from the Internet" check box.
  2. OR....Open your Windows Control Panel and open Internet Options-->Security tab-->Single click the Trusted Sites icon-->Sites button-->type: https://www.yoursite.com>Add button-->Close-->OK

Views

502

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Aug 16, 2016 0
Engaged ,
Aug 16, 2016

Copy link to clipboard

Copied

Actually, the functionality has not changed in CF11.  You're simply a victim of circumstance in that you upgraded to CF11 at the same time Microsoft decided to patch Excel and cause the exact behavior you're describing.  The best part...they did this on purpose!

Here is their official blog where they "apologize" for this behavior.

Update 8/9/2016: Excel Workbooks may not open after installing MS16-088 – The Microsoft Excel Suppor...

Upon reviewing the blog while writing this reponse it looks like they've actually released some fixes if you scroll to the bottom of the blog.

So, your users can install the fix or there are a couple ways to allow the download in Excel:

  1. Open Excel. Go to File-->Options --> Trust Center --> Trust Center Settings --> Protected View --> Uncheck "Enable Protected View for files originating from the Internet" check box.
  2. OR....Open your Windows Control Panel and open Internet Options-->Security tab-->Single click the Trusted Sites icon-->Sites button-->type: https://www.yoursite.com>Add button-->Close-->OK

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Aug 16, 2016 0
New Here ,
Aug 17, 2016

Copy link to clipboard

Copied

Or, so I have been told by my developers, use the cfspreadsheet tag.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Aug 17, 2016 0
Engaged ,
Aug 17, 2016

Copy link to clipboard

Copied

CFSpreadsheet will give same results.  Blank Excel file.

It's an MS issue.  Not CF.  Not CF code.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Aug 17, 2016 0
New Here ,
Aug 17, 2016

Copy link to clipboard

Copied

We fell prey to this, as well.  MS elevating the threshold for excel files, with no notice, was bad form.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Aug 17, 2016 0