tracker issue : CF-4203278

select a category, or use search below
(searches all categories and all time range)
Title:

cfxml incorrectly triggers io.FilePermission

| View in Tracker

Status/Resolution/Reason: Closed/Withdrawn/PRNeedInfo

Reporter/Name(from Bugbase): Yuliang Ruan / ()

Created: 08/16/2018

Components: Security, Sandbox

Versions: 2016

Failure Type: Incorrectly functioning

Found In Build/Fixed In Build: 2016.0.06.308055 C:/ColdFusion2016/cfusion/lib/updates/chf20160006.jar JRE 1.8.0_171 /

Priority/Frequency: Normal / All users will encounter

Locale/System: / Win 2016

Vote Count: 0

Problem Description:
with sandbox on, <cfxml> is trying to use xml content to check read/write permissions

Steps to Reproduce:
c:\htdocs\pmall_admin\tests\
<cftry>
	<cfxml variable="doc">
	<foo>
	</foo>
	</cfxml>

	<cfcatch type="Any">
		<cfdump var="#cfcatch#">
	</cfcatch>
</cftry>

Actual Result:


Message	access denied ("java.io.FilePermission" "c:\htdocs\pmall_admin\tests\<foo> <\foo>" "read")
Permission	
object of java.io.FilePermission
Class Name	java.io.FilePermission
Methods	
Method	Return Type
equals(java.lang.Object)	boolean
getActions()	java.lang.String
hashCode()	int
implies(java.security.Permission)	boolean
newPermissionCollection()	java.security.PermissionCollection
Parent Class
StackTrace	java.security.AccessControlException: access denied ("java.io.FilePermission" "c:\htdocs\mall_admin\tests\<foo> <\foo>" "read") at java.security.AccessControlContext.checkPermission(Unknown Source) at java.security.AccessController.checkPermission(Unknown Source) at java.lang.SecurityManager.checkPermission(Unknown Source) at java.lang.SecurityManager.checkRead(Unknown Source) at java.io.File.exists(Unknown Source) at coldfusion.xml.XmlProcessor.getSourceURL(XmlProcessor.java:444) at coldfusion.xml.XmlProcessor.parse(XmlProcessor.java:254) at coldfusion.tagext.lang.XmlTag.doEndTag(XmlTag.java:112) at cftestCertona_yr2ecfm1452979413.runPage(c:\htdocs\pmall_admin\tests\testCertona_yr.cfm:3) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:253) at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:737) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:573) at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65) at coldfusion.filter.IpFilter.invoke(IpFilter.java:45) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:505) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:153) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at coldfusion.CfmServlet.service(CfmServlet.java:219) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at sun.reflect.GeneratedMethodAccessor51.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Unknown Source) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at sun.reflect.GeneratedMethodAccessor50.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Unknown Source) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.GeneratedMethodAccessor50.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Unknown Source) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:513) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Unknown Source)

Expected Result:

Any Workarounds:

Attachments:

Comments:

we have another process that has similar error result, but that one isn't using <cfxml> rather it's using XmlParse() and XMLSearch()
Comment by Yuliang R.
29522 | August 16, 2018 11:24:45 PM GMT
Hi Yuliang Ruan, I ran the test code snippet present in the try-catch block, I do not see an exception. Could you tell me the location of your testcase and the webroot of your server. Also, is this the exact code that generates the error for you? Thanks!
Comment by S P.
29568 | August 21, 2018 07:03:07 AM GMT
Hi Yuliang Ruan, I ran the test code snippet present in the try-catch block, I do not see an exception. Also ran code snippets for xmlparse and xmlsearch, I do not see the issue. Could you tell me the location of your testcase and the webroot of your server. Also, is this the exact code that generates the error for you? Thanks!
Comment by S P.
29640 | August 30, 2018 05:36:21 AM GMT
Closing the bug for now, since there has been no response on it. But if you still do see the issue, do get back to us, we would reopen the bug. Thanks!
Comment by S P.
29662 | September 05, 2018 05:25:58 AM GMT