tracker issue : CF-4206929

Title:

odd behavior with xmlParse and CF 2016 when in sandbox mode


Status/Resolution/Reason: To Track//PRNeedInfo

Reporter/Name(from Bugbase): Justin H. / ()

Created: 02/03/2020

Components: Security, Sandbox

Versions: 2016

Failure Type: Usability Issue

Found In Build/Fixed In Build: CF 2016 update 13 /

Priority/Frequency: Normal / Very few users will encounter

Locale/System: English / Win 2016

Vote Count: 3

Problem Description: We recently upgraded from CF 11 to CF 2016. Occasionally we are getting this error: access denied ("java.io.FilePermission"... when trying to parse an in-memory XML string. We have our application sandboxed, so we don't get this error when sandboxing is turned off, but we do get it when sandboxing is turned on.

Steps to Reproduce: Sandbox a CF application so it is not allowed to write to applications directory. Call a REST/SOAP service that returns an XML string. Call xmlParse on the response.

Actual Result: See Post https://community.adobe.com/t5/coldfusion/odd-behavior-with-xmlparse-and-cf-2016/m-p/10899830?page=1#M184450

Expected Result: Converts XML text into an XML document object

Any Workarounds: We are using FW1 so the model is getting cached. If I restart ColdFusion that seems to fix the problem, however the other day it did not fix the problem in production and I have since had to turn off Sandboxing altogether since it's an all or nothing switch.

Attachments:

Comments:

Hi, Can you share the exception logs when you see this error? Thanks, Kailash
Comment by Kailash B.
33122 | February 14, 2020 05:38:54 AM GMT
Having same issue with CF11 after updating Java 8 to 241. Opened another ticket for that. https://tracker.adobe.com/#/view/CF-4207236
Vote by Miguel F.
33152 | February 18, 2020 08:52:25 PM GMT
Here is the stack trace:
java.security.AccessControlException: access denied ("java.io.FilePermission" "z:\file_path_scrubbed\models\<cas:serviceResponse xmlns:cas='http:\www.urlscrubbed.com'> <cas:authenticationSuccess> <cas:user>scrub.user<\cas:user> <\cas:authenticationSuccess> <\cas:serviceResponse> " "read")
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkRead(Unknown Source)
    at java.io.File.exists(Unknown Source)
    at coldfusion.xml.XmlProcessor.getSourceURL(XmlProcessor.java:444)
    at coldfusion.xml.XmlProcessor.parse(XmlProcessor.java:254)
    at coldfusion.xml.XmlProcessor.parse(XmlProcessor.java:246)
    at coldfusion.runtime.CFPage.XmlParse(CFPage.java:265)
    at cfCAS2ecfc850593689$funcSERVICETICKETVALIDATE.runFunction(z:\file_path_scrubbed\models\CAS.cfc:58)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:654)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:443)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:413)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3247)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3224)
    at cfCAS2ecfc2135509330$funcVALIDATE.runFunction(z:\file_path_scrubbed\services\CAS.cfc:74)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:539)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:659)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:468)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3169)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3144)
    at cfAuthenticatorCAS2ecfc1315165634$funcCHECKLOGINSTATUS.runFunction(z:\file_path_scrubbed\models\AuthenticatorCAS.cfc:29)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:654)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:443)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:413)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3247)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3224)
    at cfApplication2ecfc1662216193$funcSETUPREQUEST.runFunction(z:\file_path_scrubbed\Application.cfc:1050)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235)
    at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3697)
    at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3677)
    at cfframework2ecfc1873529245$funcSETUPREQUESTWRAPPER.runFunction(z:\file_path_scrubbed\org\corfield\framework.cfc:1728)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235)
    at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3697)
    at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3677)
    at cfframework2ecfc1873529245$funcONREQUESTSTART.runFunction(z:\file_path_scrubbed\org\corfield\framework.cfc:769)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235)
    at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3697)
    at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3677)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3267)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3224)
    at cfApplication2ecfc1662216193$funcONREQUESTSTART.runFunction(z:\file_path_scrubbed\Application.cfc:960)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:654)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:443)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:413)
    at coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:114)
    at coldfusion.runtime.AppEventInvoker.onRequestStart(AppEventInvoker.java:285)
    at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:473)
    at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43)
    at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
    at coldfusion.filter.PathFilter.invoke(PathFilter.java:153)
    at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94)
    at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
    at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
    at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60)
    at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
    at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
    at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
    at coldfusion.CfmServlet.service(CfmServlet.java:223)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
    at sun.reflect.GeneratedMethodAccessor76.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Unknown Source)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
    at sun.reflect.GeneratedMethodAccessor68.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Unknown Source)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.GeneratedMethodAccessor68.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Unknown Source)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:356)
    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:507)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Unknown Source)
Comment by Justin H.
33150 | February 18, 2020 09:19:45 PM GMT
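
Added example, not part of the original ticket and not Adobe's code: a Python triage helper for exception logs that separates `java.io.FilePermission` denials whose target contains XML markup (a string payload checked as a file path, as `File.exists` is in the trace above) from ordinary sandbox denials. The sample log lines, paths and function names are constructed for illustration.

```python
import re

# Constructed sample lines modelled on the trace above; paths are placeholders.
SAMPLE_LOG = [
    r'java.security.AccessControlException: access denied ("java.io.FilePermission" '
    r'"z:\app\models\<cas:serviceResponse> <cas:user>u<\cas:user> " "read")',
    r'java.security.AccessControlException: access denied ("java.io.FilePermission" '
    r'"z:\other_app\config\settings.xml" "write")',
    r'java.lang.NullPointerException',
]

# Shape of the SecurityManager message: ("<permission class>" "<target>" "<actions>")
DENIED = re.compile(
    r'access denied \("(?P<perm>[\w.]+)" "(?P<target>.*)" "(?P<action>[\w,]+)"\)',
    re.DOTALL,  # an XML payload embedded in the target may span several lines
)
# '<' and '>' are not legal in Windows file names, so a tag inside the
# target means the runtime checked data, not a real path.
MARKUP = re.compile(r'<[^>]*>')

def classify(line):
    """Return None for unrelated lines, else a dict describing the denial."""
    m = DENIED.search(line)
    if not m or m.group("perm") != "java.io.FilePermission":
        return None
    target = m.group("target")
    markup = MARKUP.search(target)
    return {
        "action": m.group("action"),
        # Directory the payload was resolved against (or the whole path).
        "prefix": target[:markup.start()] if markup else target,
        "payload_as_path": markup is not None,
    }

def triage(lines):
    """Split denials into payload-checked-as-path cases and ordinary ones."""
    results = [r for r in map(classify, lines) if r]
    confused = [r for r in results if r["payload_as_path"]]
    ordinary = [r for r in results if not r["payload_as_path"]]
    return confused, ordinary

if __name__ == "__main__":
    confused, ordinary = triage(SAMPLE_LOG)
    for r in confused:
        print("payload treated as path under", r["prefix"], "action:", r["action"])
    print(len(ordinary), "ordinary sandbox denial(s)")
```

Denials in the first group point at the parsing call rather than at a missing sandbox rule, so widening file permissions for them is not the right response.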
There's more information on the Forum. https://community.adobe.com/t5/coldfusion/odd-behavior-with-xmlparse-and-cf-2016/m-p/10884153?page=1#M184365
Comment by Justin H.
33151 | February 18, 2020 09:20:47 PM GMT
Did Adobe reach out to you on this? They have a hotfix for this now.
Comment by Miguel F.
33170 | February 21, 2020 12:36:20 PM GMT
Hi Miguel, No they have not reached out to me.
Comment by Justin H.
33226 | March 02, 2020 06:41:10 PM GMT
We have recently encountered a similar issue after implementing CF2016 HF13 with Java 11.0.5 in place.
Vote by Paul T.
33256 | March 08, 2020 01:01:13 PM GMT