tracker issue : CF-4193907

Title:

CF2016 sandbox bug?


Status/Resolution/Reason: Closed/Withdrawn/CannotReproduce

Reporter/Name(from Bugbase): Jim Frankowski / Jim Frankowski (Jim Frankowski)

Created: 09/28/2016

Components: Security

Versions: 2016

Failure Type: Non Functioning

Found In Build/Fixed In Build: CF2016_Update1 /

Priority/Frequency: Trivial / Unknown

Locale/System: English / Win 2012 Server x64

Vote Count: 0

Problem Description: Working thru 2016 lockdown guide. Sent to work with sandbox security. Allowed some tags/functions/ others disallowed; folder with cfm files has read/execute permissions. Restart ColdFusion, IIS-public mapped site fails to find a js file (java.io.permission). Do nothing else but go into cfadmin and sign in, all of a sudden IIS-mapped public site works without a hitch.

Steps to Reproduce: disable sandbox security; restart CF; enable sandbox security; restart cf; go to public facing site and see error; on another tab enter into cfadmin, go back to original tab... public site works.

Actual Result:

Expected Result:

Any Workarounds:
see above

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4193907

Reason:	PRHaveInfo

External Customer Info:
External Company:  
External Customer Name: Jim Frankowski
External Customer Email:  
External Test Config: My Hardware and Environment details:

Attachments:

  1. October 05, 2016 00:00:00: 1_cf_sandboxlogs_sanitized.zip

Comments:

ACTUAL ERROR MESSAGE: Security: The requested template has been denied access to D:/CF2016/<FOLDERNAMEHERE>/wwwroot/cf_scripts/scripts/ajax/messages/cfmessage_en_US_.js. The following is the internal exception message: access denied ("java.io.FilePermission" "D:/CF2016/<FOLDERNAMEHERE>/wwwroot/cf_scripts/scripts/ajax/messages/cfmessage_en_US_.js" "read")

Note that in CF Admin Server Settings -> Settings I have the Default ScriptSrc Directory set to "/cfscripts-091616". And IIS has a Virtual Directory mapping "cfscripts-091616" to "D:\CF2016\<FOLDERNAMEHERE>\wwwroot\cf_scripts\scripts".
Comment by External U.
1723 | September 29, 2016 07:16:51 AM GMT
Hi Jim, Does this happen to you on CF10/11 lockdown guide setup as well? Thanks!
Comment by S P.
1724 | October 03, 2016 04:42:05 AM GMT
Hi. I'm not certain of CF10/11 - I am working on prepping a migration to CF2016. I can tell you with certainty that I can replicate it 100% of the time on multiple CF instances/sites. I have the public facing site running through IIS and the admin running thru the native Tomcat server. Additionally, I created a new site with the sandbox security settings being that it points to my directory and added permission to the 1 data source. Restart the instance in one tab and the error occurs; log into cfadmin in a separate tab then toggle back and refresh the 1st tab: the site works. To rule certain things out, I removed all "Deny" sequences in IIS under request filtering and only have the one virtual directory pointing to the cf_scripts folder as instructed in the guide. I will replicate and try to extract (and sanitize) additional info from the CF log files and attach to bug.
Comment by External U.
1725 | October 03, 2016 01:51:50 PM GMT
Sure Jim, the logs would be really helpful to debug the issue. Thanks!
Comment by S P.
1726 | October 04, 2016 12:55:27 AM GMT
logs (sanitized) attached and annotated from clean log, starting CF with sandbox enabled, browsing to page, opening admin, refreshing.
Comment by External U.
1727 | October 04, 2016 02:16:21 PM GMT
(bump) Any information on this? I had to reboot the server for a Windows update and can again confirm that behavior consistently occurs when each instance's service (with sandbox enabled) is restarted.
Comment by External U.
1728 | October 14, 2016 07:01:52 AM GMT
Is there any additional information I can provide to help isolate why this is happening?
Comment by External U.
1729 | October 27, 2016 11:53:16 AM GMT
OK... Time is marching forward and I'm curious if there has been any movement on this?
Comment by External U.
1730 | December 01, 2016 07:54:37 AM GMT
Hi Jim, We have been trying to repro this issue, but have not been able to encounter it yet. Will be trying it with new settings/environment again. Else, is it possible that we can have a session where we can have a look at the issue on your machine, so that we can debug it? Thanks!
Comment by S P.
1731 | December 02, 2016 08:04:26 AM GMT
I believe this is possible, but will need to confer with sysAdmin and management. Would you be able to send an email off-line to the address in my profile so we can set up details? Thank you!
Comment by External U.
1732 | December 02, 2016 12:09:23 PM GMT
Hey Jim, Closing this bug for now as there has been no response with the same. But do let us know in case as discussed you were able to replicate the issue, we would be re-opening the issue. Thanks!
Comment by S P.
1733 | October 09, 2017 07:08:11 AM GMT