tracker issue : CF-4171993

Title:

400 error thrown when attempting to call a module named 'bootstrap.cfm' (certain directories only)


Status/Resolution/Reason: Closed/Withdrawn/CannotReproduce

Reporter/Name(from Bugbase): Tim Parker / Tim Parker (Tim Parker)

Created: 07/12/2016

Components: Core Runtime

Versions: 2016

Failure Type: Crash

Found In Build/Fixed In Build: CF2016_Update1 /

Priority/Frequency: Major / Some users will encounter

Locale/System: ALL / Linux

Vote Count: 0

Problem Description: It seems that CF has an over-eager security test for certain modules named 'bootstrap.cfm' - see steps

Steps to Reproduce:
create the following directories:
resources
resources/code

create 'call-bootstrap.cfm' in the root directory
 <cfinclude template="resources/code/bootstrap.cfm">

create 'bootstrap.cfm' in the resources/code directory
 <cfoutput>got here at #Now()#<br /></cfoutput>

browse to call-bootstrap.cfm - 400 error
rename bootstrap.cfm to bootstrap2.cfm, update the CFInclude - code runs as expected

NOTE: this will be reproducible in some locations and not in others.  In our case, the failure happens when 'call-bootstrap.cfm' is located in the /home/content/public/issues/customcf/rtk (a CF mapping exists to map "/" to "/home/content/public/", which is also the web server's document root) - but if we move this to another location, the problem goes away

We also put in a simple 'Application.cfm' (in the same directory as call-bootstrap.cfm, containing nothing more than a simple CFOutput) to ensure that the problem is not with our environment.




Actual Result:

Expected Result:

Any Workarounds:

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4171993

External Customer Info:
External Company:  
External Customer Name: Tim Parker
External Customer Email:  
External Test Config: My Hardware and Environment details:

 CFML Engine Version: ColdFusion Server 2016.0.02.299200 (Apache Tomcat/8.0.32)

         JVM version: 1.8.0_92-b14 - [64 bits, Linux] - CentOS 7 with latest patches

     JVM memory (MB):  max:1974.5 total:1974.5 free:1467.3

 CFML Engine Started: 2016-07-11 13:00:13.392 (running for 21 hours and 11 minutes)

Attachments:

Comments:

The obvious work-around is to rename the target module to something else, but it's very disturbing to know that there are magic filenames which will cause crashes in apparently random locations for no apparent reason.
Comment by External U.
2194 | July 12, 2016 02:18:15 PM GMT
UPDATE: checked caching settings - 'Cache template in request' and 'Component cache' were the only items checked. Unchecked both, used the 'clear template cache now' and 'clear component cache now' buttons, then restarted CF - this resolves the original problem. HOWEVER... this points to two deeper problems: 1) the 400 error was being thrown without any useful diagnostic information and with (apparently) no log entries (at least nothing containing the problem filename) 2) if this really was just a corrupted class in memory... that error should be caught and should trigger a recompile so as to replace the bad object. Nobody should have to restart a production server just because a class got corrupted.
Comment by External U.
2195 | July 12, 2016 05:08:24 PM GMT
Tim, we tried multiple times to repro this issue. But unfortunately, we are unable to reproduce this issue. Have you ever experienced this issue after clearing cache and restarting the server? -Nimit
Comment by Nimit S.
2196 | August 09, 2016 06:13:05 AM GMT
We have not encountered this error again - I suspect that the VM where we encountered this was somehow corrupted, since we also have not seen this on any other VMs.
Comment by External U.
2197 | August 09, 2016 07:57:14 AM GMT
Thanks for the update Tim. I am closing this bug for now. If you experience this issue again please feel free to reach out to us. We will re-open this bug.
Comment by Nimit S.
2198 | August 09, 2016 08:06:00 AM GMT